Disabling Android Private DNS on specific WiFi network

One of Android's lesser-known features is Private DNS. Introduced in Android 9 Pie, it enhances user privacy and security by allowing devices to use DNS over TLS (DoT) to encrypt DNS queries. This prevents third parties, such as your mobile carrier or ISP, from snooping on a user's internet activity - the DNS queries at least. This ensures that all DNS traffic from the device is encrypted, providing a more secure and private browsing experience.

However, as some of you may run complex homelab DNS servers with local records or ad filtering (e.g. Pi-hole), you may not want to have this enabled on your home WiFi. Sadly, there is no option to exclude a certain WiFi network from Private DNS, so we have to get a bit creative.

Tasker

Tasker is an Android app that allows you to run automations on your phone whenever certain actions trigger, such as you connecting to your home WiFi. We'll use that to change the Private DNS setting on your device whenever you connect to your home WiFi and re-enable it whenever you disconnect from it.

Sadly, Samsung's built-in Routines don't currently support changing this setting - so if anyone working on OneUI is reading this - please add it as an action. In the meantime, get Tasker from the Play Store.

Profile and Tasks

Start by creating a profile based on a State. I called mine Wifi Connected.

Link to it a Task called PrivateDNS-Disable, with a Custom Setting action. The name field should be private_dns_mode and value off.

Next, create a Task called PrivateDNS-Enable and link it as an Exit Task. This task should just be a copy of the previous one, except that you set the value to hostname. This will use the manually defined DoT address. In my case I'm using 1dot1dot1dot1.cloudflare-dns.com for Cloudflare's DNS.

Now, when you enable this action, you'll most likely get an error saying that Tasker can't write secure settings and needs extra permissions. This is where it gets a bit more tricky.

ADB and Developer Mode

For this to work, you'll need to grant Tasker the required permission via ADB.

  1. Make sure that Tasker is installed on your Android device
  2. Enable Developer Mode: Go to Android Settings -> About Phone and look for the Build Number option. Touch it multiple times until developer mode is enabled.
  3. Enable USB Debugging: Go to Android Settings and look for the Developer Options option. In there, enable the USB debugging option.
  4. Install ADB on your PC: You can download ADB here.
  5. Connect device to PC: Connect your device to a PC and look on your phone. A prompt should show up asking you to allow your phone to be debugged by your PC. Accept this.
  6. Open your terminal of choice and go to the folder where you have the adb binary.
  7. Now run the following adb command: adb shell pm grant net.dinglisch.android.taskerm android.permission.WRITE_SECURE_SETTINGS. Note that you need to call the right binary (adb/adb.exe/...)

That's it. Tasker now has permissions to change the Private DNS setting.

You may get an unauthorized error like the following:

╰─ .\adb.exe devices
* daemon not running; starting now at tcp:5037
* daemon started successfully
List of devices attached
R5CX13HV5JY     unauthorized

In that case, go to the developer options on the phone and click "Revoke USB debugging authorization".

After that, reconnect your phone via USB and you'll see it ask for permission on screen again. Now you can re-run the devices command and should get the following:

╰─ .\adb.exe devices
List of devices attached
R5CX13HV5JY     device
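
The grant step and the unauthorized check above can be combined into one script. This is an added example, not part of the original post: the function names, the `--run` switch and the `ADB` override are made up for illustration, and it also reads `private_dns_specifier`, the global setting that holds the DoT hostname used in `hostname` mode.

```shell
#!/bin/sh
# Added example (not from the original post). ADB may be overridden, e.g. ADB=./adb.exe
ADB=${ADB:-adb}
PKG=net.dinglisch.android.taskerm
PERM=android.permission.WRITE_SECURE_SETTINGS

# stdin: `adb devices` output. Prints the state if exactly one device is listed,
# otherwise "none" or "multiple". Daemon notices and the header line are skipped.
device_state() {
    awk '/^\*/ || /^List of devices/ || NF < 2 { next }
         { n++; s = $2 }
         END { if (n == 0) print "none"; else if (n > 1) print "multiple"; else print s }'
}

# Returns 0 only for state "device"; otherwise explains what to fix.
check_ready() {
    case "$1" in
        device)       return 0 ;;
        unauthorized) echo "Revoke USB debugging authorization, reconnect, accept the prompt" >&2 ;;
        none)         echo "No device listed: check the cable and USB debugging" >&2 ;;
        multiple)     echo "Several devices attached: leave only the phone connected" >&2 ;;
        *)            echo "Device state '$1' is not usable yet" >&2 ;;
    esac
    return 1
}

# stdin: `dumpsys package` output. Succeeds if the permission shows as granted.
# Assumption: the "<permission>: granted=true" line format of current Android builds.
perm_granted() { grep -q "$PERM: granted=true"; }

grant_and_verify() {
    check_ready "$("$ADB" devices | device_state)" || return 1
    "$ADB" shell pm grant "$PKG" "$PERM" || return 1
    "$ADB" shell dumpsys package "$PKG" | perm_granted || {
        echo "Grant not visible in dumpsys" >&2; return 1; }
    # The two global settings behind the Private DNS screen: mode is off,
    # opportunistic or hostname; the specifier holds the DoT hostname.
    echo "private_dns_mode=$("$ADB" shell settings get global private_dns_mode)"
    echo "private_dns_specifier=$("$ADB" shell settings get global private_dns_specifier)"
}

# Only touch a real device when asked to: sh grant-tasker.sh --run
if [ "${1:-}" = "--run" ]; then grant_and_verify; fi
```

The grant stays in place after USB debugging is switched off again, and `adb shell pm revoke` with the same package and permission undoes it.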

Cleanup

That's all! Test it and you should see the Private DNS setting change when you connect to or disconnect from your WiFi. You can also customise Tasker a bit, for example by hiding the notification that tells you the automation is active whenever you're connected to your home WiFi.