DNS filtering at system level ?

jmo

Hi,

there is a long time question I wanted to ask : is there a DNS filtrer / blacklist at system level in GarpheneOS by default ?

Correct me if I'm wrong, but I think I understand there's not. I presume it's because the out-of-the-box OS and apps are secured. But, as soon as we install other apps not 100% privacy friendly, we open privacy leaks, right ?

I used to use PersonalDNS filter with a curated blacklist Android Stock OS. See https://sebsauvage.net/wiki/doku.php?id=dnsfilter (in french).

I also tried iodéOS, that was working great with the paid plan (full DNS protection).

I came to GrapheneOS for more security but didn't catch the DNS filter/blacklist lack.

Subsidiary question : do you know a tool to test the protection at system level ? I use this one but it's browser level https://d3ward.github.io/toolz/adblock.html

Thanks

jmo

[deleted]

jmo DNS filtrer

Malware Blocking
security.cloudflare-dns.com

Malware & Adult Content Blocking
family.cloudflare-dns.com

https://developers.cloudflare.com/1.1.1.1/setup/android/

GrapheneOS

jmo DNS filtering is not a fundamental privacy improvement. It's used to block client-side connections to services resolved through the system DNS resolver which are not used to provide useful functionality. It does not work the way you believe it does for multiple reasons.

Anything used to provide useful functionality cannot be blocked without breaking it. Any connection considered to be part of things like tracking still works fine as long as the service also provides useful functionality too.

App developers can and do connect to third parties from their application servers instead of doing it from their app. Doing it from the server is considered to be better in general, since it avoids filtering, avoids leaking API keys and is under the control of their server rather than an app which could be modified.

Aside from those massive limitations, it is based on enumerating badness which is not a working approach to providing fundamentally better privacy and security.

It is a very weak way of eliminating some connections to third parties from apps which they can instead from their servers to avoid any client-side filtering.

GrapheneOS does not include DNS filtering because it can be done via an app while still using a VPN and it doesn't really fit into our approach.

Filtering within a browser has all these limitations too, but DNS filtering is even less capable than doing it within a browser where it can be finer-grained.

GrapheneOS

jmo

Subsidiary question : do you know a tool to test the protection at system level ? I use this one but it's browser level https://d3ward.github.io/toolz/adblock.html

uBlock Origin and other blockers derived from that such as the one included in Brave cheat at this test by special casing the domain and blocking all the tests it does even though many aren't blocked by their regular filters. AdGuard also cheats at the test in a similar way, by special casing all of the domains it doesn't usually block.

Exhort14

By default, no. Based on what I've read posted by the dev account, I would expect the reason is that badness enumeration isn't an effective strategy long term: https://privsec.dev/posts/knowledge/badness-enumeration/

That said, Vanadium does offer some basic ad-blocking, and RethinkDNS is commonly recommended here. Another option is to use the DNS provided by their VPN provider. I'm sure others have more suggestions.

DeletedUser59

Exhort14

I follwed your link and read a.o. this article, I found on the site you indicated https://portswigger.net/research/ublock-i-exfiltrate-exploiting-ad-blockers-with-css I already heard about the problem's of browser extensions before, uBlock Origin being recommendent by many people.

What I am asking myself: Is pihole vulnerable in the same sense? This is not only a question to Exhort14. I understand that browser extensions have access to the pages you open, but what about pihole?

Conjure6589

For system wide you can use a dedicated DNS blocker in the private DNS settings on the phone, usually something like NextDNS is a good choice with lots of control over what does/doesn't get blocked. Other than that using a VPN that has an adblocker will also block system wide. IVPN, ProtonVPN and Mullvad are all good choices.

freezet

Test with DNSleaktest.com dnscheck.tools browserleaks.com

jmo

Thanks for your answers, tips and tools.

jmo

GrapheneOS Thank you for your detailed and well-argued answer, it's very clear.

Kodi

I run a RPI that hosts Adguard Home. When I'm home it does the job, when I'm roaming, I've a permanent wireguard connection, so my phone basically is permanently connected via Wiregaurd back to my router (wireguard is hosted on the router itself) so now everything filters with 4g/5g.

It does cut my speeds, but hey filtering...might want to try this OP

GrapheneOS

DNS filtering can be done on the device while still using a VPN.

ignoramous

DeletedUser59 I understand that browser extensions have access to the pages you open, but what about pihole?

No, PiHole doesn't for the same reason as it is less intrusive (which also means, less capable) than browser plugins like uBlock Origin.

PiHole does have a "view" of the Internet traffic (see), but that shouldn't matter as PiHole is typically self-hosted & local to a network. Do note (and as noted above), there is no guarantee that all DNS queries (in the network) actually are served by PiHole.