mmmm

Honestly my opinion is underinformed, I only started looking into RethinkDNS a few days ago.

My understanding is that vanilla RethinkDNS can help you monitor network traffic (similar to tools like LittleSnitch, Wireshark, etc) and then block domains that you disagree with (firewall). I think there's more to say about this, but I lack the expertise to type it up. Would appreciate anyone else's input / correction.

The drawback is that it uses up the one and only active VPN slot on your pixel, without actually being a VPN - you don't get the benefits of a VPN that way. From the Rethink site:

It isn't a VPN, at least not yet. Though, it is effective in circumventing internet censorship in most if not all countries. Rethink DNS uses VPN APIs to only route the DNS traffic and not the actual internet traffic.
Rethink DNS isn't a tracker. Rethink DNS logs DNS requests if a user opts-in. Rethink doesn't sell any user information or use it for anything else other than to provide analytics and reports to the user.

https://rethinkdns.com/faq

After some research, I did find that variant linked in my last post, which allows one to use a Wireguard protocol compatible VPN (like ProtonVPN) and get the benefits of RethinkDNS, all in one app and active VPN slot on your device.
I don't consider this to be as trusted as vanilla Proton VPN, so it will not be my daily driver. But I think its interesting and good for testing like this. Proton's disclaimer:

we strongly recommend using WireGuard via our apps as this is the easiest way to use WireGuard, and it allows you to benefit from many of Proton VPN’s advanced features. For example:
Kill switch and permanent kill switch
Smart protocol
DNS leak protection
Port forwarding (Windows only)
However, Proton VPN’s implementation of WireGuard follows the official open-source specifications for the protocol. This means that advanced users can use any WireGuard client that also matches official specifications to connect to Proton VPN servers using WireGuard

https://protonvpn.com/support/wireguard-configurations/

Its interesting to note that the official GOS site also does speak favorably of RethinkDNS:

If you're using a VPN, we recommended against having a Private DNS server configured. If you want to filter traffic while using a VPN, use a VPN service app able to do both such as RethinkDNS. Private DNS also interacts strangely with multiple profiles since each profile has their own VPN configuration but Private DNS is global. Either leave Private DNS on the default Automatic mode or set it to disabled when using VPNs.

https://grapheneos.org/faq#vpn-support

      zzz thanks for that. I actually got as far as all that myself, yesterday I set it up so I can use proton with it. It seems to work very well. I wasn't sure about the trust side of things, but its cool to see it mentioned directly from the GrapheneOS website so thanks for the link.

      I use Headscale (Tailscale) to access my self hosted stuff - so until I can find a way to use it with this then it can't be my weapon of choice as of yet. Which is a shame because the lulu/little snitch functionality is pretty cool.

        zzz As of recently, I've added a new reason - push notifications are rarely implemented without using Google or Apple's infrastructure. Signal is ok, but very few others are (for me)

        Even without push notifications, I am indeed seeing roughly 1x call per day to firebaselogging.googleapis.com, possibly from the proton apps, possibly from the 10x other apps in that profile.

        Push notifications / meta data is the new "gold" in tracking, since eg. messengers encrypt stuff. Push is the new "way to go" to track such stuff.

        Firebase has tons of functions. However, its all Google, and I'm thus blocking it consequently, for those few apps I depend on with no alternative.

            fid02 The GrapheneOS account has raised some points about the issues with the results displayed by Exodus Privacy, which I think is of relevance here:

            Check the manifest of an app. There you see what stuff it uses (receivers, services, etc.). If there is an entry about eg. Firebase, you can pretty much be sure that it is used. An app may let opt you out, but loaded stuff still can access the internet, do RPC, by itself...

            Apps like "AppManager" or "LibChecker" (from Github or F-Droid) can help you check such stuff too. And RethinkDNS lets you check (and block) the net traffic on-device if you haven't eg. a home lab to do such on a dedicated device/firewall.

              Goatey523 Damn that thread gave me a heart attack, thank god they are doing the bare minimum of those requests xD

              Every single of those requests is waving flags and flares, "hey Google, here I am, again"

                treenutz68 May I ask what you are using to block the metadata collection from things like firebase?

