[deleted]
GlytchMeister AOSP keyboard doesn't have a thumbs up. So, thumbs up! Maybe an idea for devs to look at more than security...
Proton apps pinging Google API + sending reports back after opting out
@mmmm
@GlytchMeister
I don't know about an explicit RethinkDNS guide, start with my post above, description of specific features can be found on RDNS's github page, there's a lot of explanations in the issues.
You may want to open an RDNS thread here on the forum, pretty much sure there are some GOS users around that use RDNS, kind of a "place to go about RDNS" where we can help and answer questions...?
GlytchMeister I'm rapidly approaching the point of learning how to set up my own server rack and host my own private domain and instances of things.
An own "home lab" is an excellent thing for sure, but one has to know how set it up and keep it running.
And keep in mind, your "own private domain" makes you trackable everywhere, better use public services (email, VPN, etc.) that are known to respect privacy.
- Edited
Uuuuuugh I thought that was like, the "you need to be able to See The Code like Neo to pull it off, but if done right, is very secure and private" option
headdesk
I'm rapidly approaching the point at which I turn off my pixel and go back to my decrepit iPhone 8 and accept defeat
- Edited
GlytchMeister well it depends what you use it for.
I have a home lab. My services are searx for websearches, lingva for translate, and various other front ends and services. Calendar, contacts and photos are also self hosted. This is all easy, and you really dont have to worry too much about security so long as you access it all through a VPN, or do a bit of research into setting up reverse proxies securely. Tailscale is a good VPN option (free, though not all open source). I am assuming youre not being targeted by a nation state or even LE. If you are then I would not suggest self hosting or be so blasé about how easy it is to secure.
I personally dont try to self host my own email server, website or anything else that I can't just 'turn off' and cope with it if it need too.
Above anything else its a fun project.
Well, you're correct that I'm not being targeted. Well, as far as I know. I am a hobbyist SciFi and fantasy writer, so my searches are liable to raise some eyebrows, but I have yet to be visited by forgettable people in cheap suits and sunglasses, so I assume I'm not being actively targeted. :P
I don't have the knowhow to do it, I don't have the time to learn, and I don't have the hardware even if I had the knowledge and time, anyway, so... Yeah. Its just frustrating.
GlytchMeister a raspberry pi and a free weekend is all you need and you can have a self hosted version of searx and have the most private internet search engine free of big tech tracking. You can message me privately if you want a bit of help.
Anyway, this has got off topic.
My advice re: giving up GrapheneOS, dont do it. Take a deep breath and try not to over think it all. One step at a time is all thats needed. The OS out of the box is already leaps and bounds better than anything else. Dont buy into overblown minutiae regarding privacy services, and definitely dont let it fatigue you. You dont have to give up every proton service just because it makes an api call to google, something which most people dont even understand what it's actually doing.
FWIW, Ivran this logging by Proton support. They indicate that all notification data is encrypted currently but that they are looking at eliminating the need to use the google apis at all.
Speeduser7533 its not a good look if you intentionally implement it, but only after it has been exposed to public they attempt to patch things up.
- Edited
Thank you for revealing and discussing this issue in Proton email (and others) apps.
FWIW, I've been quite satisfied using Vanadium to access my various Proton online storage(s), and AFAICT Google is not involved.
Also Vanadium seems the MOST trustworthy and secure (hardening) web app around. Even if Proton modifies its' apps, they won't be as secure as Vanadium. So for me, the question becomes, how badly do I need push notifications?
Don't need them.
Also, the quick-reply business crowd seems to be moving to SMS - which of course has NO privacy - but significant security thanks to GOS auditing and hardening.
(FWIW this same reasoning applies to my banking - I use Vanadium, and not some poorly-written bank app)
Just suggesting that you do not abandon Proton web storage(s). HTH.
- Edited
Unfortunately, I do need notifs for my emails :/
Annoying.
I'm no security guru, so someone who knows better may give this a bad evaluation, I don't know. But, it does work for me:
- Edited
rdns dev here
GlytchMeister definitely interested in a guide... And even more interested in a "RethinkDNS for Dummies" sort of guide.
I put an ad-hoc one on our subreddit: https://www.reddit.com/r/rethinkdns/comments/12ta9zo/configure_app_for_optimal_use/ / mirror: https://archive.is/Krcoh
The gist is, allow only what you trust.
