VPN and DNS Nonsense
Re: VPN and DNS Nonsense
^ Good choice!
Back at DNS filtering and blocking unwanted things. Among the many host lists available, which ones work best for you?
I've been using 1Hosts Pro in uBlock both on desktop and mobile with uBlock itself in medium blocking mode. This breaks most of the WWW, of course, but I am fine whitelisting only the things I need. However, to make it slightly easier for the better half I set up NextDNS with the following lists:
- NextDNS Ads & Trackers Blocklist
- 1Hosts (Lite)
- oisd
Am I missing something? Should I add more lists to NextDNS to make it better without being yelled at?
Re: VPN and DNS Nonsense
Sorry I can not be of any help here. So far I have just the most very basic set up with blocking ads etc. I do understand that there are a lot of possibilities here of fine tuning choices available, and with time I might venture into it. I have a lot (A LOT!) to learn here, but right now I just want something that works.
My host preferences are mainly central Europe which almost always gives me good speed. Have tried some more remote locations a couple of times, but then the connection slows down. So that will be saved for special occasions.
Sorry guys, I am busy with my favorite K-drama.
- gutterslob
- Resident Tranny
- Posts: 1076
- Joined: Thu Aug 08, 2013 7:13 pm
Re: VPN and DNS Nonsense
GekkoP wrote: ↑Sat Sep 24, 2022 3:33 pm
I've been using 1Hosts Pro in uBlock both on desktop and mobile with uBlock itself in medium blocking mode. This breaks most of the WWW, of course, but I am fine whitelisting only the things I need. However, to make it slightly easier for the better half I set up NextDNS with the following lists:
- NextDNS Ads & Trackers Blocklist
- 1Hosts (Lite)
- oisd
Am I missing something? Should I add more lists to NextDNS to make it better without being yelled at?
https://github.com/yokoffing/NextDNS-Config
There’s a Balanced/Strict/Aggressive table midway down. The “Balanced” combination should pass the girlfriend/wife test.
Also, if using uBO on medium mode, the default filters are more than adequate. DNS blocking would be more useful for OS-wide needs (not needed for most Linux distros) or mobile devices.
Fyi; you can create separate device profiles for different devices. If you’re putting it on a Pi-Hole or router, then yes, a less aggressive setup would ensure minimal troubleshooting.
Re: VPN and DNS Nonsense
^ Awesome, thank you. I wasn't that far from a balanced configuration then, which means I am learning something. :)
- gutterslob
- Resident Tranny
- Posts: 1076
- Joined: Thu Aug 08, 2013 7:13 pm
Re: VPN and DNS Nonsense
^ Always a compromise when sharing your life with someone. Personally don’t feel a “balanced” setup blocks enough. Spend some time going through the contents of oisd-full and you’ll realize the reason it’s so big is because a significant part of it is dedicated to whitelisting. It’s probably the best list out there from a set&4get perspective, but I’d personally use 1Hosts Pro with some whitelisting.
You can shore up that Balanced profile a bit more by adding every service in the Parental Controls section that you and your partner don’t use, just to make sure their analytics aren’t sneaking in. That’s the one thing that guide I posted didn’t mention, so it’s possibly just double-redundancy and not needed, but won’t hurt considering it’s done on a server and not eating local resources.
Re: VPN and DNS Nonsense
^ My approach is using the Balanced profile with NextDNS Ads & Trackers Blocklist instead of NoTrack, but I'll experiment more. I am using the Native Tracking Protection from NextDNS for Samsung and Apple devices as well, but as usual, it's a matter of finding the right setting for everyone here.
- gutterslob
- Resident Tranny
- Posts: 1076
- Joined: Thu Aug 08, 2013 7:13 pm
Re: VPN and DNS Nonsense
Another DNS service;
https://kb.controld.com/en/3rd-party-filters
They have DoH/DoT as well as legacy IPv4/IPv6 addresses available. From everything I’ve read, ControlD’s free servers are non-logging. Not configurable like NextDNS, but if you use something like Mullvad’s app on mobile then simply slapping on the 1Hosts Pro addresses into the Custom DNS section should provide you with better protection than Mullvad’s own DNS blocking, and you won’t be eating into your NextDNS quota (if using free account).
