Quad9 via Private DNS or RethinkDNS ?

Stewart

Hi,

I have been using RethinkDNS on my GrapheneOS device for quite some time.
Now I would like to know — from a security and privacy point of view, which setup is generally recommended:

Using Quad9 as Private DNS in GrapheneOS network settings, or
Continuing to use Quad9 via the RethinkDNS app, with its filtering and firewall features?

My goal is to achieve the best possible level of privacy.

What do you think?

GrouchyGrape

Stewart increasing privacy through DNS is tricky. On one hand, you want to block unwanted communications. On the other, you want your desired services to actually work.

The most effective way to increase privacy is to stop using privacy-invasive services. This is often easier said than done, but don't forget that it's always the most effective.

Continuing that thought, if you decide that you still want to use a service, you need to accept the consequences. No matter how many domains/connections you try to block, they can get right through them as long as you continue to use their services.

mmobder

The best way is for http requests to do not leave your device at all, if it's sent to a known tracker.
Also, almost every app sends requests to "private" feature-services/trackers, like all those mixpanels etc, that aren't captured even by NextDNS not talking about q9.

So far, The only way to achieve the above is to use rdns (with nextdns/smartdns mode) combined with on-device blocklists.

Unless I'm mistaken, none of claimed "leaks" of requests using stable rDNA appeared to be proven/valid. They were usual misconfigurations.

It will cost you some effort, but even with on-device Hagezi Ultimate everything works for me.

gristle-cause

Turn off Android's PrivateDNS, configure inside rdns

Both Mulvad and Proton recommend disabling the system PrivateDNS setting when proxying traffic through their VPNs. They claim it threatens to inadvertently split tunnel your traffic & produce DNS leaks

RethinkDNS imitates a VPN, forcing all TCP/UDP traffic to pass through it. I have to assume the system-level PrivateDNS settings pose the same risk when using rdns as it would Mulvad or ProtonVPN. Best to disable it, force all traffic into rdns, and handle all encrypted DNS requests from within the rdns tunnel

Stewart

Thank you for your feedback and recommendations.

After taking your replies into account, as well as the GrapheneOS FAQ and documentation, which clearly explain why using RethinkDNS can be preferable to Android’s Private DNS, I have decided to use RethinkDNS with the following setup:

Quad9 as the encrypted DNS resolver
HaGeZi Pro as the local blocklist
Proton VPN (WireGuard), used specifically for Vanadium

This setup seems to offer a good balance between privacy, security, and reliability.