nklkx If your end goal is to block sites, you don't want to have accessible, then there are apps that can do that for you (they'll have to occupy the VPN slot), or you could use a DNS that blocks these sites instead. Editing the hosts file or anything like that are obsolete methods of doing what you'd like to achieve and not really compatible with a modern secure OS.

I hope that helps! If you need further guidance/more specific recommendations, let us know.

    7 months later

    Being able to edit the system hosts file can be a security risk if the user can change the blacklisted sites. The problem is that for me, neither private dns nor vpn-based adblockers are an option (android's private DNS setting does not work on all wifi networks, VPN-based adblockers occupy the vpn slot). I would really like to have an option for system-wide adblocking built into Grapheneos by default. I can imagine two solutions for this: either a pre-edited hosts fiile that blocks trackers and ads or a built in ad and trackerblocker that is based on DNS-filtering (like /e/ os's Advanced Privacy or PersonalDNSfilter in root mode). Divestos also has an edited hosts file built in.

      • [deleted]

      • Edited

      matchboxbananasynergy and not really compatible with a modern secure OS

      It can be made compatible with a modern secure OS, if there's a seperate hosts file (different than the one in the system partition) in the data partition that can be modified only by the user via the Settings app or some other system app

      JW10233 a pre-edited hosts fiile that blocks trackers and ads

      That would mean GrapheneOS developers need to push a OS update just to update the hosts file, Which is probabaly just not worth It.

      JW10233 built in ad and trackerblocker that is based on DNS-filtering

      That's already possible.

        The OS images are immutable beyond updates and are verified from a root of trust. You can't modify them. Even if there was no verification, you would be breaking delta updates by modifying the image used as the source for updates. Even without delta updates, which would eventually stop being available when you fell far enough behind, every update replaces the entirety of the OS and any changes would be gone after the first update. The OS moving the hosts file to data and providing a way to modify it isn't an appropriate approach since it's simply not designed for this purpose and works very poorly. Proper DNS filtering is the right approach when done well and is already supported.

        Providing a custom DNS resolver via a VPN service app works fine. A VPN service app is responsible for providing DNS and can do that without actually routing traffic through themselves, meaning there's already a very efficient way to run a custom DNS resolver with anything you want like an alternate encryption approach than DoT/DoH, filtering the requests, monitoring the requests, etc. This can be a standalone app or can be part of an app providing support for VPN connections like OpenVPN, WireGuard, etc. It's entirely possible via apps already in a well implemented, reasonable way and therefore this doesn't need to be built into the OS.

        There's also the Private DNS feature for a custom DoT/DoH resolver if you want to use an existing filtered DNS service instead of running an app providing a local resolver doing filtering and forwarding to another resolver.

        You can also get other DNS-resolver-based features this way such as monitoring the DNS queries, changing certain results, using local DNSSEC validation or even doing recursive resolving instead of using a DNS resolver like Quad9 or Cloudflare if for some reason you want to directly connect to the root servers, TLD servers and authoritative DNS servers of each domain you use instead of having a resolver server between you with caching.

        VPN service feature works fine for all this and doesn't mean you can't use an actual VPN. You just need an app supporting all the features you want, such as both loading DNS request filter lists and using a WireGuard VPN.

        JW10233 Private DNS works fine on Wi-Fi networks. If a Wi-Fi network is blocking the DoT port, then sure, DoT won't work. A network that's trying to enforce monitoring / filtering traffic seems problematic. Private DNS does also partially support DoH which can't really be distinguished from normal HTTPS traffic although they could block all known DoH resolvers. The DoH support is still experimental and only for a specific 2 services and it uses DoT for the rest, but that will change soon or we'll change it in GrapheneOS ourselves.

          [deleted] It would make no sense to do this because it's not a proper way to do DNS filtering and doesn't work correctly. It also doesn't really support large lists since it has to iterate through each entry for each DNS request due to how it's implemented. Why would we move it and support modifying it? If we were going to make our own DNS filtering implementation, we'd make an app providing support for importing multiple DNS request block lists with support for updating them alongside support for using an actual WireGuard VPN. This isn't within the scope of the GrapheneOS project. It's not our role to make every app people want to have, and the proper way to do this is definitely through an app instead of hard-wiring things into the OS which can already be done a better way via apps.

