DNS over TLS Lets Google Serve You More Ads

By Eric Lathrop on

Like a lot of people, I hate advertisements. In my quest to remove ads as much as possible, I've installed an ad blocker in my browser. To go further, I've installed Pi-Hole to block ads for all devices on my home network. I've even set up firewall rules to re-route all DNS traffic through Pi-Hole. This setup seemed to work pretty well until I noticed I was still seeing ads in an app on my Android phone.

Sometime in the last couple of years Google added a Private DNS feature to Android and enabled it by default. Private DNS is really DNS over TLS (DoT), which is supposed to be a privacy feature that encrypts your DNS so your network operators can't snoop on what sites you're browsing. It sounds nice in theory, but when I'm at home, I am the network operator, and DoT has the side effect of making my apps and devices ignore my carefully planned DNS settings and bypass my (actually privacy-enhancing) Pi-Hole ad blocker. The (surely coincidental) outcome is that Google can freely serve ads to my Android device.

You can disable the Private DNS feature in Android (for now). The bad news is that Firefox is enabling DNS over HTTPS (DoH), which is a similar system with similar drawbacks. Now you not only have to change settings on each device's operating system, but you might also have to configure every app individually to disable DoT/DoH. The next thing I'm going to try is blocking all traffic to public DoT/DoH servers at my firewall.
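Before blocking anything at the firewall, it helps to see which devices are actually going around the Pi-Hole. The following is an added example (not from the original post) that scans constructed firewall connection-log lines and flags three kinds of bypass: DoT on tcp/853, plain DNS sent to any resolver other than the Pi-Hole, and HTTPS to a few well-known public resolvers that also offer DoH. The Pi-Hole address, the log line format and the resolver list are assumptions.

```python
"""Flag DNS flows that bypass a local Pi-hole.

Log lines are constructed for this example, in the form:
    proto=<tcp|udp> src=<ip> dst=<ip> dport=<port>
"""
import re
from dataclasses import dataclass

PIHOLE_IP = "192.168.1.2"   # assumption: the Pi-hole's LAN address
DOT_PORT = 853              # DNS over TLS uses tcp/853 (RFC 7858)
# Assumption: a short list of public resolvers that also serve DoH on 443.
KNOWN_DOH_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str


def classify(proto: str, dst: str, dport: int):
    """Return why a flow looks like a Pi-hole bypass, or None if it is benign."""
    if proto == "tcp" and dport == DOT_PORT:
        return "DoT (tcp/853) bypasses Pi-hole"
    if dport == 53 and dst != PIHOLE_IP:
        return "plain DNS sent to a non-Pi-hole resolver"
    if proto == "tcp" and dport == 443 and dst in KNOWN_DOH_RESOLVERS:
        return "HTTPS to a known public DoH resolver (probable DoH)"
    return None


def find_bypasses(log_text: str):
    """Parse the log and return one Finding per flow that bypasses the Pi-hole."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not connection records
        reason = classify(m["proto"], m["dst"], int(m["dport"]))
        if reason:
            findings.append(Finding(m["src"], m["dst"], reason))
    return findings


# Constructed sample: one good client, one DoT client, one stray resolver, one DoH.
SAMPLE_LOG = """\
proto=udp src=192.168.1.20 dst=192.168.1.2 dport=53
proto=tcp src=192.168.1.30 dst=8.8.8.8 dport=853
proto=udp src=192.168.1.31 dst=1.1.1.1 dport=53
proto=tcp src=192.168.1.30 dst=8.8.8.8 dport=443
proto=tcp src=192.168.1.20 dst=203.0.113.10 dport=443
"""

if __name__ == "__main__":
    for f in find_bypasses(SAMPLE_LOG):
        print(f"{f.src} -> {f.dst}: {f.reason}")
```

The tcp/443 check is only a heuristic, since DoH shares the port with ordinary web traffic; the tcp/853 and stray-port-53 findings are unambiguous and are the ones a firewall rule can act on directly.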

Update 2021-03-22:

I learned that Firefox supports a temporary workaround for disabling DoH. You can set up Pi-Hole to point the "canary domain" use-application-dns.net to any IP address to cause Firefox to use normal DNS.