- From Configure -> Firewall -> Universal firewall rules, turn ON
- Block when device is locked
- Block newly installed apps by default
- (if you're feeling particularly adventurous) Block when DNS is bypassed
- Go to Configure -> Apps, then tap on the wifi and mobile icons 🛜📶 to block all apps.
- Search for apps you use (for me, its 7 apps of the over 400 installed), and either Bypass Universal them or Isolate them.
- If you Isolate the app, you'll have to set up trust / allow rules for domains or IPs, over a period of time. Pretty time consuming, but once setup, it works flawlessly.
- Bypass Universal an app named Google Play services, which is usually responsible for Push Notifications / Gaming / Backups / Payments and other such functionalities apps installed from the Play Store depend on, without which they usually don't work.
- Search for apps you use (for me, its 7 apps of the over 400 installed), and either Bypass Universal them or Isolate them.
- From Configure -> DNS, choose or setup your favourite DNS provider. I prefer Oblivious DNS over HTTPS endpoints but there aren't many. You can also leave the default DNS settings as-is; or...
- Turn ON Advanced DNS filtering (which is experimental and may cause connectivity issues), to make sure domain to IP address mapping isn't polluted. For example, when multiple domain names (
youtube.com,mtalk.google.com,googleapis.com) may point to a same set of IP addresses (all owned by Google and hence may be used interchangeably), the Stats and per-app domain rules may behave in funny ways. With Advanced DNS filtering (which has other bugs) will possibly not. - Turn ON Prevent DNS leaks to trap apps sending DNS traffic themselves. This setting may break notifications for some apps.
- Turn ON Never proxy DNS if you face connectivity issues with using your preferred DNS upstream with an egress proxy setup within Rethink (SOCKS5, Tor, or WireGuard).
- Turn ON Advanced DNS filtering (which is experimental and may cause connectivity issues), to make sure domain to IP address mapping isn't polluted. For example, when multiple domain names (
- In Configure -> Network, you may
- Set Choose IP version to Auto and turn ON Perform connectivity checks (if you're on networks that perform 4to6 translations).
- Turn ON Use all available networks, if you'd want Rethink to use either wifi or mobile at the same time. Make sure you've got enough juice on mobile data, as it is usually prohibitively expensive in some countries.
- Leave everything else in there turned OFF, unless you like living dangerously.
- Set Choose IP version to Auto and turn ON Perform connectivity checks (if you're on networks that perform 4to6 translations).
- Optionally setup WireGuard from Configure -> Proxy -> Setup WireGuard, either in Simple mode (single WireGuard, all apps routed through it, unless Bypass app from all proxies is set for that particular app) or Advanced mode (multiple WireGuards, split tunneled, manually choose apps to route through them).
Rethink has grown to be a Frankenstein monster and I get a lot of emails on how difficult it is to use, but someday someone from the community will write one true guide to setup Rethink so I can point everyone to it.
- Edited
ignoramous THANK YOU for putting the time and energy into posting this message! I haven't yet had a chance to read and absorb all that you have given us here - it is tech heavy - but it is clearly an important read even for us who rely upon our VPNs to provide DNS service which filters badware and adware! Thanks Again!
[deleted]
- Edited
Hi! ignoramous Could you please explain the reasoning behind locking local DNS filtering in Advanced proxy mode? My friend recently pointed out that Rethink's advanced proxy mode forces to use an external, non-proxy DNS, which defeats the whole purpose of VPN.
- Edited
I'm confused, are you saying that if we use the proton mail with our graphenos phone google can track us?
OK... So...
Uh.
What stuff can I use alongside the Mullvad App? I don't want to use wireguard and non-mullvad DNS because Mullvad has lockdown and always-on, and using non-mullvad DNS makes my fingerprint more unique.
I really just want to use RDNS to block apps like discord and proton mail from connecting to anything except what they strictly need to connect to in order to function.
Aka, I only want the local, on-device filtering, and I don't know enough about anything to know what is local and what will mess up the Mullvad App.
GlytchMeister don't want to use wireguard and non-mullvad DNS because Mullvad has lockdown and always-on, and using non-mullvad DNS makes my fingerprint more unique.
Lockdown and always on can be done in the system VPN settings. And Mullvad DNS can be added to the wireguard config.