            6 months later

            GrapheneOS that is a false equivalence logical fallacy. Besides that all insecurity that comes with DNS modification fully equally applies to an app that does DNS filtering via a local VPN, it is clear that using VPN for that is an abuse of the feature.

            Further it is a slippery slope logical fallacy to say officially supporting that would require implementing an app for that, support wireguard, or support all various user wishes. For this all that would be required is implementing the functionality OSwise and expose it as an API with a specific new permission

            The right choice forward would be to support DNS blocking in a secure manner. When we talk about DNS blocking we are only talking about a subset of the hosts.txt capabilities. DNS blocking is implemented by pointing banned domains to local loopback (has problems) or to default route. If an OS API would only allow setting blocked domains like that via a new permission there would not be any security risk associated with this as redirecting is not possible.
            There are cases where redirecting DNS makes sense as e.g. pointing google.com to forcesafesearch.google.com but enabling redirects comes with all the above security risks. This may still be done by requiring user confirmation for each redirected DNS or possibly by a whitelist. However besides in the case of parental control there really are no valid use cases for DNS redirect

            GrapheneOS The DoH support is still experimental and only for a specific 2 services and it uses DoT for the rest, but that will change soon or we'll change it in GrapheneOS ourselves.

            Is this still on the GrapheneOS (or Google) roadmap? I would love to have DoH support in the Private DNS feature.

              a month later

              hello, i'm kind of desperate and in a bad situation. I'm a recovering porn addict and I really really really need to block these websites.

              What has worked for me for a while now was setting up a rasperry pi at home, with Pihole and let that do the job of blocking things. I would then have my mobile-phone VPN into my home network 24/7.

              however, recently, when relapsing, I just turned off the VPN to "unblock" stuff. It is already tedious enough but now this barrier has been broken....

              I really need to enforce the VPN or the blocking on the device itself. I was also thinking about editing the host file, which lead me to this thread, but I understand how that is not feasible.

              So now I'm thinking: grapheneOS has the "always on" feature for the VPN... is it somehow possible to lock this and prevent myself from changing this setting? somehow password protecting a setting in grapheneOS (with the risk of locking myself out if I don't have the password)

              I'm basically looking for a way to lock myself in with the vpn connection and throw away the option to disable or change anything.

              Any other suggestions are welcome too.

                Viewpoint0232 As per my understanding, DoH is supported from Android 11, but only with limited DNS resolvers (Google's and Cloudflare's); other sources cite the fact that DoH is supported from Android 13 onwards, but it is not enabled by default. As of now, GrapheneOS only supports both DoT and DoH. See also this official response from the GOS team:

                Android already supports DoT and DoH via Private DNS. Private DNS enables DoT for most providers but has a list of providers known to support DoH where it will use that instead. The list can be extended but we don't plan to add our own auto-detection for DoH. They'll likely add that in some form eventually.

                invader666 That's an unfortunate situation; I hope you'll fully recover.
                VPN apps can crash, can be closed, etc. To have a system-wide blocker that's always on, you can use a private DNS with the "family filter" option, specifically suited for children, so without porn, gambling, drugs, etc. Some recommended providers are:

                or check this list or other recommended DNS providers with optional filtering on other trusted websites.

                Note that there is currently no possibility to add a password to protect some settings, and is not a feature considered in the roadmap, as it is assumed that if one has the system PIN/password/passphrase can easily access the settings too.

                  ToffoliGate thanks for those suggestions and the kind words.

                  I just saw that the android private DNS option in grapheneOS is only available on the admin profile, not on other user profiles, which is a good thing for me, because in my case, the more stones to trip over, while 'trying to disable protection', the better. the longer it takes for me to disable all blockers and filters, the more time there is to snap out. fingers crossed.
                  I'll try going with dns0 kids for now.

                    6 months later

                    invader666
                    The only reliable way I have found is to use Andoff. Which allows you to add many restrictions to your Android phone. The only way to change settings after locked is by waiting some time delay or entering a password. Some features include:

                    • Lock private dns settings (set in system settings)
                    • Disallow installation of apps
                    • Newly installed apps are locked

                    I'm not aware of the privacy or security of the app, but if someone more knowledge than me has any insight I'd be interested to know. I have not found an open source alternative but a tool like this would be awesome to see in the open-source community.