Android’s Private DNS feature originally used DNS-over-TLS (DoT) before Google decided to focus on DNS-over-HTTPS (DoH) rather than DoT or the newer DNS-over-QUIC (DoQ).

They’re migrating Android to always use DoH when it’s available. As an initial test they started by always using it when the network or the user configures Cloudflare or Google DNS. Using it for every other resolver is behind multiple feature flags that enable the newer asynchronous DNS resolution code and automatic detection of DNS-over-HTTPS support.

DoT and DoQ are leaner than DoH, which wraps every DNS message in an HTTP request and response on top of TLS or QUIC. The only reason DoH is winning out is that reusing HTTPS means the standard port is 443 (TCP for HTTP/2, UDP for HTTP/3) rather than 853, so it bypasses misguided filtering.

It’s entirely possible to host DoT/DoQ on port 443, and to the network it looks the same as HTTPS since it’s TLS or QUIC either way (only the ALPN value in the ClientHello differs, and that’s only visible to a box inspecting the handshake). It’s just not their standard port, so they lost out for client-side usage despite being the better protocols. DoQ will very likely win for usage on authoritative DNS servers though.
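To make the “leaner” comparison concrete, here is an added example (my own illustration, not Android’s resolver code or any DNS library) that builds one constructed query and frames it the way each transport does, then counts the bytes before TLS/QUIC record overhead. The resolver name dns.example and the path /dns-query are placeholders.

```python
import base64
import struct

# Constructed example: the same query (A record for example.com) framed for
# plain DNS, DoT, DoQ and DoH so the per-transport overhead can be compared.
# The resolver host dns.example and path /dns-query are placeholders.

def build_query(name, qtype=1, msg_id=0x1234):
    """Encode a minimal DNS wire-format query (RFC 1035) with recursion desired."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def frame_dot(msg):
    """DoT (RFC 7858) reuses DNS-over-TCP framing: a 2-byte length, then the message."""
    return struct.pack("!H", len(msg)) + msg

def frame_doq(msg):
    """DoQ (RFC 9250): same 2-byte length prefix, one query per QUIC stream,
    and the DNS message ID MUST be 0 (the stream already identifies the query)."""
    msg = b"\x00\x00" + msg[2:]
    return struct.pack("!H", len(msg)) + msg

def frame_doh_get(msg, host="dns.example", path="/dns-query"):
    """DoH GET (RFC 8484): unpadded base64url message in the dns= parameter.
    The ID is zeroed so identical queries yield identical, cacheable URLs.
    Shown as HTTP/1.1 text for readability; real DoH uses HTTP/2 or HTTP/3,
    whose header compression shrinks but does not remove this overhead."""
    token = base64.urlsafe_b64encode(b"\x00\x00" + msg[2:]).rstrip(b"=").decode("ascii")
    req = (f"GET {path}?dns={token} HTTP/1.1\r\nHost: {host}\r\n"
           "Accept: application/dns-message\r\n\r\n")
    return req.encode("ascii")

def frame_doh_post(msg, host="dns.example", path="/dns-query"):
    """DoH POST (RFC 8484): the raw message as the body, typed application/dns-message."""
    req = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
           "Accept: application/dns-message\r\n"
           "Content-Type: application/dns-message\r\n"
           f"Content-Length: {len(msg)}\r\n\r\n")
    return req.encode("ascii") + msg

def split_frames(stream):
    """Split a DoT/DoQ byte stream into DNS messages. Raises on a truncated
    frame so a caller knows to keep reading instead of parsing garbage."""
    msgs, pos = [], 0
    while pos < len(stream):
        if pos + 2 > len(stream):
            raise ValueError("truncated length prefix")
        n = struct.unpack("!H", stream[pos:pos + 2])[0]
        if pos + 2 + n > len(stream):
            raise ValueError("truncated message")
        msgs.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs

def overhead(name="example.com"):
    """Bytes on the wire (before TLS/QUIC record overhead) for each framing."""
    q = build_query(name)
    return {"raw": len(q), "dot": len(frame_dot(q)), "doq": len(frame_doq(q)),
            "doh_get": len(frame_doh_get(q)), "doh_post": len(frame_doh_post(q))}

if __name__ == "__main__":
    for transport, size in overhead().items():
        print(f"{transport:9s} {size} bytes")
```

DoT and DoQ add only a 2-byte length prefix to the raw message; DoH adds a request line and headers on every query and an HTTP status line and headers on every response, which HPACK/QPACK compress on a long-lived connection but never eliminate. The DoQ ID-must-be-zero rule is the kind of detail that trips up a resolver client ported from DoT, so it is handled explicitly here.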

We could enable support for automatically detecting DoH support early, but it would be risky. We’re planning on following along with Android’s schedule for enabling these and nearly all other features. DoT does usually work perfectly fine.

Android’s DoH implementation is newer than the DoT one, so it was written in async Rust. Rust has become the preferred language for new low-level code in Android, and DoT would have been written in Rust if it were added today. DoT/DoQ are losing to DoH purely because of the port.

DoQ will likely be the winner for server-side usage on authoritative DNS servers, where the clients are recursive resolvers rather than end-user devices. DoT/DoQ are generally preferred by server/network engineers and DoH by browser/OS engineers.

Worth noting that encrypted DNS doesn’t hide much from the network, since it can still see the IPs you connect to. Host names are also sent in plain text in the TLS ClientHello (the SNI extension) unless Encrypted Client Hello (ECH) is in use, and ECH is barely deployed. If you use a VPN to share an IP with other users for privacy, using a different DNS resolver than the VPN’s own makes you stand out from its other users.