Changing DNS for mobile data in CyanogenMod 12+ and Android KitKat/Marshmallow

Android

You need root for this.

In my (probably never ending) mission to remove Google from my Android device, I recently found out that I had missed a very important detail. When using mobile data, the phone gets its IP and DNS information from the cell provider. With recent Android versions, the cell provider's DNS is sometimes ignored and Google's DNS server (8.8.8.8) is used instead. This allows Google to mine data on every DNS request made by many Android devices in the world. The DNS setting for mobile data can't be changed in the GUI. There are older shell commands which used to work in KitKat to change the mobile data DNS on Android, but they are now silently ignored. If 8.8.8.8 is not set, your cell provider's DNS is used, which most probably also mines your resolved domains. If you are into privacy, it's always a good idea to use a trustworthy DNS for your connection. It's kinda creepy that there is no uncomplicated way to change the mobile data DNS in Android.

But there is a hackish solution that works.
You need AFWall for it. As you reached this article I assume that you are already using it. It's an iptables firewall implementation for Android that allows you to block internet access for certain apps and run custom iptables commands automatically.

– Open Afwall
– Menu
– Set custom script

You can set 2 custom scripts here. One runs after the firewall has been enabled, the other one runs after the firewall has been stopped.

# Enable script
# Route all outgoing traffic with a destination port of 53 (DNS) to another DNS server

IT=/system/bin/iptables
DNS=your.fav.dns.ip
$IT -t nat -A OUTPUT -p tcp --dport 53 -j DNAT --to-destination $DNS:53
$IT -t nat -A OUTPUT -p udp --dport 53 -j DNAT --to-destination $DNS:53

# Disable script
# Remove the 2 rules from the NAT table. Deleting by rule specification (-D with the
# same arguments as -A) removes exactly these two rules; deleting by position
# ("-D OUTPUT 1") would remove whatever rule happens to be first in the chain.

IT=/system/bin/iptables
DNS=your.fav.dns.ip
$IT -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to-destination $DNS:53
$IT -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to-destination $DNS:53

You can check your used DNS server(s) here: https://www.perfect-privacy.com/german/dns-leaktest/

A few more trustworthy DNS servers can be found here (scroll down): https://www.ccc.de/censorship/dns-howto/

Shame on you Google. I have to tinker with iptables to set such a basic thing as a DNS server?
Ugly. Ugly. Ugly.

UPDATE:
The AFWall method didn't work well on my device after some testing. Sometimes I was unable to use DNS at all. Running the iptables rules from any startup script during boot works fine though (Tasker can do it). I changed the script a bit to only affect mobile data DNS, because changing it for Wi-Fi as well (as the original script did) broke other things in my LAN.

# Enable script
# Route all outgoing traffic going through rmnet interfaces (Android's mobile data interfaces)
# with a destination port of 53 (DNS) to another DNS server.
# The OUTPUT chain matches the outgoing interface with -o (it rejects -i, which is only
# valid in INPUT, FORWARD and PREROUTING); rmnet+ is a wildcard for all rmnet* interfaces.

IT=/system/bin/iptables
DNS=your.fav.dns.ip
$IT -t nat -A OUTPUT -o rmnet+ -p tcp --dport 53 -j DNAT --to-destination $DNS:53
$IT -t nat -A OUTPUT -o rmnet+ -p udp --dport 53 -j DNAT --to-destination $DNS:53
