this post was submitted on 28 Oct 2023
112 points (95.9% liked)
Privacy
32173 readers
478 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
As others have said you can easily (like actually easily, not like self hosting easily) redirect every known dns query on your network to a specified dns server.
I do this to redirect all dns queries to adguard home (which is the self hosted dns-based blocker, not the app-based one).
If you layer a vpn server on top of this and vpn from your phone or other mobile device to your home network, then your phone or mobile device will remain behind adguard home (or other custom dns) no matter where you are (as long as you've configured it correctly).
You can get complex to achieve this setup (with various docker instances on a home server or whatever) or go the (fairly) easy way with an Asus router running the asus-merlin firmware, a vpn host/server, and adguard home (they will all run on the router itself just fine while maintaining gigabit routing speeds). You can also put the skynet firewall extension for ip-based blocking. It will handle all of that while running a wireless AP with multiple guest networks across 2.4 and 5ghz bands if you get one of their better routers. Very stable too. If you are brave (not afraid of console/terminal) you can even set up vlan tagging and such, but I found that an isolated guest network on wifi was sufficient.
Maybe because that's just a firewall that can be installed on Windows, Debian/Ubuntu and Fedora. What about your mobile devices? This is where Pi-hole, AGH, NextDNS etc. win.
Read the whole sentence. That "just" belongs to the fact that it's only available on a few selected OSes and none of them are for mobile devices.
It's possible I'm misunderstanding something, I am admittedly a layman when it comes to much of this. That being said, I believe NextDNS is marketed as a DNS level firewall. I do use Postmaster, but for the secure DNS I use a profile on NextDNS so I can implement granular control over what is being blocked on my PCs.
Idk what mobile device you are using, but I know on Android you can use NextDNS by updating your "Private DNS" in the Android settings. If you set it to a NextDNS profile it eliminates the need to install an app, and allows NextDNS to block ads and trackers even while not at home and utilizing your mobile data (or any other network you might need to connect to). Can also be implemented in conjunction with a VPN (if that is something the user is trying to implement based on their threat model) because it is built into the system settings rather than an app using a VPN-esque connection as a sinkhole for trackers. There is also a setting that allows you to prevent bypass if activated. I use that on our router.
Hope this helps! If I am wrong, please feel free to educate me. Always happy to learn more. 🍻
Gotcha! My bad, I clearly misinterpreted the discussion. Thank you for the clarification!
Your setup sounds pretty legit. as far as "too paranoid", I don't think that's a factor as long as the effort required to maintain your system is something you're comfortable with upkeeping and you don't feel these concerns are getting in the way of your mental well-being. I do more than work probably most of the people I know, but that's because I like to tinker and this is sort of a hobby for me. My family and partner think it's extreme, but I feel it's good to know how to implement different procedures, countermeasures, and security levels. Do I need them all? Definitely not. But there was a situation at work the other day where I was able to consult on remediation because I have exposed myself to a wide array of different tools and methodologies that most people I work with don't care to bother with. All of that to say, " do you, boo!" Follow your info tech/cyber sec bliss.
NextDNS is cool but it also doesn't sound necessary for your use case. My primary use for it was because of the limitations of my stock OS when it comes to features like built-in firewalls. Then since I was already using it on my mobile, I just decided to experiment with wrapping it into things like Postmaster and my router to control things like smart TVs.
My goal with my next mobile is a custom ROM where I can implement a setup similar to yours. That day can't come soon enough! 😂
In my network it can only do that if the app has a hardcoded encrypted DNS server because I use NAT rules to force all unencrypted DNS to be processed by my OPNsense (which uses NextDNS as upstream DNS servers). And I highly doubt many apps even have a hardcoded DNS server anyway (no matter if unencrypted or encrypted).
That's your personal use case but not everyone elses. I do much more with my phone. For example browsing. And I think most people do it too. Anyway, as long as you use mobile internet even your OS on your phone could spy on you with tracker domains. Most people don't use a custom ROM so you're just one of few people who this doesn't apply to.
Wrong. I use NextDNS so I have it everywhere. ;)
Well, you said "you" so I thought you were talking about me since you replied to my comment.
Right. I don't know about Telegram but in Firefoxes case I think it's disabled by default. I specifically checked that on my Firefox so it won't bypass my OPNsense.
You don't see it, do you? First you talk about your use case but then you talk about other people. So not your use case anymore. In their use case a Pi-hole, AdGuard Home, NextDNS or whatever else maybe makes sense and isn't a bad choice.
Erm... what?? Smartphones are designed for many different things. Browsing the internet is just one of many things it's made for. It's called "smartphone" for a reason.
It can't bypass my network DNS if only my DNS server is allowed to send out via port 53.
It's really fun to see how some devices are completely panicking. (I only have some chromecast music devices which do not need any internet) Anyway, I do hate that there are manufacturers who hardcode a dns into MY devices.
For the time I'm outside my network I do have a VPN which allows me to acces my pi-hole from outside (I never felt that the speed or latency is especially low)
There are even routers which allow you to re-route specific ports to specific devices. So, even if the device wants 8.8.8.8 the firewall would reroute it to my dns server
If you want a privacy friendly option that works from in/and outside your network without all the hassle above I can also recommend proton VPN which also procides tracker and ad blocking.