Insecure DNS Setup
OWASP category: MASVS-NETWORK: Network Communication (https://mas.owasp.org/MASVS/08-MASVS-NETWORK)
Overview
Insecure DNS configurations can arise when developers customize an application's
DNS transport behavior or bypass device defaults, or when a user specifies a
private DNS server on Android 9 and later. Deviating from known-good DNS
configurations can leave users vulnerable to attacks such as DNS spoofing or DNS
cache poisoning, which let an attacker redirect user traffic to malicious sites.
Impact
If a malicious network attacker is able to spoof DNS, they can discreetly
redirect the user to a website they control, without arousing the user's
suspicion. This malicious website could, for example, phish the user for
personally identifiable information, cause a denial of service for the user, or
redirect the user to websites without notification.
Risk: Vulnerable DNS Transport Security
Custom DNS configurations may allow apps to bypass Android's built-in transport
security for DNS in Android 9 and higher.
Mitigations
Use the Android OS to handle DNS traffic
Let the Android OS handle DNS resolution. Starting with SDK level 28, Android
secures DNS transport with DNS over TLS, and SDK level 30 added DNS over HTTP/3.
Use SDK level >=28
Update the SDK level to at least 28. Note that this mitigation requires
communication with well-known and secure public DNS servers, such as those
listed at https://dnsprivacy.org/public_resolvers/.
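The following is an added example, not code from this Android documentation page. It shows the shape of the mitigation above: resolving names through the platform resolver (so the Private DNS setting, DNS over TLS on API 28+ and DNS over HTTP/3 on API 30+, applies) instead of sending hand-built UDP/53 queries to a hardcoded server. The class and method names (SystemDnsLookup, lookup, isPrivateDnsActive) are my own; the framework APIs used (android.net.DnsResolver, available since API 29, and LinkProperties.isPrivateDnsActive(), available since API 28) are real Android APIs. The isPrivateDnsActive check is a diagnostic for logging or telemetry; it is not a reason to fall back to a custom transport when it returns false, because that setting belongs to the user or device policy.

```java
import android.annotation.TargetApi;
import android.content.Context;
import android.net.ConnectivityManager;
import android.net.DnsResolver;
import android.net.LinkProperties;
import android.net.Network;
import android.os.Build;
import android.os.CancellationSignal;
import android.util.Log;

import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.Executor;
import java.util.concurrent.Executors;
import java.util.function.Consumer;

/** Added example (not Android's own code): name lookups routed through the OS resolver. */
public final class SystemDnsLookup {
    private static final String TAG = "SystemDnsLookup";

    // One background thread for resolver callbacks and for the pre-API-29 blocking fallback.
    private final Executor executor = Executors.newSingleThreadExecutor();

    /**
     * Diagnostic check: is Private DNS (DNS over TLS, API 28+) engaged on the active network?
     * Returns false on devices older than Android 9, where the setting does not exist.
     */
    public static boolean isPrivateDnsActive(Context context) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.P) {
            return false;
        }
        ConnectivityManager cm = context.getSystemService(ConnectivityManager.class);
        Network active = cm == null ? null : cm.getActiveNetwork();
        LinkProperties lp = active == null ? null : cm.getLinkProperties(active);
        return lp != null && lp.isPrivateDnsActive();
    }

    /**
     * Resolve hostname through the OS resolver. onResult is invoked on the executor thread
     * and receives an empty list on failure.
     *
     * What this deliberately does not do: open a DatagramSocket to a hardcoded resolver on
     * UDP/53. That pattern sidesteps the Private DNS setting and leaves the app consuming
     * plaintext, unauthenticated answers.
     */
    public void lookup(Context context, String hostname, Consumer<List<InetAddress>> onResult) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            lookupWithDnsResolver(context, hostname, onResult);
            return;
        }
        // Before API 29 there is no async resolver API, but InetAddress still resolves via the
        // system resolver (netd), so Private DNS on Android 9 continues to apply.
        executor.execute(() -> {
            try {
                onResult.accept(Arrays.asList(InetAddress.getAllByName(hostname)));
            } catch (UnknownHostException e) {
                Log.w(TAG, "Lookup failed for " + hostname, e);
                onResult.accept(Collections.emptyList());
            }
        });
    }

    @TargetApi(Build.VERSION_CODES.Q)
    private void lookupWithDnsResolver(Context context, String hostname,
                                       Consumer<List<InetAddress>> onResult) {
        ConnectivityManager cm = context.getSystemService(ConnectivityManager.class);
        // A null Network means "use the default network", which is what most apps want.
        Network network = cm == null ? null : cm.getActiveNetwork();
        CancellationSignal cancel = new CancellationSignal();

        DnsResolver.getInstance().query(
                network,
                hostname,
                DnsResolver.FLAG_EMPTY,
                executor,
                cancel,
                new DnsResolver.Callback<List<InetAddress>>() {
                    @Override
                    public void onAnswer(List<InetAddress> answer, int rcode) {
                        // A non-zero RCODE (for example NXDOMAIN or SERVFAIL) still arrives here.
                        if (rcode != 0) {
                            Log.w(TAG, "Resolver returned rcode " + rcode + " for " + hostname);
                        }
                        onResult.accept(answer);
                    }

                    @Override
                    public void onError(DnsResolver.DnsException error) {
                        Log.w(TAG, "Lookup failed for " + hostname, error);
                        onResult.accept(Collections.emptyList());
                    }
                });
    }
}
```

A caller would use `new SystemDnsLookup().lookup(context, "example.com", addrs -> ...)` from any thread, and can log `SystemDnsLookup.isPrivateDnsActive(context)` alongside the result to see whether the platform's encrypted transport was in play. Keeping the app on the OS resolver is what makes both the DNS over TLS and the later DNS over HTTP/3 upgrades apply to it automatically; a custom transport would have to re-implement and maintain that protection itself.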
Resources
- Resolve DNS queries: /training/basics/network-ops/connecting#lookup-dns
- Java reference for DnsResolver Class: /reference/android/net/DnsResolver
- Android Security Blog post about DNS-over-HTTP/3: https://security.googleblog.com/2022/07/dns-over-http3-in-android.html
- Overview of secure transport for DNS: https://developers.google.com/speed/public-dns/docs/secure-transports
- Android Developer Blog post about DNS over TLS: https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
Content and code samples on this page are subject to the licenses described in the Content License. Java and OpenJDK are trademarks or registered trademarks of Oracle and/or its affiliates.
Last updated 2024-09-24 UTC.