                Metadata collection from push notifications cannot be blocked as far as I know, you'd have to live without pushs to do that.

                I use RethinkDNS to put those apps to "isolation mode". That blocks everything that is not whitelisted, means nothing can be connected by default by that app. Then, start the app and check the connections log. There you'll see the domains and IPs the app tries to connect. Whitelist the domains (or IPs) that are needed to run the app, eg. the domain of your bank for your banking app. That should make the app work, and everything else stays blocked by default. I prefer this approach vs. "badness enumeration" where you allow/trust everything by default and specifically block certain domains (the badnesses). Furthermore, I do not allow DNS bypass in RethinkDNS, as apps may work around DNS (domain names) by contacting IPs directly. (eg. Whatsapp telemetry once had a specific domain, that everyone was blocking, now they use tons of IPs that are contacted directly, DNS bypass. Google is doing the same, they contact tons of IPs directly.) That way you can make your app work by allowing the minimum, everything else is blocked. If you want to preserve push notifications, you'll have to whitelist firebase, mtalk.google.xxx, and others. I don't do that to keep as much privacy as possible for those few apps I depend on, but come with all kind of trackers sadly (banking apps, local post office and such things with no alternatives). RethinkDNS is great, it allows lot of fine tuning, but you have to know how to set it up properly. And you can use Wireguard too (VPN). That's the price you pay for privacy when giving up functionality like push and having additional efforts, but privacy itself is the prize you win :-)

                    TRInvictus RethinkDNS is great, it allows lot of fine tuning, but you have to know how to set it up proper

                    I have just started looking at this app. It does look great, but youre right, one does need to know how to set it up properly. Do you know of any good guides to that end?

                        6 days later

                        GlytchMeister and everyone, sorry for the slow update: they got back to me.

                        They answer is in short: yes. it's the normal app behavior and there is no way to turn off this anywhere inside any of the proton android apps. Also, this won't change in the foreseeable future.

                        Personally, I find this very sad. I really like proton, but this is a break up reason for me. It will be a proper hassle, but I'm going for a new mail host. GOS is such a therapeutic experience without Google, and I strictly want to keep it like that. My takeaway: be the possibly less dependent on any mail provider, and just use domains for most of the things. I wish I would do that earlier, now it would save me loads of time. Anyway, lesson learned.

                        @TRInvictus Thank you for your comments on RethinkDNS! I'll also definitely deep dive into all of this as well.

                            Speeduser7533 I think they don't, but I'll test it soon and post the results here. My pick is they probably not, as they using their own push service, which is great anway. Proton's constant connection to Google is due to their reliance on Google Push Services (what is still the case if you disable it and if you don't have Google Push), or that is what they said. Crossed fingers!

                              Speeduser7533 Tuta doesn't use anything Google for their services. I switched to Tuta when I switched to Graphene and learned Proton push services wouldn't work.
                              As for the pinging of Google from a Proton service it isn't their VPN app cause I use it in my main profile and it doesn't ping anything google. I use their Email and calendar app in another profile and something is pinging. I think it's the email app.

                                Bugger. I recently bought into Proton before I learned how to really investigate this kind of crap. Was about to use their calendar app to migrate my schedules and events and whatnot from my iPhone to my pixel.

                                Bugger bugger bugger.

                                Right. I guess that means I need a calendar app and an email app.

                                I'm rapidly approaching the point of learning how to set up my own server rack and host my own private domain and instances of things. Getting tired of having to determine if a provided service is trustworthy and finding out it ain't.

                                Which is a real pain in my butt, because I don't own a desktop PC, I don't have a lot of money, and my internet isn't exactly amazing. And I have yet to have a good experience with Linux... Well, desktop Linux. GOS is doing much better than any other Linux or Linux-adjacent OS I've had the displeasure of wrangling. (Tho I still can't get it to accept a custom ringtone...)

                                  • [deleted]

                                  • Post #40

                                  GlytchMeister AOSP keyboard doesn't have a thumbs up. So, thumbs up! Maybe an idea for devs to look at more than security...