I may have overlooked something, but as far as I can tell, in order to block trackers and in order to block network access for specific apps the only solution is to use a blocking app that acts as a VPN? That makes it a non-solution for me at least, 'cause a VPN is essential to me. The only other option I know of is AFWall, which requires root, and which seems to have quite some issues.
What would be the best solution? It seems to me that what we really want is to:
1. patch the system DNS resolver to support a blocklist allowing users (apps) to pull from the popular blocklists (pihole, et al.) and push to the system resolver.
2. support a file that lists hostnames or IP address ranges to block via iptables (the hostnames would be re-resolved periodically) so one can block services that are accessed directly via IP address.
3. have a way to block network access on a per-application basis (in /e/ v1-q I don't see a way to do that and I fear that denying the permission will cause apps to error-out, I'd rather null-route the packets)
Am I missing something? Making it too complicated?
Hmmm, for #1 it seems possible to run dnscrypt-proxy on Android and I know that I can easily feed good ad/malware blocking lists into that (that's what I do on my home router).
Edit: #3 can be done in the settings: Settings->apps-> ->Data usage->deactivate all data sliders
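Added example, not written by any poster in this thread: one way to prepare public blocklists for the dnscrypt-proxy route mentioned above is to normalise hosts-file and plain-domain lists into one name per line. The sample list is constructed, the function names are hypothetical, and the pruning step assumes that a plain name in dnscrypt-proxy's blocked-names file also matches its subdomains.

```python
import re

# Constructed sample mixing the two common list formats:
# hosts-file lines ("0.0.0.0 name") and one-domain-per-line entries.
SAMPLE_LIST = """\
# constructed sample, not a real blocklist
0.0.0.0 tracker.example.com
127.0.0.1 localhost
0.0.0.0 Ads.Example.NET   # inline comment
example.net
cdn.tracker.example.com
metrics.example.org.
not a hostname!
"""

SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "local"}
LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")

def parse_entry(line):
    """Return the normalised hostname on one list line, or None to skip it."""
    fields = line.split("#", 1)[0].split()      # drop comments, split columns
    if fields and fields[0] in SINK_ADDRS:      # hosts format: drop the address
        fields = fields[1:]
    if len(fields) != 1:                        # blank, or not a single name
        return None
    name = fields[0].lower().rstrip(".")
    labels = name.split(".")
    if name in LOCAL_NAMES or len(labels) < 2 or len(name) > 253:
        return None
    if labels[-1].isdigit():                    # an IP address, not a hostname
        return None
    return name if all(LABEL.match(label) for label in labels) else None

def to_blocked_names(text):
    """Deduplicate, then drop names already covered by a listed parent domain
    (assumption: the resolver treats a plain name as 'name and subdomains')."""
    names = {n for n in map(parse_entry, text.splitlines()) if n}
    def covered(name):
        parts = name.split(".")
        return any(".".join(parts[i:]) in names for i in range(1, len(parts)))
    return sorted(n for n in names if not covered(n))

if __name__ == "__main__":
    print("\n".join(to_blocked_names(SAMPLE_LIST)))
```

Rejecting malformed lines instead of passing them through keeps a bad upstream list from putting unexpected patterns into the resolver's configuration.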
Thanks for the links! Blokada sounds interesting but uses the VPN slot. I'm not very interested in their VPN solution 'cause I run my own VPN, so I want to connect to that…
NextDNS doesn't seem to fit the bill IMHO. You end up sending all your DNS queries to their servers and they have your ID to conveniently track you. Thanks, but no-thanks (for me).
That's not true. If you use a "standard" DNS service they can only track you by source IP, which is difficult to correlate with users, especially after you're NAT'd by your mobile network.
I don't think I understand what difference you make between a VPN tunnel and a VPN. Any VPN is a tunnel of sorts by definition…
I've been trying to understand how blokada works and it's not easy… All the docs are at a high-level feature level and there's very little technical (that I've found). It does seem to me that it sends DNS requests to their DNS servers or at least through their VPN to regular DNS servers?
Blokada is using its own local VPN to monitor the outgoing network connections. But it could give you a "tunnel" inside its own VPN to reach your own VPN.
It's best to read everything in the Blokada description.
Except that blokada blocks at the DNS level, so why can't it just replace the system DNS resolver?
Technically, yes, but that's not something the app supports as far as I can tell.
I've spent over an hour reading about it and so far I can't find any technical description that explains how it actually works. If you found a doc, could you link to it?
Sorry no, I don't like blokada. I only read about this "tunnel function" on different posts here and in telegram group. I don't know if there is a blokada telegram group where you can get details.
I don't need this "tunnel" so I'm happy with TrackerControl
I use Tor and so it's not possible to use Blokada. But in the Tor options you find "use all traffic just with Tor connection". The second is to use XPrivacyLua to close every network connection for apps I want to close. (You need root and Xposed Framework/EdXposed.) Blokada just uses an outgoing tunnel to an external VPN if you use the paid version, and only to the given partners of Blokada. So I couldn't use it anymore.
If somebody sees a security problem with this config, please tell me. I think it's anon.
If there is no possibility to connect for apps with trackers, because XPrivacy stopped the app traffic, where are the trackers? I don't see any more trackers. First I check apps with classyshark3xodus before installation. If there are trackers I don't install them or I clean them. There are different apps for that. If I need them I also close the network for the app and some other rights with XPrivacy. The rest is used by Tor to keep the IP private. No one gets my data, no phone ID, no serial numbers etc. Net monitoring shows no more unwanted traffic. But also I use apps from F-Droid.
I wouldn't call Netguard or TrackerControl (the better Netguard) or Blokada a "Firewall".
These apps are tracker blockers which use their own local VPN to monitor your network connections.
A firewall works differently and will need root, like AFWall+.