I use Mullvad VPN with its built-in DNS tracker (malware etc.) blocker enabled. This is why I deactivated Advanced Privacy. I think activating both is redundant, or am I wrong?
I ask this because, although Mullvad protection is active, the Advanced Privacy monitor shows a lot of trackers detected and not blocked. Are they false positives due to the fact that Advanced Privacy is turned off, or are they really trackers that Mullvad does not block?
From reading https://mullvad.net/en/blog/how-set-ad-blocking-our-app: Mullvad blocks DNS via their own servers, outside your device. AP blocks DNS on-device and counts the DNS queries that occur against its known-tracker database.
So the DNS query leaves your device and is counted by AP, but the answer is returned moot by Mullvad. This makes the count in AP unreliable and mostly obsolete. “Mostly” because they could have slightly differing blocklists. They’re publicly documented if you’d want to compare.
OK. Thank you. And between the two methods, which is the best in terms of privacy?
I imagine that activating both of them is counterproductive and that (perhaps) it is also a useless waste of resources (greater battery consumption etc.).
So you’re implicitly telling me that AP’s blocking system is better? Doesn’t it also depend on the lists they use? Mine is really just curiosity. It’s not a controversy. I also use Mullvad on my smartphone simply because I need it on my PC and I have paid for a subscription, and also because it has a good reputation. But I would really be interested in an honest comparison.
No? “Better” is simplistic; I said there’s more to it than one dimension (how many queries get blocked vs. who sees your DNS queries). Both blocklists are online if you want to do a quantitative comparison, but I’m not sure there is a benefit.
If DNS blocking gets any more popular, adversaries will find other means and it will get less useful.
One thing to consider is that for a VPN to block requests, the network request needs to leave your device. Advanced privacy catches it on your device already.
As far as my understanding goes, this means AP would not tax your data plan as much since the cellular modem doesn’t have to be woken up if the DNS request is answered and blocked on-device. Many carriers immediately count 1 MB of data for each time the modem connects, even if it only transfers a few bytes. Since many trackers call out periodically, some every few seconds or minutes, this could add up. Not sure how frequently the DNS would be queried in that case though.
Yeah, I’m afraid we’ll need real firewall solutions soon, not just DNS-based blockers. For example, Adobe software has been calling out to 1.1.1.1 for several years already to manually resolve DNS queries for their tracking and activation if the system DNS doesn’t give them the right answer (too many people blocked their servers in their hosts file apparently).
@p0t4’s initial question was “are they false positives?” and my answer was “mostly” because, as illustrated, AP counts even if Mullvad blocks. Without query logs you can’t answer whether there’s an advantage to using either Mullvad’s blocklist (easylist-privacy + telemetry-trackers) or AP’s (adaway + exodus), though I’d be curious whether either needs updating/expansion. In any case, enabling AP too is an option.
My thinking is: just using any tool in the category (DNS-based blocking) is good enough. The bigger picture is how effective DNS/network-based blocking really is. App publishers can ship everything they want from your usage to one URL endpoint that you, the user, do not want to block, because it’d render the app defective.
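The two-stage picture described earlier in the thread (an on-device monitor that counts every query against its own list, and an upstream VPN resolver that sinkholes names on a different list) as a small simulation. This is an added example, not code from the thread, from Mullvad or from /e/OS Advanced Privacy; the blocklists, the query names and the sinkhole answer `0.0.0.0` are all constructed assumptions, and the two lists are deliberately different so the "mostly" in the thread can be seen in the numbers. It shows why the monitor's "detected, not blocked" count includes queries the upstream resolver did block, and why a name that only the upstream list knows about never shows up in the monitor at all.

```python
# Added example (not from the thread, Mullvad or Advanced Privacy).
# Models an on-device DNS monitor/blocker and an upstream sinkholing
# resolver with *different* blocklists, then audits what the on-device
# counter shows versus what actually happened on the wire.
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed blocklists. Real lists have thousands of entries; two short,
# partly overlapping lists are enough to show how they disagree.
ON_DEVICE_BLOCKLIST = {"tracker.example", "ads.example", "telemetry.example"}
UPSTREAM_BLOCKLIST = {"tracker.example", "ads.example", "analytics.example"}

# Assumed sinkhole answer; a real resolver may answer NXDOMAIN or another
# address instead, so check the provider's documentation before comparing.
SINKHOLE = "0.0.0.0"

# Constructed query names, covering every combination of the two lists.
QUERIES = [
    "cdn.tracker.example",   # on both lists (matched via parent domain)
    "ads.example",           # on both lists
    "telemetry.example",     # on-device list only
    "analytics.example",     # upstream list only
    "app.example",           # on neither list
]


def matches_blocklist(name: str, blocklist: set[str]) -> bool:
    """True if name is a blocklist entry or a subdomain of one.

    Blocklists are matched by DNS suffix, so a.b.tracker.example is checked as
    a.b.tracker.example, b.tracker.example, tracker.example, example.
    """
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def upstream_resolve(name: str) -> str:
    """Stand-in for the VPN provider's resolver: sinkhole or a fake A record."""
    if matches_blocklist(name, UPSTREAM_BLOCKLIST):
        return SINKHOLE
    # Deterministic fake address in TEST-NET-3 so the example is reproducible.
    return "203.0.113." + str(sum(map(ord, name)) % 254 + 1)


@dataclass
class OnDeviceMonitor:
    """Sees every query before it leaves the device, like the AP monitor."""
    blocking_enabled: bool
    detected: list[str] = field(default_factory=list)
    blocked: list[str] = field(default_factory=list)

    def query(self, name: str) -> str:
        if matches_blocklist(name, ON_DEVICE_BLOCKLIST):
            self.detected.append(name)          # counted no matter what
            if self.blocking_enabled:
                self.blocked.append(name)
                return SINKHOLE                 # answered locally, nothing sent
        return upstream_resolve(name)           # forwarded through the tunnel


def audit(blocking_enabled: bool, queries: list[str]) -> dict[str, int]:
    """Compare what the on-device counter shows with what really happened."""
    monitor = OnDeviceMonitor(blocking_enabled)
    counts = {
        "blocked_on_device": 0,
        "shown_detected_not_blocked": 0,     # what the monitor UI reports
        "actually_sinkholed_upstream": 0,    # ...of which upstream blocked
        "actually_reached_real_address": 0,  # ...of which really got through
        "blocked_upstream_only": 0,          # invisible to the monitor
    }
    for name in queries:
        answer = monitor.query(name)
        on_device_hit = matches_blocklist(name, ON_DEVICE_BLOCKLIST)
        if on_device_hit and blocking_enabled:
            counts["blocked_on_device"] += 1
        elif on_device_hit:
            counts["shown_detected_not_blocked"] += 1
            if answer == SINKHOLE:
                counts["actually_sinkholed_upstream"] += 1
            else:
                counts["actually_reached_real_address"] += 1
        elif answer == SINKHOLE:
            counts["blocked_upstream_only"] += 1
    return counts


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"on-device blocking enabled={enabled}:")
        for key, value in audit(enabled, QUERIES).items():
            print(f"  {key}: {value}")
```

With on-device blocking off, the monitor reports three trackers "detected and not blocked", but two of those were sinkholed upstream and only one (`telemetry.example`, which is missing from the upstream list) ever reached a real address; `analytics.example` was blocked upstream without the monitor noticing, because it is missing from the on-device list. To do the same audit against a real setup you need the provider's documented sinkhole answer and a look at the actual responses (for example with `dig` through the tunnel), not the monitor's counter alone.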