Re: VPN and DNS Nonsense
I'll not pretend to understand all of this thread :D
But I was listening to a podcast (cyber by VICE) and they were talking about ISPs trading data, with various organisations, which reveals the netflow data, which I presume includes your initial connection to the ISP - before you jump to the VPN?
They were even able to serve out packet caps.
https://www.vice.com/en/article/y3pnkw/ ... email-data
Just thought it was interesting and maybe had something to do with this topic :D
- gutterslob
- Resident Tranny
- Posts: 1076
- Joined: Thu Aug 08, 2013 7:13 pm
Re: VPN and DNS Nonsense
^ pretty much.
Which is why it’s important for people to know;
1. that a VPN is capable of doing the same nefarious things your ISP/telco does, which makes choosing a provider difficult.
2. that it’s important to compartmentalize what they do while on a VPN, because simply doing the same things you used to do will essentially be cloning your ISP fingerprint onto your VPN fingerprint.
Re: VPN and DNS Nonsense
gutterslob wrote: ↑Fri Sep 30, 2022 4:26 pm
2. that it’s important to compartmentalize what they do while on a VPN, because simply doing the same things you used to do will essentially be cloning your ISP fingerprint onto your VPN fingerprint.
One of the things that I didn't like in the Android app from Mullvad was the lack of split tunneling. They added it finally, which to me is a nice way to specify the apps I do not want behind a VPN all the time.
- gutterslob
- Resident Tranny
- Posts: 1076
- Joined: Thu Aug 08, 2013 7:13 pm
Re: VPN and DNS Nonsense
I thought the feature had been on the Android app for a while. Did something change in the latest build?
What I don’t like about the Mullvad app’s split tunneling feature is that it’s only exclusion based. I suppose that’s what most users expect. They tunnel everything and just select what services they want to exclude like Netflix, Steam, banking, etc.
My use case on Android is the exact opposite, in that I only want a couple of apps tunneled, like a web browser or reddit client. For that, I’d essentially need to select almost everything from the split tunneling list the app generates, and even then I’m not sure because of how shared libraries work in Android. Hence, I need to take the convoluted path of using an app like Shelter to box off a separate profile that contains only apps I want the VPN for, which in turn creates its own inconveniences due to how the Private DNS setting in Android hijacks queries made from within a VPN tunnel.
Re: VPN and DNS Nonsense
gutterslob wrote: ↑Tue Nov 01, 2022 4:12 pm
I thought the feature had been on the Android app for a while. Did something change in the latest build?
Probably me not getting the update, but I didn't see it before. Or it could be just me getting old, of course.
- gutterslob
- Resident Tranny
- Posts: 1076
- Joined: Thu Aug 08, 2013 7:13 pm
Re: VPN and DNS Nonsense
Just a heads up (although Gekko is probably on top of it already, considering his NextDNS addiction), but this guide has been revised a few times since I last shared it, to keep up with the new features and blocklists added to the service.
Recently visited my mother and the guide proved useful for a normie/mom-friendly setup on her iPhone (off-topic;- those ‘Mini’ sized iPhones are so refreshing to use in these times of giant slabs). I ended up with something in between the Balanced and Strict profiles for her — basically just Hagezi Pro and some anti-scam list whose name I can’t recall, with around a dozen or so domains added to the Allowlist — and she’s been having zero issues so far.
If she ever does run into problems, I can just log into my account (upgraded to a paid account recently) and remotely ease up the blocking on her device profile.
Re: VPN and DNS Nonsense
^ Yes, I visit that page regularly. :)
I moved to Hagezi too a while ago, and everything works smoothly.