[FR] Access to /etc/hosts file

avidgrapher

The access can be implemented through adding a textbox in settings.
The problem with VPN is it's an overkill for just blocking few sites and battery-consuming too.
The problem with DNS is it adds to your fingerprint. It's not recommended by GrapheneOS FAQ.

This has been requested before:

GrapheneOS

The access can be implemented through adding a textbox in settings.

The OS images are immutable beyond updates and are verified from a root of trust. Modifying the hosts file is not ever an appropriate way of filtering DNS requests rather than doing it in a way that provides proper errors regardless. Adding a third way to do something that's increasingly less impactful instead of implementing truly fundamentaly privacy and security improvements is highly unlikely.

Whether this is a good aside is a separate issue. It only impacts connections made after a query to retrieve an IP via the system DNS resolver. The lists you'd be using are best efforts attempts to enumerate domains belonging to certain categories without breaking actual functionality. A telemetry blocking list can't block a domain used for both telemetry and actual functionality or it would break apps and sites. Many domains are dual purpose and therefore won't be blocked even if they're widely used and known about. Anything new or not widely known about won't be blocked. It has all the same issues as the antivirus approach of enumerating badness. It's already possible to do this filtering in 2 different ways on GrapheneOS.

The problem with VPN is it's an overkill for just blocking few sites and battery-consuming too.

You can filter DNS results by either using the Private DNS feature or a VPN service.

The VPN service feature can be used by apps which only provide their own DNS resolver rather than VPN. There are also actual VPN implementations which support local or remote filtering of DNS queries.

Using a VPN service which provides only a custom local DNS resolver won't use significant power since it's not routing traffic through it. Only requests to the system DNS resolver are going through it.

The problem with DNS is it adds to your fingerprint. It's not recommended by GrapheneOS FAQ.

Filtering of DNS results is detectable by services including web sites, not just the DNS resolver server that you're using. If you're concerned about fingerprinting by services, filtering DNS requests this way isn't on the table. It doesn't provide a fundamental privacy improvement regardless.

This has been requested before

Please don't create duplicate threads, especially without reading all the responses in previous threads.

GrapheneOS

avidgrapher If you care about efficiency / battery life, then misusing the hosts file this way is a very poor idea since the stub resolver code iterates through the whole thing for every single DNS request. It's not designed to have more than a few entries and isn't capable of providing proper error responses.

csis01

A better approach to this is to RUN a DNS relay ON THE PHONE, and set the private DNS to localhost.

Ammako

You will be fingerprinted as well based on the edits you've made to your hosts file, especially if you block a lot of stuff (tracking etc.)

JW10233

My problem with private DNS is that the built in android feature does not work on all wifi networks. With an edited hosts file I never had any issues.

GrapheneOS

JW10233 Private DNS works fine with Wi-Fi networks. Providing a custom DNS resolver via a VPN service app works fine too. A VPN service app is responsible for providing DNS and can do that without actually routing traffic through themselves, meaning there's already a very efficient way to run a custom DNS resolver with anything you want like an alternate encryption approach than DoT/DoH, filtering the requests, monitoring the requests, etc. This can be a standalone app or can be part of an app providing support for VPN connections like OpenVPN, WireGuard, etc. It's entirely possible via apps already in a well implemented, reasonable way and therefore this doesn't need to be built into the OS.