From 63d70eaf452ced178653fd97b141e2c25071720a Mon Sep 17 00:00:00 2001 From: Daniel Micay Date: Mon, 2 Jan 2023 11:57:05 -0500 Subject: [PATCH] explain DNS-over-TLS test query in detail --- static/faq.html | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/static/faq.html b/static/faq.html index ad0ded11..5be8aac5 100644 --- a/static/faq.html +++ b/static/faq.html @@ -941,8 +941,27 @@ the Google service if you prefer.

  • -

    DNS connectivity and functionality tests involving connections to - the network / user provided DNS resolvers

    +

    A test query is done via DNS-over-TLS in the automatic and manually + enabled modes to detect if DNS-over-TLS is available. It won't happen + when DNS-over-TLS is disabled. For the automatic mode, it uses this to + determine if it should be using it and for the manual mode it uses it + to report an error. This DNS query is not used to make a connection to + the resulting resolved IP.

    + +

    GrapheneOS queries the DNS resolver for + randomstring-dnsotls-ds.dnscheck.grapheneos.org + by default but switches to using the standard + randomstring-dnsotls-ds.metric.gstatic.com + when the HTTP(S) connectivity check mode is set to Standard (Google) + instead of the default GrapheneOS mode or Disabled mode to avoid + identifying itself as GrapheneOS to the DNS resolver. The DNS-over-TLS + test query will still happen with HTTP(S) connectivity checks disabled + but DNS-over-TLS can be disabled by disabling Private DNS.

    + +

    The random string is used to bypass DNS caching to make sure the + DNS resolver. It's generated with a cryptographically secure random + number generator (CSPRNG) for each request and therefore can't leak + any identifying info.

  • DNS resolution for other connections involving connections to the
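Review bot: the first sentence of the last added paragraph is incomplete: "The random string is used to bypass DNS caching to make sure the DNS resolver." stops before saying what is being made sure of; complete it, e.g. "to make sure the query actually reaches the DNS resolver instead of being answered from a cache". In the same paragraph, "therefore can't leak any identifying info" holds only for the random label itself; the remainder of the hostname (dnscheck.grapheneos.org) still identifies the OS to the resolver, which is exactly why the preceding paragraph describes switching to the gstatic.com name, so scope the claim to the random prefix ("the random prefix itself can't leak any identifying info") to avoid contradicting that paragraph.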