I may have overlooked something, but as far as I can tell, in order to block trackers and in order to block network access for specific apps the only solution is to use a blocking app that acts as a VPN? That makes it a non-solution for me at least, 'cause a VPN is essential to me. The only other option I know of is AFWall, which requires root, and which seems to have quite some issues.
What would be the best solution? It seems to me that what we really want is to:
1. patch the system DNS resolver to support a blocklist allowing users (apps) to pull from the popular blocklists (pihole, et al.) and push to the system resolver.
2. support a file that lists hostnames or IP address ranges to block via iptables (the hostnames would be re-resolved periodically) so one can block services that are accessed directly via IP address.
3. have a way to block network access on a per-application basis (in /e/ v1-q I don’t see a way to do that and I fear that denying the permission will cause apps to error out, I’d rather null-route the packets)
Am I missing something? Making it too complicated?
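As an added example (not code from this thread, from /e/, or from any of the apps mentioned), here is one way item #2 could be implemented: a blocklist file of hostnames and IPv4 ranges is parsed, hostnames are resolved at each run (so calling it from a scheduler gives the periodic re-resolution), and iptables DROP rules are produced. The file format, the OUTPUT-chain rule layout and the sample entries are assumptions.

```python
"""Turn a blocklist of hostnames and IPv4 ranges into iptables DROP rules."""
import ipaddress
import socket
from typing import Callable, List

# Constructed sample blocklist (assumed format: one entry per line, '#' comments).
SAMPLE_BLOCKLIST = """\
# trackers to drop at the packet level
tracker.example.com
203.0.113.0/24        # documentation range used as a stand-in
198.51.100.7
not a hostname!       # malformed line: must be reported, not silently dropped
"""

def default_resolver(host: str) -> List[str]:
    """Resolve a hostname to its current IPv4 addresses (live DNS lookup)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def parse_blocklist(text: str):
    """Classify entries as ('net', network) or ('host', name); collect bad lines."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        item = raw.split("#", 1)[0].strip()
        if not item:
            continue
        try:  # an address or CIDR range is taken as-is
            entries.append(("net", ipaddress.ip_network(item, strict=False)))
            continue
        except ValueError:
            pass
        # crude hostname check: dot-separated labels of letters, digits, hyphens
        if all(p and p.replace("-", "").isalnum() for p in item.split(".")):
            entries.append(("host", item))
        else:
            errors.append((lineno, raw))
    return entries, errors

def build_rules(text: str, resolver: Callable[[str], List[str]] = default_resolver):
    """Return (iptables rules as argv lists, unresolvable hostnames, bad lines)."""
    entries, errors = parse_blocklist(text)
    rules, unresolved = [], []
    for kind, value in entries:
        targets = [str(value)] if kind == "net" else resolver(value)
        if kind == "host" and not targets:
            unresolved.append(value)  # keep the name so the next run retries it
        for target in targets:
            # DROP (null-route) rather than REJECT, so the app just sees a timeout
            rules.append(["iptables", "-A", "OUTPUT", "-d", target, "-j", "DROP"])
    return rules, unresolved, errors
```

A real deployment would flush and re-add the rules (or swap an ipset) on each run so stale addresses from the previous resolution do not accumulate.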
Hmmm, for #1 it seems possible to run dnscrypt-proxy on Android and I know that I can easily feed good ad/malware blocking lists into that (that’s what I do on my home router).
Edit: #3 can be done in the settings: Settings->apps-> ->Data usage->deactivate all data sliders
Thanks for the links! Blokada sounds interesting but uses the VPN slot. I’m not very interested in their VPN solution 'cause I run my own VPN, so I want to connect to that…
NextDNS doesn’t seem to fit the bill IMHO. You end up sending all your DNS queries to their servers and they have your ID to conveniently track you. Thanks, but no thanks (for me).
That’s not true. If you use a “standard” DNS service they can only track you by source IP, which is difficult to correlate with users, especially after you’re NAT’d by your mobile network.
I don’t think I understand what difference you make between a VPN tunnel and a VPN. Any VPN is a tunnel of sorts by definition…
I’ve been trying to understand how Blokada works and it’s not easy… All the docs are at a high-level feature level and there’s very little technical detail (that I’ve found). It does seem to me that it sends DNS requests to their DNS servers or at least through their VPN to regular DNS servers?
Blokada is using its own local VPN to monitor the outgoing network connections. But it could give you a ‘tunnel’ inside its own VPN to reach your own VPN.
Best to read it all in the Blokada description.
Except that Blokada blocks at the DNS level, so why can’t it just replace the system DNS resolver?
Technically, yes, but that’s not something the app supports as far as I can tell.
I’ve spent over an hour reading about it and so far I can’t find any technical description that explains how it actually works. If you found a doc, could you link to it?
Sorry, no, I don’t like Blokada. I only read about this ‘tunnel function’ in different posts here and in the Telegram group. I don’t know if there is a Blokada Telegram group where you can get details.
I don’t need this ‘tunnel’ so I’m happy with TrackerControl.
I use Tor and so it’s not possible to use Blokada. But in the Tor options you find “use all traffic just with Tor connection”. The second is to use XPrivacyLua to close every network connection for apps I want to close. (You need root and the Xposed framework/EdXposed.) Blokada just uses an outgoing tunnel to an external VPN if you use the paid version, and only to the given partners of Blokada. So I couldn’t use it anymore.
If somebody sees a security problem with this config, please tell me. I think it’s anon.
If there is no possibility to connect for apps with trackers, because XPrivacyLua stopped the app traffic, where are the trackers? I don’t see any more trackers. First I control apps with ClassyShark3xodus before installation. If there are trackers I don’t install them or I clean them. There are different apps for that. If I need them I also close the network for the app and some other rights with XPrivacyLua. The rest is used by Tor to keep the IP private. No one gets my data, no phone ID, no serial numbers etc. Net monitoring shows no more unwanted traffic. But I also use apps from F-Droid.
I wouldn’t call Netguard or TrackerControl (the better Netguard) or Blokada a ‘firewall’.
These apps are tracker blockers which use their own local VPN to monitor your network connections.
A firewall works differently and will need root, like AFWall+.