GrapheneOS's Recommendation on DNS Servers?

Max-Zorin

You're welcome!

No, there is no point in using it besides blocking trackers/ads.

Even though you are not interested in a VPN, I would still suggest you consider one. It will protect you from your ISP and when on public networks (but it will not make you anonymous; you need Tor Browser for that).

I personally use Mullvad VPN, and my home router is configured to use Mullvad all the time, so all network traffic goes through the VPN. I also have AdGuard Home configured on my Raspberry Pi so it blocks all the nasty ads/trackers in my house.

On my phone, I also have AdGuard Private DNS configured to block lots of ads and trackers, and I also use Mullvad VPN from time to time if I am on public hotspots.

    Max-Zorin So if my ISP / network provider can still see the domains I visit (and hence retain and sell that data) even if I use something like Quad9 as a private DNS, then is there even a point in using one of these services (besides, say, ad/tracker blocking, family-friendly filters, malware site blocking etc.)?

    You are correct that private DNS itself gives you little privacy, since you are generally requesting DNS lookups to visit a site, but I would say there's some benefit to using a private DNS even if your ISP still sees where you go. They do use an encrypted channel to communicate between you and the DNS service you choose, so they get around any tampering or filtering your ISP may intend to do regarding DNS, although you could still be susceptible to them filtering or blocking requests to the places you try to visit. Sometimes they are better than an ISP just because they may return answers faster, or even at all; I have seen some ISP DNS just suck, possibly due to updating their records infrequently.

    Tampering with websites is something ISPs generally can't do, thanks to the fact that most communication is encrypted now, and thanks to that encryption they can't see the specific URL you are visiting, only the domain.

    Also, just a note that I haven't seen anyone else make: using non-ISP-provided DNS servers protects against DNS hijacking by your ISP (when you try to access a website that doesn't exist, the ISP puts up a placeholder webpage with ads).
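A check for the NXDOMAIN hijacking described above, added here as an example and not code from the thread: it resolves random labels under a few base domains that are assumed to have no wildcard records (the reserved example.com/net/org names) and flags the resolver only if every probe comes back with a shared landing address.

```python
import secrets
import socket

# Constructed assumption: these reserved domains carry no wildcard record, so a
# random label under each must return NXDOMAIN from an honest resolver.
BASE_DOMAINS = ("example.com", "example.net", "example.org")


def random_probe_names(base_domains=BASE_DOMAINS):
    """One never-before-seen hostname per base domain, so no cache can answer it."""
    return [f"{secrets.token_hex(8)}.{domain}" for domain in base_domains]


def resolve_a(name):
    """IPv4 addresses the system resolver returns for name, or None on NXDOMAIN/error."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return {info[4][0] for info in infos}


def classify(results):
    """Decide from {probe_name: set_of_ips_or_None} whether NXDOMAIN is being rewritten.

    An honest resolver answers none of the probes.  An ISP "search assist" page
    answers all of them, and across unrelated base domains with the same landing
    address(es); requiring a shared address avoids flagging a single wildcard zone.
    """
    answered = {name: ips for name, ips in results.items() if ips}
    if not results or len(answered) < len(results):
        return {"hijacked": False, "sink_addresses": []}
    shared = set.intersection(*(set(ips) for ips in answered.values()))
    return {"hijacked": bool(shared), "sink_addresses": sorted(shared)}


def probe_resolver():
    """Live check against whatever DNS the OS is using right now (ISP, VPN or Private DNS)."""
    results = {name: resolve_a(name) for name in random_probe_names()}
    return classify(results)


if __name__ == "__main__":
    verdict = probe_resolver()
    print("NXDOMAIN hijacking detected" if verdict["hijacked"] else "resolver returns NXDOMAIN honestly")
    for addr in verdict["sink_addresses"]:
        print("  landing page address:", addr)
```

Run it once on the ISP's resolver and once with a VPN or Private DNS active to see which one rewrites non-existent names.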

    • [deleted]

    Max-Zorin
    IMHO there is a better solution if you care about privacy/security, and it's free.
    It's called Tor.
    You can use Orbot (F-Droid, Guardian Project repo) and torify all traffic.
    I personally prefer a different setup. I use a mini router which is configured as a Tor transparent proxy. My phone connects to the internet only via this router.
    I never connect directly to public hotspots/Wi-Fi.

    a year later

    Volen No, there is no point in using it besides blocking trackers/ads.

    What about malware? Sometimes bad payloads are delivered through ads: https://www.theregister.com/2023/09/16/insanet_spyware/
    So if I follow GrapheneOS's recommendation to use the network-provided DNS servers, what can protect me from ads delivering malware? Is it enough to rely on GrapheneOS's hardening within the system and within Vanadium? Will common ad-blocking DNS servers such as AdGuard or Mullvad even be able to protect against such attacks?

      Themble

      Malware domains can also be blocked via DNS (not the malware itself, but the known domains which distribute it, so the malware will never be able to reach your device). All you need to do is subscribe to the relevant malware-blocking lists.

      Whilst both AdGuard (public) and Mullvad do offer some blocklists, afaik these are mainly for privacy (they have the exact subscription lists available on their websites).

      However, you can easily use AdGuard Private DNS or NextDNS and add malware-blocking subscriptions.

      As for the malware itself (in case it reaches your device somehow), I don't know for sure as I am not a dev, but Graphene is very secure on its own, so afaik unless the malware abuses a not-yet-discovered vulnerability, it should be ok.

      Volen

      What do you mean by "it will protect you from your ISP but not make you anonymous, only Tor will make you anonymous"? Doesn't a VPN already make you anonymous?

        Sinai

        With a VPN, the VPN server knows your IP address and the address of your destination, so you are clearly not anonymous to the server.

        An attacker may also be able to deanonymize you by correlating the timings of your requests to the VPN server.

          p338k

          If you use a private DNS server in Android, anyone monitoring your home network automatically knows which DNS server's queries to look for from VPN exit nodes, unless your Vanadium (or whichever browser) uses a different DNS server. This is because Android's usage of the Private DNS server is retarded. It enforces the selected Private DNS server outside and inside VPN tunnels. It should enforce it outside but not inside, or at least have an option to specify. It makes the most sense to use encrypted DNS servers outside of VPN tunnels and use the VPN's DNS server inside VPN tunnels.

          Also, the Private DNS server setting is ignored for the ePDG Wi-Fi Calling domain queries that Android performs regardless of whether Wi-Fi Calling is enabled or not, even in Airplane mode. The only way around it is to use a local DNS server or forwarder like Pi-hole or AdGuard Home, or your router's implementation if it has one.

            Sinai

            Do you believe in science? Today's scientists are able to rewind history to the origin of time itself, to the Big Bang. Do you think it is more difficult to rewind (trace) network usage than to rewind the history of time itself? It isn't. Anonymity does not exist.

            Our recommendation is to use the DNS servers provided by the network and to use a VPN. Most people should avoid using Private DNS. If you want to filter traffic, then use something like RethinkDNS, which provides local filtering alongside being able to use a WireGuard VPN. Filtering traffic gives websites and other services an easy way to fingerprint you, so you shouldn't filter traffic if you want to avoid standing out.

              OpenSource-Ghost The local network and ISP can see the connections to the IP addresses. They don't need the DNS queries to find the specific IP addresses that are used. It's not clear what the benefit would be of using the Private DNS server for looking up the VPN IP address since it's very obvious where you're connecting. You're talking about doing something sophisticated and yet not doing the basics. Private DNS only helps against unsophisticated, very passive surveillance and it has significant drawbacks such as being global rather than per-user like VPN configuration. You should avoid Private DNS in combination with VPNs especially when using multiple profiles.

              Our FAQ doesn't currently try to provide much advice on these topics, especially since people will then want to debate it and attack the project over it.

              GrapheneOS

              Thanks a lot for providing this very useful information!

              May I please ask a few questions regarding this, to clarify which method is the best? I believe other members will benefit from this too.

              My understanding (and I might be wrong, hence the questions) is:

              1. The best choice is to use VPN with its own DNS server - this is clear enough, no questions here.
              2. But in case we need to block trackers via DNS, you advised that it is better to use something like RethinkDNS instead of the built-in Private DNS. However, both RethinkDNS and Private DNS will change the DNS, so no matter which one we use with the VPN, the DNS will be different from the VPN's DNS, hence opening a hole for fingerprinting. With this in mind, why would we use RethinkDNS if we can use Private DNS instead and block trackers in all profiles? What's the difference between them if both will change the DNS and will ultimately make the VPN connection more fingerprintable?
              3. In Graphene's FAQ, in the "Are ad-blocking apps supported?" section, it says that "Content filtering apps are fully compatible with GrapheneOS, but they have serious drawbacks and are not recommended. These apps use the VPN service feature to route traffic through themselves to perform filtering. The approach of intercepting traffic is inherently incompatible with encryption from the client to the server", which, as far as I understand, seems to contradict the idea of using RethinkDNS and logically means that Private DNS will be the better option? Can you please confirm?
              4. Based on the facts above, the only practical benefit of using RethinkDNS (and again, I might be wrong here) is to use RethinkDNS only for specific installed apps that have trackers, and let all other tracker-free apps as well as the web browser (to avoid websites fingerprinting based on a unique DNS-VPN combination) use the VPN's DNS. But in this case the websites we visit via the browser will process all the trackers, as most web browsers don't have built-in adblockers, and the ones that have one (for example, Brave) will make you fingerprintable if we select the built-in filters (this is as per Privacy Guides' Brave settings recommendation, which specifically says not to select any built-in tracker blocklist: https://www.privacyguides.org/en/mobile-browsers/#recommended-configuration). This again leads to the question of what the practical benefits of RethinkDNS vs built-in Private DNS are, and how we solve tracker issues (both in installed apps and when visiting websites)?

                • [deleted]

                Volen Can you please confirm?

                The RethinkDNS application can act as a (WireGuard) VPN client too.

                  [deleted]

                  It's not really an advantage, as we can use Private DNS + the VPN provider's own app, which is better in most cases (and can also rotate WireGuard keys easily). Using RethinkDNS's DNS+VPN will still have a unique (RethinkDNS's) DNS for the VPN.

                  Volen Not sad, they have improved it. Go to the link I posted & have a read....

                    The way I look at it, a solid VPN like Mullvad or Proton using their DNS will do the trick. I'm sure Mullvad does it, but I know Proton VPN's DNS servers seek to block adware and malware. You also should use a privacy browser (with a privacy search engine) to block ads/tracking/fingerprinting, and I made Proton Mail my go-to as it blocks ads/tracking in emails. Trackers are placed in "legit" (not otherwise malicious) email links and in the pixels of a company logo in an email that activate when the email is opened. Proton Mail shows how many have been blocked. You will never stop it, but you can mitigate it.

                    As for VPNs not being anonymous: if your VPN truly does not log what you search as well as your real IP, and you paid with crypto and a throwaway email, they can make you pretty anonymous. Both VPNs and Tor can be hit by correlation attacks on exit nodes, but that is generally nation-state level (there can also always be a bad apple working for a VPN or running a Tor exit node), but you need to really be on the guv radar to be targeted for correlation.

                    GrapheneOS So wait, hold on… when you say use the network's DNS, is the network the VPN?
                    Aka I should use Mullvad's DNS if I'm on Mullvad VPN?

                    What is the recommended way to block ads? Or is “filtering traffic” different from blocking ads?

                    Because blocking ads is practically a requirement to effectively browse the internet nowadays, and I've had experiences with websites running ads that hijack the site somehow and cause redirects without me clicking on any ads. Which is pretty spooky, if you ask me, because even if I only go to trustworthy websites, I have kinda no way to know what ad networks they use to pay their bills, and even if I did, I also have no way of knowing what ads that network will run; aka there's kinda no way to know whether or not a website is trustworthy, so if I can't trust any website, I /have/ to put up defenses. So… blocking ads, right?