VPN and DNS Nonsense

gutterslob
Resident Tranny
Posts: 1124
Joined: Thu Aug 08, 2013 7:13 pm

VPN and DNS Nonsense

Unread post by gutterslob » Thu May 12, 2022 1:16 pm

Today I learned that Android's Private DNS setting will hijack everything and even force your VPN to use it instead of its own DNS servers.
Who the hell thought this was a good idea?

So I set up a NextDNS profile and have the OS use its DoT instance. Then I use Knox (because it's a Samsung) to create a work profile. Install Droid-ify (F-Droid client) within that "Secure Folder" and then use it to install Mullvad (my VPN) and Bromite (Chromium stripped down for privacy), thinking I can create an isolated browsing session. I set Bromite to use Mullvad's DoH servers, but guess what, opening more than one domain simultaneously in Bromite causes DNS leakage. Open one website at a time and my NextDNS logs just show Mullvad's DNS domain, which is expected behaviour. Select a few bookmarks and tap the "open in new tab" option, and I see all the domains spill out into the NextDNS logs now. Turns out this is an upstream Chromium issue. Like, what the actual fuck?!

How does anyone live with this crap?
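A small resolver-log check, added here as an example that is not part of gutterslob's post and not any NextDNS, Mullvad or Bromite tooling: it reads DNS log lines in a constructed format (timestamp, status, queried domain, client), flags every query whose domain is not the VPN's DoH endpoint, and groups the flagged queries into short time bursts, which is how the "open several bookmarks in new tabs" leak described above would show up in the upstream resolver's logs (lookups of ordinary sites that should only ever have been visible to the VPN resolver). The log format, the client name and the endpoint hostname doh.vpn-provider.example are assumptions; substitute the real DoH hostname of the provider in use.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed log shape (constructed for this example, not NextDNS's real export):
#   <ISO-8601 timestamp> <status> <queried domain> <client name>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<status>\S+)\s+(?P<domain>\S+)\s+(?P<client>\S+)$"
)

# The only hostname(s) that should reach the upstream resolver when the browser
# sends all its lookups to the VPN's DoH endpoint. Placeholder value.
EXPECTED_DOH_HOSTS = ("doh.vpn-provider.example",)

# Constructed sample: two clean lookups of the DoH endpoint, a burst of three
# plain-site queries (the "open in new tab" moment), then a lone straggler.
SAMPLE_LOG = """\
2022-05-12T12:01:03Z ok      doh.vpn-provider.example work-profile
2022-05-12T12:01:04Z ok      doh.vpn-provider.example work-profile
2022-05-12T12:02:10Z ok      example.org              work-profile
2022-05-12T12:02:10Z blocked tracker.example          work-profile
2022-05-12T12:02:11Z ok      www.example.net          work-profile
2022-05-12T12:02:12Z ok      doh.vpn-provider.example work-profile
2022-05-12T12:05:00Z ok      cdn.example.com          work-profile
"""


def parse_log(text):
    """Parse log text into a list of dicts; reject lines that do not match."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        entries.append(m.groupdict())
    return entries


def is_expected(domain, expected_hosts=EXPECTED_DOH_HOSTS):
    """True if the queried name is one of the DoH endpoints or a subdomain of one.
    Case and a trailing dot are ignored, as in DNS."""
    d = domain.lower().rstrip(".")
    return any(d == h or d.endswith("." + h) for h in expected_hosts)


def find_leaks(entries, expected_hosts=EXPECTED_DOH_HOSTS):
    """Every entry whose domain bypassed the expected encrypted-DNS endpoint."""
    return [e for e in entries if not is_expected(e["domain"], expected_hosts)]


def parse_ts(ts):
    # fromisoformat() only accepts a trailing 'Z' on Python 3.11+, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def burst_groups(leaks, gap_seconds=2):
    """Group leaked queries whose timestamps are within gap_seconds of the
    previous one; a burst of several domains at once matches the multi-tab case."""
    groups, current, last = [], [], None
    for e in sorted(leaks, key=lambda e: parse_ts(e["ts"])):
        t = parse_ts(e["ts"])
        if last is not None and (t - last) > timedelta(seconds=gap_seconds):
            groups.append(current)
            current = []
        current.append(e["domain"])
        last = t
    if current:
        groups.append(current)
    return groups


def summarize(text, expected_hosts=EXPECTED_DOH_HOSTS):
    """Return counts, the distinct leaked domains and their time bursts."""
    entries = parse_log(text)
    leaks = find_leaks(entries, expected_hosts)
    return {
        "total": len(entries),
        "leaked": len(leaks),
        "leaked_domains": sorted(Counter(e["domain"] for e in leaks).items()),
        "bursts": burst_groups(leaks),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['leaked']} of {report['total']} queries bypassed the DoH endpoint")
    for domain, n in report["leaked_domains"]:
        print(f"  {domain}: {n}")
    for i, burst in enumerate(report["bursts"], 1):
        print(f"burst {i}: {', '.join(burst)}")
```

A log with zero leaked entries is the expected state; any non-empty burst is worth correlating with what the browser was doing at that time, since a single leaked name can be a captive-portal or OS probe while a burst of user-visited sites points at the client resolver being bypassed.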

wuxmedia
Grasshopper
Posts: 6445
Joined: Wed Oct 17, 2012 11:32 am
Location: Back in Blighty

Re: /dev/null

Unread post by wuxmedia » Thu May 12, 2022 7:48 pm

Blind ignorance - I expect.
"Seek, and Ye shall find"
"Github | Chooons | Site"

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP » Fri May 13, 2022 7:29 am

^^ Just wanted to say thank you because I moved to Mullvad and setting it up on my devices was quick and easy. Their CLI app for the home server is nice as well.

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP » Fri May 13, 2022 10:34 am

@gutterslob Any reason why you are preferring NextDNS instead of what Mullvad already provides? AFAIK, Mullvad already does its things with DNS settings. Just curious (and eager to learn, of course).

gutterslob
Resident Tranny
Posts: 1124
Joined: Thu Aug 08, 2013 7:13 pm

Re: /dev/null

Unread post by gutterslob » Fri May 13, 2022 4:46 pm

^ Ah, good to know. Either way, Mullvad's pricing structure doesn't try to sucker you into long term commitments, so you can pay monthly and cancel if it doesn't work for you.

I recall you had some issue (which you sorted) with your uni's Cisco/IPsec network a few weeks back. If you need to use Mullvad on your uni wifi and find all ports outside the IPsec default UDP:4500 blocked or rate-limited, you can work around it with the CLI app;

mullvad relay set tunnel wireguard --protocol udp --port 4500
...or you can just generate a WireGuard config on their website and use nmcli or systemd-networkd if you prefer that method.
ArchWiki has a Mullvad section, though I'm not sure if it's up-to-date.

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP » Sat May 14, 2022 6:11 am

^ Interesting, thanks for the tip.

Speaking of privacy-related tinkering, I flashed DivestOS on my 6-year-old Fairphone 2 yesterday and so far so good. Home banking is going to be a bit trickier, but the little else I need to do with this phone works as fine as before.

gutterslob
Resident Tranny
Posts: 1124
Joined: Thu Aug 08, 2013 7:13 pm

Re: /dev/null

Unread post by gutterslob » Sat May 14, 2022 3:07 pm

^ DivestOS is supposed to be one of the better ROMs out there. They follow proper security practices (unlike LineageOS) and generally do a good job with blocking/limiting most of the beacons built into the internal chipsets, according to what I've read.

What's the reason for banking being harder? Bootloader not relockable or lack of Google Play Services or some issue with microG? Banking is one of the reservations I have as well when it comes to deGoogling Android.

I was tempted to get a Pixel and put GrapheneOS or CalyxOS on it, but the issues I've read about with microG on Calyx or Graphene's sandboxing (checking an app on Exodus doesn't really tell you much, frankly) give me pause. The other issue has been the lack of local availability for Pixels (importing doesn't bring warranty coverage). The new 6a that was just announced will be officially available here, so we'll see.

This current Android I'm using is for a temp job. Helping an acquaintance set up a company. No MDM, but required apps like Chanty, Kyte and the revolting WhatsApp for Business, none of which I was willing to put on my own devices, so they got me a number/plan which included this midrange Samsung. Bloody perverted thing! Disabled as many services as I could and limited as many permissions as possible for the remainder, and even when barely used it still averages around a thousand DNS queries a day (with a whopping 40% being blocked) according to NextDNS, and that's with DNS caching enabled. I'm pretty sure those parole ankle bracelets track less than this. Maybe once I'm done with the job I'll attempt that popular Universal Android Debloater script.

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP » Sat May 14, 2022 3:31 pm

Banking is harder because some of it needs Google Play Services. Also, in Italy we have a thing called SPID (https://www.spid.gov.it/en/) which bafflingly enough requires Google Play Services as well. I don't think DivestOS supports microG (see here), but this is a newbie at smartphone flashing writing, so I need to research more on this.

Edit: microG is listed here, though, so I seriously need to know more.

ivanovnegro
Minister of Truth
Posts: 5448
Joined: Wed Oct 17, 2012 11:12 pm

Re: /dev/null

Unread post by ivanovnegro » Sun May 15, 2022 1:25 am

This thread turned into being super interesting.

One thing I will never use my smartphone for and never did and I hope it will stay that way, is online banking. My better half e.g. must use it with her Spanish bank account, there is no way she could manage it outside Spain. It is a fucked up bank anyway like most, but she still has this account in Spain for emergencies.

My question now to you guys who prefer not to use Google Play services. If you take microG, does it not destroy the purpose of not using some of those apps that are exclusive to Google's Android? For me at least de-Googling would also mean not using e.g. Google Maps or Gmail, even Youtube on my phone, and I did that on my old Android. I used F-Droid apps exclusively.

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP » Sun May 15, 2022 7:32 am

^ That's the reason I went for DivestOS: complete de-googling (as far as possible, I mean).

Home banking seems to be working just fine, at least the functions I need. I also found a workaround for that SPID thing which lets me use it without the phone app: basically part of the authentication process is through an SMS. There is a 3-month limit of 8 messages, but I need this bloody thing only for taxes so it should be twice or three times a year at most.

gutterslob
Resident Tranny
Posts: 1124
Joined: Thu Aug 08, 2013 7:13 pm

Re: /dev/null

Unread post by gutterslob » Sun May 15, 2022 9:01 am

Preface: I've been away from Android for a long time, so a lot of this is as new to me as it is for you chaps.

@Ivan
If you're using a deGoogled ROM and can do everything you need via F-Droid* then there is no reason for you to install microG.

Reason some people use microG is for apps they need that require Google Play Services (GPS) and all the components it brings with it (like SafetyNet, GMS, etc) for stuff like banking, shopping, and in some cases push notifications for messaging. It's not necessarily Google's own apps, most of which you can replace with stuff like OsmAnd, Newpipe or any privacy respecting email provider, but for those apps that need some sort of Google backend service.

Basically, if that banking, e-hailing or shopping app you need is only available via the Play Store, that's where microG and the Aurora Store come in. With microG enabled in its default mode (meaning no Google/Gmail account) you will give up some anonymity - you won't be tied to a Google account, but your IP address (assuming no VPN used) and device identifier (some ROMs like CalyxOS and DivestOS will randomize this) will be sent. Occasionally, depending on the app, location might be required as well, though some ROMs like CalyxOS use Mozilla's location database as a replacement.

For me, with this Samsung, its sole purpose is for the temp job I mentioned. Stuff like the inventory management app requires location services, while the banking app is needed for invoices and scanning cheques. Most business/current account banking applications nowadays (I suspect personal/savings accounts as well) use their own app for the transaction authentication for amounts exceeding a certain amount. Funny how they deem SMS-based 2FA as insecure but are more than happy to depend on GPS for the in-app notifications, instead of adopting proven OTP standards. Anyway, it's solely for that job and I make sure to disable wifi and location before I'm in the vicinity of my apartment.

* I sincerely hope you're using Neo/Droid-ify as your F-Droid client, because the official F-Droid app is slow as heck and looks like it's from 1643 BC.

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP » Sun May 15, 2022 10:22 am

gutterslob wrote:
Sun May 15, 2022 9:01 am
Funny how they deem SMS-based 2FA as insecure but are more than happy to depend on GPS for the in-app notifications, instead of adopting proven OTP standards.
This.

And it's why that SPID thing I mentioned is particularly ridiculous. You want to prove my digital identity when I have to deal with my taxes? Fine, I understand. But why should I use a service which depends on me giving up personal data to another party?

gutterslob
Resident Tranny
Posts: 1124
Joined: Thu Aug 08, 2013 7:13 pm

Re: /dev/null

Unread post by gutterslob » Sun May 15, 2022 11:15 am

^ I suspect it's a combination of 1. technical incompetence, 2. cost and 3. wanting to cover their own asses

1. Because politicians/CEOs/marketing are the ones making the final decision
2. Because politicians/CEOs/marketing are the ones signing the cheques
3. Because it's easier to blame everything on Google and other subcontracted companies when something bad happens

Baffling, as you said earlier, but also completely predictable.

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP » Sun May 15, 2022 11:22 am

^ Yes, I think those points pretty much sum it all up well.

Although I also suspect the IT department behind SPID preferred the easy solution Google offers (the usual popularity/comfort zone deal) and didn't care much about greater concerns. I mean, I am fairly sure they didn't try too hard to push for alternatives. Just as Uni has chosen to be locked in with Google, by the way.

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP » Mon May 16, 2022 11:55 am

gutterslob wrote:
Sat May 14, 2022 3:07 pm
I was tempted to get a Pixel and put GrapheneOS or CalyxOS on it, but the issues I've read about with microG on Calyx or Graphene's sandboxing (checking an app on Exodus doesn't really tell you much, frankly) give me pause. The other issue has been the lack of local availability for Pixels (importing doesn't bring warranty coverage). The new 6a that was just announced will be officially available here, so we'll see.
I meant to reply to this and then forgot.

When my FP2 dies, I'll probably move to a phone more reliable on the security/privacy side than this.

Don't get me wrong, I love the fairness and sustainability of the Fairphone. However, beside the external cover and the battery (just once), I didn't play much with its modular upgrades.

DivestOS on the FP2 is a compromise, of course, and being at home most of the time means I should care more about my network here than what's outside. Still, the FP3 and FP4 are not known to be that privacy friendly.

gutterslob
Resident Tranny
Posts: 1124
Joined: Thu Aug 08, 2013 7:13 pm

Re: /dev/null

Unread post by gutterslob » Mon May 16, 2022 3:51 pm

GekkoP wrote:
Mon May 16, 2022 11:55 am
When my FP2 dies, I'll probably move to a phone more reliable on the security/privacy side than this.
But is there such a phone though, and would it matter? If you're deGoogling, then wouldn't device compatibility with the ROM you intend to use outweigh whatever privacy/security state the stock phone comes in? That's my understanding, at least.

GekkoP wrote:
DivestOS on the FP2 is a compromise, of course, and being at home most of the time means I should care more about my network here than what's outside. Still, the FP3 and FP4 are not known to be that privacy friendly.
According to the DivestOS device downloads section, the FP3 seems to have good compatibility. Bootloader is relockable and Verified Boot state is at 2.0 (I'm not quite sure what that means, tbh), while your FP2 is listed with "Relockable: Unknown / Verified Boot: No". Did you manage to relock the bootloader after install? From what I understand, passing the SafetyNet check in Google Play Services (and its equivalent signature-spoof with microG) is the main factor in whether banking/finance apps will work, and the checks done are mostly bootloader related I believe.

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP » Mon May 16, 2022 4:36 pm

gutterslob wrote:
Mon May 16, 2022 3:51 pm
But is there such a phone though, and would it matter? If you're deGoogling, then wouldn't device compatibility with the ROM you intend to use outweigh whatever privacy/security state the stock phone comes in? That's my understanding, at least.
They're all good questions, and actually the ones I am asking myself. If DivestOS proves to be enough for my needs, then the next phone will be another FP.
gutterslob wrote:
Mon May 16, 2022 3:51 pm
According to the DivestOS device downloads section, the FP3 seems to have good compatibility. Bootloader is relockable and Verified Boot state is at 2.0 (I'm not quite sure what that means, tbh), while your FP2 is listed with "Relockable: Unknown / Verified Boot: No". Did you manage to relock the bootloader after install? From what I understand, passing the SafetyNet check in Google Play Services (and its equivalent signature-spoof with microG) is the main factor in whether banking/finance apps will work.
I relocked the bootloader with:

$ fastboot oem lock
Which replied with:

OKAY [  some milliseconds I don't remember]
Finished. Total time: [  same milliseconds I don't remember]

ivanovnegro
Minister of Truth
Posts: 5448
Joined: Wed Oct 17, 2012 11:12 pm

Re: /dev/null

Unread post by ivanovnegro » Mon May 16, 2022 4:50 pm

@Gutterslob: Thank you for your thorough explanation. Now I get it.

Basically on my Android, that is now used as some kind of remote or Newpipe music radio for the kitchen, I only use F-Droid apps and as it is not used anymore as a phone, most of the apps were dropped on it and if not in use, the phone is not connected to WiFi or even off.
gutterslob wrote:
Sun May 15, 2022 9:01 am
* I sincerely hope you're using Neo/Droid-ify as your F-Droid client, because the official F-Droid app is slow as heck and looks like it's from 1643 BC.
Damn. I missed that. I will check it out ASAP. Thanks. I always found the official client to be a real turtle and often throwing errors on me when updating programs.

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP » Tue May 17, 2022 5:24 pm

^ I second the Droid-ify advice.

Also, I went to Uni for an exam today (written test, I feel confident about it, but I don't know the mark yet) and no problem whatsoever with DivestOS: I bought train tickets, listened to some music during the travel and encrypted a couple of emails. VPN was alive and rock solid as well. All good. I'm happy.

gutterslob
Resident Tranny
Posts: 1124
Joined: Thu Aug 08, 2013 7:13 pm

Re: /dev/null

Unread post by gutterslob » Wed May 18, 2022 3:16 pm

@Ivan - in case you're procrastinating;
https://github.com/NeoApplications/Neo-Store
Install and welcome yourself to 2022.

@Gekko - in case you wanna spruce your gnome shell;
https://github.com/Pobega/gnome-shell-e ... -indicator
Good luck with the exam results, btw.
