Android 將測試 DNS over TLS

從「Android getting "DNS over TLS" to prevent ISPs from knowing what websites you visit」這邊看到的報導,原
文在「Android getting “DNS over TLS” support to stop ISPs from knowing what websites you visit」這邊可以看到。

It appears that “DNS over TLS” support is being added to Android, according to several commits added to the Android Open Source Project (AOSP). The addition in the Android repository shows that a new setting will be added under Developer Options allowing users to turn on or off DNS over TLS. Presumably, if such an option is being added to Developer Options, then that means it is in testing and may arrive in a future version of Android such as version 8.1.

這邊用的應該是 RFC 7858 的「Specification for DNS over Transport Layer Security (TLS)」,已經是 Standards Track 了。預設使用 TCP port 853:

By default, a DNS client desiring privacy from DNS over TLS from a particular server MUST establish a TCP connection to port 853 on the server, unless it has mutual agreement with its server to use a port other than port 853 for DNS over TLS.

而且建議如果另外定義的話,不要用 port 53:

This recommendation against use of port 53 for DNS over TLS is to avoid complication in selecting use or non-use of TLS and to reduce risk of downgrade attacks.

另外也說明了在 port 853 上禁用明文傳輸:

DNS clients and servers MUST NOT use port 853 to transport cleartext DNS messages.

另外一個還在發展的標準是 Cisco 的人推出的「DNS over Datagram Transport Layer Security (DTLS)」,走的是 UDP port 853,不過看起來因為 stateless 的特性,需要考慮比較多問題... (尤其這類服務常配合 anycast)

不過即使將 DNS query 保護起來,TLS 本身還是會透漏 hostname 的部份 (因為 SNI 的關係),所以就 privacy 面向考量的話,沒有實質的意義... 主要還是考慮被竄改的問題?但如果是這樣的話,目前 TLS 連線本身就已經有這樣的保護了?暫時沒想到可以解什麼實際的問題...

Google 將 Raspberry Pi 3 加到 AOSP 裡

GoogleAOSP 裡加入對 Raspberry Pi 3 的支援:「Google to bring official Android support to the Raspberry Pi 3」,repository 可以在「device/pifoundation/rpi3/」這邊看到,目前是空的,不過這讓大家就有很多想像了:

For now, the Pi 3 device tree is empty with only the comment "initial empty repository" accompanying it. The repository should soon start to fill with code, though.

感覺對 Raspberry Pi 注入了不少活力... (以及估值 XDDD)