First summary of my GrapheneOS experience

Dan-cer

I've been using GOS for a few weeks now, I'm pleased that it's available and I'm prepared to invest some time to make sure everything works as well as possible. Incidentally, I don't have DSL, but a cheap 50GB data flat rate, which I also use to work on my PC via a mobile hotspot.
I have tried to implement some of Naomi Brockwell's advice to compensate for other general weaknesses:

Private DNS server
VoIP instead of calls via SIM, to reduce tracking
Mobile router (with the data SIM), PC and also car unit with ethernet

I am mainly concerned with maintaining privacy and exploring ways of doing so.
Here is my first summary:
I am very grateful for the great help I have received in this forum.
The time required to optimize everything and get it up and running was considerable: Added up to about 2 weeks of more or less intensive work.
One week of this was dedicated directly to the GOS, and the second week was devoted to the peripherals (VoIP, DNS, mobile hotspot).
I noticed that there were quite frequent connection problems because of my DNS settings. Probably also because it was not only about settings in the Pixel 6a phone, but also on my Linux PC, in the browser there, as well as in the router. For a while I had 1.1.1.1 +WARP running on Pixel and finally uninstalled it again because of constant connection problems with router and telephony (probably caused by VPN that is shipped with the app).

I am aware that I want to get quite a lot under one roof and that it is not just about the GOS. I also assume that in many cases there are no universal solutions, regardless of country and user. Nevertheless, I imagine that it would be helpful if a proven private DNS is already implemented in the GOS, or at least an FAQ exists with solutions to problems. (Does this already exist, and have I just overlooked it?)

fid02

I'm not really familiar with troubleshooting DNS connection issues, but it sounds to me as though it would be beneficial as a first step to try different DNS providers in order to determine if there might be an issue with the provider, and not the router or ISP.

Dan-cer The time required to optimize everything and get it up and running was considerable: Added up to about 2 weeks of more or less intensive work.

This sounds rather exhausting. Perhaps it would be less painful to take your privacy "journey" a bit more gradually? It's what I prefer when starting on new projects in my spare time. For instance, I've started writing a novella, which I work on whenever I want to (and when time allows). But if I get exhausted from writing or thinking about it, I find it better to just take a break. It's not a privacy thing, but it's still a chosen project.

Dan-cer One week of this was dedicated directly to the GOS,

I'm wondering what you spent time on that took a whole week of your time just to set up GrapheneOS.

From personal experience, not much is needed to get GrapheneOS "up and running": installing the OS, getting your favorite apps, etc. The OS has sane security and privacy defaults which work without causing usability issues for most people.
It sounds as though you want to go considerably further, given that you find it intensive. I haven't seen Brockwell's videos, but they sound more like tips on what to do given certain threat models, rather than something necessary to achieve some goal of "privacy".

Dan-cer Nevertheless, I imagine that it would be helpful if a proven private DNS is already implemented in the GOS

My thoughts on this: there are several points to consider if an OS with high privacy and security standards is to include a default or a selectable DNS within the OS. Such as:

Speed and latency: users are located throughout the world, and a provider's DNS servers might have high latency in some areas and with some ISPs. Consequently, the user experience will vary, and feedback on latency and speed will ideally need to be collected from the user base in order to select a provider that works well for most users.
Privacy: which privacy criteria should the OS developers consider? I'm assuming that most users would prefer a DNS service that does not keep connection logs. How would the OS developers verify this? Would an infrastructure and/or server configuration audit by an independent party suffice? And if so, how regularly should such audits be completed in order to be reasonably sure that the DNS service does not start keeping connection logs? And what if it is revealed that the service out of the blue has started logging connection data despite their promises? How would the OS developers then feel towards their user base? They would have to ship an OS update to either revert to the standard DNS service of users' ISPs, or ship an update to replace them with new DNS servers, which would have to be chosen rapidly.
Uptime: a DNS service would need a high level of uptime – which is especially important if it is set as the default DNS service of the OS. If not, users who are unaware of how to troubleshoot internet unavailability would understandably become annoyed. The OS could include fallback DNS servers, but then those would have to be vetted against the chosen criteria as well, adding further work.

My personal opinion is that it's not productive to ship custom DNS servers in the OS. Even if they are not the default and only selectable within the Private DNS selection dialog, I imagine several users would consider that a recommendation of those services on behalf of the OS. I certainly would.

