diff --git a/static/faq.html b/static/faq.html index ad0ded11..5be8aac5 100644 --- a/static/faq.html +++ b/static/faq.html @@ -941,8 +941,27 @@ the Google service if you prefer.
DNS connectivity and functionality tests involving connections to - the network / user provided DNS resolvers
+A test query is done via DNS-over-TLS in the automatic and manually + enabled modes to detect if DNS-over-TLS is available. It won't happen + when DNS-over-TLS is disabled. For the automatic mode, it uses this to + determine if it should be using it and for the manual mode it uses it + to report an error. This DNS query is not used to make a connection to + the resulting resolved IP.
+ +GrapheneOS queries the DNS resolver for
+ randomstring-dnsotls-ds.dnscheck.grapheneos.org
+ by default but switches to using the standard
+ randomstring-dnsotls-ds.metric.gstatic.com
+ when the HTTP(S) connectivity check mode is set to Standard (Google)
+ instead of the default GrapheneOS mode or Disabled mode to avoid
+ identifying itself as GrapheneOS to the DNS resolver. The DNS-over-TLS
+ test query will still happen with HTTP(S) connectivity checks disabled
+ but DNS-over-TLS can be disabled by disabling Private DNS.
The random string is used to bypass DNS caching to make sure the + DNS resolver. It's generated with a cryptographically secure random + number generator (CSPRNG) for each request and therefore can't leak + any identifying info.
DNS resolution for other connections involving connections to the
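Review bot: the added sentence "The random string is used to bypass DNS caching to make sure the DNS resolver." is incomplete; it needs to say what is being made sure of, e.g. "to make sure the query actually reaches the DNS resolver rather than being answered from a cache". Two smaller points in the same hunk: the "It won't happen when DNS-over-TLS is disabled" wording refers to the Private DNS setting only by implication, while the last sentence of the paragraph makes that explicit, so the two could be aligned; and "therefore can't leak any identifying info" is only true of the random label itself, since the rest of the hostname (dnscheck.grapheneos.org) still identifies GrapheneOS unless the Standard (Google) mode is selected, which is the point the preceding paragraph already makes and could be referenced here.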