Android Orbot with "Private DNS" enabled

Hi people,

I am trying to use an app that supports Orbot on my Android device.

So I activate Orbot for this single app, but the app itself doesn’t connect to the onion service.
Now, if I turn off my “Private DNS” setting (dns.quad9.net), it connects successfully to the .onion.

So my questions would be:

a) Why does it seem that no connection can be made with Android’s “Private DNS” enabled?
b) During my initial research I recall having read that if the app tries to reach out to an .onion, it sends a DNS request first (which can’t be resolved by “normal” DNS resolvers since it’s an .onion address). Once it comes back unresolved, it tries to connect to the onion via Orbot. Is that true? I mean, that would leak the .onion address to all DNS parties involved, which would be a joke imho since it would defeat the “privacy” side of hidden services?!

Thanks for your time

a) On Android, Orbot is basically a VPN app, and “Private DNS” has priority over VPN settings. When “Private DNS” is enabled, all DNS queries are sent through the DoT server you have configured, even if you’re using Orbot or any VPN app for that matter. Of course, a DNS server cannot “resolve” an .onion address.
b) You’re right that the DNS query “leaks” the .onion address to the DoT server (managed by Quad9 in your case). The DNS query is encrypted in transit (with TLS), but since it is not routed through Orbot, your DNS provider is able to associate it with your IP address. Depending on your threat model and how much you trust Quad9, it may or may not be a problem. Anyway, it seems you can’t connect to the Onion service.

Thanks for the explanation.

Interestingly, the combination of “Orbot FULL VPN” mode with “Private DNS” also doesn’t seem to work for clearnet sites?! I would have thought that at least those should work, e.g. in a browser app. But it’s like it completely kills all internet connections?!

Anyway, back to the real question: if I have Orbot in the “per app mode” and disable “Private DNS”, does this also “leak” to the DoT (in that case to the one which gets automatically assigned to me by my router/ISP) in a first step before successfully connecting to the .onion or does this prevent that?

At the end of the day, it depends on how the app is making DNS queries.
I guess the vast majority of apps use Android’s default DNS resolver. When you’re using a VPN app like Orbot, all network traffic is supposed to be sent through it, even DNS queries when “Private DNS” is disabled. So your queries will hopefully not “leak” to your router/ISP.
However, some apps may use their own DNS resolver, possibly over TLS or HTTPS, bypassing Android’s defaults. For instance, Firefox can be configured to use DoH (DNS over HTTPS). All DNS queries made by these apps will be sent to their configured resolver, which will “see” them. If these queries are not encrypted in transit (with DoT or DoH), intermediary network nodes will also be able to “see” them. In any case, there will be an information leak.
Finally, a few apps are natively able to make queries through Tor (by embedding a Tor library), like the Tor Browser itself or Cwtch. These apps can connect to .onion addresses even when “Private DNS” is enabled. If you just need to access web pages over Tor, possibly with an .onion address, you can simply use the Tor Browser without having to change your “Private DNS” settings.
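The two mechanisms discussed in this thread (an .onion name being handed to a DNS resolver versus being handed to Tor) can be checked from the defender's side. The following is an added example, not code from the thread or from Orbot, and the log lines it scans are constructed: `find_onion_leaks` flags any query for a `.onion` name in a resolver log (RFC 7686 reserves `.onion` and says such names must never reach the DNS, so every hit is a leak), and `socks5_connect_request` builds the SOCKS5 CONNECT request an app should send to Orbot's SOCKS port so that the hostname travels to Tor untouched instead of being resolved locally. The function names and the log format are assumptions made for this example.

```python
import struct

# Constructed sample resolver log (not from the thread), one query per line:
# "<timestamp> <client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 192.0.2.10 example.com A
2024-01-01T10:00:01Z 192.0.2.10 abcdefghijklmnop.onion A
2024-01-01T10:00:02Z 192.0.2.11 dns.quad9.net AAAA
2024-01-01T10:00:03Z 192.0.2.12 xyz.onion. AAAA
"""


def is_onion_name(qname: str) -> bool:
    """True if the query name falls under the reserved .onion TLD (RFC 7686)."""
    name = qname.lower().rstrip(".")
    return name == "onion" or name.endswith(".onion")


def find_onion_leaks(log_text: str):
    """Return (client_ip, qname) for every DNS query that names an .onion host.

    A DNS resolver can never answer these; the only effect of the query is to
    reveal which hidden service the client wanted, so each hit is a leak.
    """
    leaks = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or empty lines
        _timestamp, client, qname, _qtype = parts[:4]
        if is_onion_name(qname):
            leaks.append((client, qname))
    return leaks


def socks5_connect_request(hostname: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT request (RFC 1928) with ATYP 0x03 (domain name).

    Sending the name itself, rather than an IP address, is what lets the proxy
    (Tor, via Orbot) perform the lookup. A client that first calls the system
    resolver and then sends an IPv4 address (ATYP 0x01) has already leaked the
    name, and for .onion names the lookup cannot succeed at all.
    """
    name = hostname.rstrip(".").encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("SOCKS5 domain names are 1..255 bytes")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return (
        b"\x05"            # version 5
        + b"\x01"          # command: CONNECT
        + b"\x00"          # reserved
        + b"\x03"          # address type: domain name
        + bytes([len(name)])
        + name
        + struct.pack("!H", port)
    )


def parse_socks5_connect_request(data: bytes):
    """Decode the request built above; returns (hostname, port) or raises."""
    if len(data) < 5 or data[:4] != b"\x05\x01\x00\x03":
        raise ValueError("not a SOCKS5 CONNECT with a domain-name address")
    n = data[4]
    if len(data) != 5 + n + 2:
        raise ValueError("length mismatch")
    name = data[5:5 + n].decode("idna")
    (port,) = struct.unpack("!H", data[5 + n:])
    return name, port


if __name__ == "__main__":
    for client, qname in find_onion_leaks(SAMPLE_LOG):
        print(f"leak: {client} asked the DNS for {qname}")
    req = socks5_connect_request("xyz.onion", 80)
    print("SOCKS5 request:", req.hex(), "->", parse_socks5_connect_request(req))
```

In practice the request bytes would be written to Orbot's local SOCKS port after the usual method-negotiation handshake; the point of the encoder is that the `.onion` string leaves the app only inside that proxy request, never inside a DNS packet.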