In any case, the project already recommends using the network-provided DNS servers if the purpose is to "blend in with other users":

Using the network-provided DNS servers is the best way to blend in with other users. Network and web sites can fingerprint and track users based on a non-default DNS configuration. Our recommendation for general purpose usage is to use the network-provided DNS servers.

Please note that I am not associated with the GrapheneOS project.

tango

Dan-cer

Honestly i think your prob over complicating things. The most simple thing to do for what i think your looking would be to just get a Mullvad VPN subscription and use their DNS alongside the VPN. You leave the DNS setting to "Off" in your GOS settings if you go with that method.

DeletedUser34

Dan-cer Nice to read from your journey.

What I can recommend you is:

Use the DNS from your VPN
If you have a Router in the Future, use the Sim-Card just for Internet and make VOIP Calls only via Wifi. And if you want more Privacy, then remove the Sim-Card and just use your Wifi at Home. And for me personally I can not trust satellite, because they told me once, that they have no Problem in handing out Data to the Government, if they ask for. They told that in an common way, which made me worry. So the best solution if one can, is SimpleX Chat for Text, Calls and Videochat and Mail for important things like making appointments or authority things. And at this point, it is good to know that most common Routers for Homes, have bad Security too, unless you use an Firewall and for example WPA3, VPN etc. I would recommend Protectli as Firewall + Opensense for the Router. You can look them up.
Mobile Routers have bad Security. And make you more noticeable. If you can, use a second Pixel with GrapheneOS and your Sim, connect it via USB-Tethering for accessing Internet to your Main Phone.
And Wifi is always more secure, than mobile data/cellular. And if you want to connect to Wifi at Home, connect your Phone via Ethernet Cable to the Router and disable Wifi. This way you are more secure and have faster Internet too! And never hide the SSID from your Wifi.

These are just some tips I learned myself over time. Mostly from GrapheneOS telling and a few things self researching. I hope that it helps you!

Dan-cer

fid02 Oh - I didn't work 2 weeks on it without breaks. It was within 5 weeks that I spent about 2 weeks on it.
What is meant by recommending "network-provided DNS servers"? (I admit the DNS server matter is a bit too complex for me to understand. That's why I try to follow any recommendations that sound logical.)

Is it GOS-provided or provided by my provider that gave me the SIM card?
Should I select "Auto" in private DNS settings?

fid02

Dan-cer What is meant by recommending "network-provided DNS servers"?

Usually, I gather that "network-provided" means that you are using either the default DNS servers of your ISP or of the network you are connected to (could be your home network or for instance a public Wi-Fi network as well, such as in a café) or, if you're using a VPN, the default ones that the VPN provides.

But as you can probably tell, I'm not an expert in networking. 😊

Dan-cer

tango I prefer dns settings over VPN.
@fid02 Ok, I got it.
Thank you both!

TrustExecutor

tango
Yes, especially if you are also using a VPN. It just adds another data point in fingerprinting you.

Check this out, ftom Privacy Guide's DNS info page:
https://www.privacyguides.org/en/advanced/dns-overview/#should-i-use-encrypted-dns

TrustExecutor

Dan-cer I'm curious about your thoughts on why. Can you elaborate?

Dan-cer

TrustExecutor You ask about my preference for dns?
It was a video by Naomi Brockwell with some warnings about using VPN.
However, I'm not an expert on this matter and always glad to get some useful advice.

TrustExecutor

Dan-cer Ah, yes I thougt you were using VPN in conjunction with encrypted DNS. Encrypted DNS is mainly to circumvent poisoning/censorship of DNS requests. But be aware it is then an extra data point narrowing down the scope of your fingerprint so that you can more easily get tracked while surfing on the cyberspace waves. If you want to blend your traffic with other users you need a VPN and when/if doing so, turn off private DNS in the OS so you are tunneling your DNS requests through the VPN provider and using their servers. I think all this gets explained on the Privacy Guides site, so please take a look there, it is a very good read.

And if you go the route of VPN be very careful not to choose those providers that gets shilled by influencers. There are threads this forum helping out with that decision.

DeletedUser34

And instead of using PC, I would recommend just using your GrapheneOS Phone if possible. Because Desktop OS have not the Security and Privacy like GrapheneOS. And Desktop don't safe you from yourself, like GrapheneOS does. And you can do everything with your Phone too. If you need Office, use Collabora Office. If you need Maps, use Organic Maps from Accrescent. And if you want more Privacy, use FlorisBoard, activate force always incognito mode and turn of Internet Access for the App. This is a GrapheneOS recommendation too.