I did a test with an app with 2 trackers. TC does catch them before they are sent out to the DNS server, so that behaviour is “normal”. NextDNS did catch them also.
Excellent news! So from what you are seeing, running NextDNS/Quad9 (Settings > Network & internet > Advanced > Private DNS > Private DNS provider hostname > *enter personal info, i.e. *******.dns.nextdns.io) should block trackers system-wide (apps and browser), and then, coupled with a VPN (Mullvad, Proton etc.), we are effectively masked from big tech tracking (other than browser fingerprinting and non-FOSS apps that are logged into). My next question is: what filters do you use in the NextDNS UI to accomplish this? (Or does it even matter beyond their defaults?)
Really appreciate people taking the time to educate, extremely helpful!
After reading fully I have appreciation for those who look at what goes on behind the scenes in FOSS apps listed on FDroid. The accountability and transparency I am learning about is very reassuring and helps me know where to put my money/donations. My gut tells me nothing malicious was purposely happening but I appreciate the standards being upheld by FDroid and those who raise red flags. Thanks for sharing. Taking a deeper look at
Yes, unless apps use fixed IP numbers to send their data. I don’t know if that is done… The settings I use:
A nice NextDNS feature is that you can have per-device configuration.
Is the NextDNS app FOSS? I don’t think so…
No, but on Android 9 you can use the private DNS settings, so no app is needed. The server side is also not FOSS.
Want to be sure I see the whole picture. So the code used to process DNS resolution on their servers is not open source, but the way they encrypt traffic via DoH is? (Encryption of the info from the phone to their server for resolution.)
This is less of a worry to you because with any DNS transaction one must put their trust in the said entity regarding how they really are processing the requests on their servers?
From my knowledge, running the DNS at the DNS setting in the OS and not using an app also lessens the scope of a potential malicious attack on one’s phone by having less area to get at.
If this is correct I’m gonna have to take a deeper look at 188.8.131.52, which is so wonderfully already present in /e/ builds, and compare a bit more along with @marcdw / other suggestions.
DNS over TLS is done by the OS, Android. You will never know what they do with your data at the server side, but that’s the case with all DNS servers, as you’ve mentioned. In my opinion this kind of DNS service should be offered by /e/ to be able to fight tracking from within the OS side and outside. I contacted @GaelDuval a while ago to ask him to investigate the option to cooperate with NextDNS; he could do an audit at NextDNS. One of the NextDNS founders is also French. Did not hear anything back, so I don’t know the status of this.
More understandable why Pihole is so desirable now.
Yes, I once opened port 53 to make use of my Pi-hole outside my home, and in no time it got abused as a DDoS amplifier. I would like an /e/ Pi-hole with a solution for that though. But the Pi-hole also needs to query a DNS server, so that would not help either.
Gonna have to read more to understand. Thanks for the dialogue.
I installed PiVPN on my Pi-hole, opened a port for that VPN and connected using WireGuard from F-Droid. So far no problems.
Sure, since I use split tunnel I can’t use that VPN connection when connected to that network’s Wi-Fi (at least I assume that’s causing the issue: I can connect but internet traffic isn’t working then, I assume a DNS problem), but on the other hand there’s no need because Pi-hole works via Wi-Fi without connecting to the VPN.
Edit: A bit off-topic, but what would be the best way to allow eBay and Zooplus usage through Pi-hole while still keeping at least most trackers blocked? I don’t remember which list blocks those, but whitelisting the main site doesn’t help.
Also tried that VPN solution, but in the end there is always going to be an “external DNS” server you decide to trust. That’s why I stick with NextDNS for the moment. That way I can block ads and trackers no matter how I’m connected.
Yep, I’ve also been considering whether I should change or not. About blocking trackers, the Tracker Control dev says something like DNS can’t block all trackers as effectively as the TC app can, and that’s why it doesn’t support connecting to Pi-hole (at least via VPN, which would require changes because TC uses the VPN slot). But don’t quote me on this one; I should find where he mentioned that…
Anyway, I assume you can use NextDNS with Tracker Control, as well as with RethinkDNS. Just wondering which would be best to choose, especially since I do need access to PiVPN when needed for checking MotionEye alerts I get via Telegram.
Also it would be nice to know more about /e/’s upcoming built-in privacy protection / privacy central, whatever it will be named.
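The two worries raised in this thread, apps sending to fixed IP numbers (earlier in the thread) and the TC dev’s point that DNS can’t block every tracker, come down to the same limitation: a DNS-based blocker (NextDNS, Pi-hole, Quad9) only sees traffic whose name lookup went through the configured resolver. The following is an added example, not code from this thread or from NextDNS, Pi-hole or TrackerControl: a Python check that correlates a resolver’s query log with the outbound flows seen on a home router and flags destinations the resolver never handed out, which is what a hard-coded IP or an app-private DoH/DoT channel looks like. The log formats, the addresses and the `find_dns_bypass` helper are constructed here for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of resolver answers (Pi-hole / NextDNS query-log style):
# timestamp, queried name, record type, answer.
DNS_LOG = """\
2024-01-01T10:00:00 app.example.org A 203.0.113.10
2024-01-01T10:00:01 cdn.example.net A 198.51.100.7
2024-01-01T10:00:02 tracker.example.com A 0.0.0.0
"""

# Constructed sample of outbound flows seen on the router for the phone:
# timestamp, destination IP, destination port.
FLOW_LOG = """\
2024-01-01T10:00:01 203.0.113.10 443
2024-01-01T10:00:03 198.51.100.7 443
2024-01-01T10:00:03 192.168.1.20 8080
2024-01-01T10:00:04 192.0.2.55 443
2024-01-01T10:00:05 192.0.2.77 853
"""

# Answers a blocklist returns instead of the real address (sinkholed names).
SINKHOLE_ANSWERS = {"0.0.0.0", "::"}
# 853 is the IANA port for DNS over TLS; a flow to it means the app talks to
# its own resolver instead of the one configured under Private DNS.
DOT_PORT = 853

# Destinations that are not expected to go through the resolver at all.
# Listed explicitly (instead of ipaddress.is_private) so that the RFC 5737
# documentation ranges used in the constructed sample count as "external".
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128",
)]


def is_lan(ip):
    """True for RFC 1918 / ULA / loopback addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def parse_dns_log(text):
    """Map each real (non-sinkholed) answer IP to the names that resolved to it."""
    resolved = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, qname, rtype, answer = line.split()
        if rtype in ("A", "AAAA") and answer not in SINKHOLE_ANSWERS:
            resolved[answer].add(qname)
    return resolved


def parse_flow_log(text):
    """Return (timestamp, dst_ip, dst_port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, port = line.split()
        flows.append((ts, ip, int(port)))
    return flows


def find_dns_bypass(dns_text, flow_text):
    """Flag flows whose destination never appeared as a resolver answer.

    These are exactly the connections a DNS-level blocker cannot influence:
    the app either carries a hard-coded IP or resolved the name over its own
    encrypted channel. LAN destinations are skipped.
    """
    resolved = parse_dns_log(dns_text)
    findings = []
    for ts, ip, port in parse_flow_log(flow_text):
        if is_lan(ip) or ip in resolved:
            continue
        reason = "destination never returned by the resolver"
        if port == DOT_PORT:
            reason += "; port 853 suggests an app-private DoT resolver"
        findings.append({"time": ts, "ip": ip, "port": port, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_dns_bypass(DNS_LOG, FLOW_LOG):
        print(f"{f['time']} {f['ip']}:{f['port']}  {f['reason']}")
```

On real data the DNS side comes from the Pi-hole query log or the NextDNS logs page and the flow side from the router’s connection tracking; the point of the correlation is that 203.0.113.10 and 198.51.100.7 were legitimately resolved, while 192.0.2.55 and 192.0.2.77 were reached without any lookup the blocker could have refused. An app that talks to addresses like those is the case where a VPN-slot blocker such as TC, which sees every packet, has something to work with and a DNS filter does not.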
Did the TC dev explain why the TC app can block more effectively?
Just tested TC + NextDNS, got the message “Private DNS must be disabled”. Doesn’t that mean TC also uses DNS to block…
I think it was this & following comments:
I am seeing this on my previously mentioned non-root test phone too. It’s a little toaster message that pops up for 3 seconds or so and then disappears.
The dilemma I see is that I don’t know what I don’t know. I know I can minimize tracking mechanisms but what is still getting through and giving Google/big tech info to fingerprint me?
From my inexperienced perspective (similar to, but maybe with just a bit more knowledge than, the mass population) I keep thinking a setup good for simple users is Quad9/NextDNS/RethinkDNS at the system setting coupled with a VPN, or… Blokada (claims DNS/tracker blocking/VPN all together).
For those power users/more knowledgeable, one of @marcdw’s suggestions (root) might do a better job of more complete privacy protection. But then some will say, “you can’t have privacy without security, and you don’t have verified boot and you have rooted your device…”.
So again the dilemma… What is best? One must have some education, or they are somewhat blindly trusting in following any solution.
To get a good chunk of the population to use good privacy tools like /e/ and what is outlined here, it must be simple and verifiable for people to gravitate to the said solution. (FOSS, @huuhaa’s example of the RethinkDNS developer/F-Droid auditing the backend of what was really happening👇)
What is not “simple” for me is this example and others like it using different combinations.
I did a quick peek at the TC GitHub repo; as far as I can see it also uses “hosts files”.
So not sure why TC can do the job better. (Don’t mean to bash TC, just curious.)
Thanks for sharing, more learning… so TC is using these resources, “mozilla-services”?