
Re: VPN and DNS Nonsense

Posted: Sat Sep 24, 2022 12:38 pm
by vic
Ended up with Mullvad. :)

Re: VPN and DNS Nonsense

Posted: Sat Sep 24, 2022 3:33 pm
by GekkoP
^ Good choice!

Back at DNS filtering and blocking unwanted things. Among the many host lists available, which ones work best for you?

I've been using 1Hosts Pro in uBlock both on desktop and mobile with uBlock itself in medium blocking mode. This breaks most of the WWW, of course, but I am fine whitelisting only the things I need. However, to make it slightly easier for the better half I set up NextDNS with the following lists:

- NextDNS Ads & Trackers Blocklist
- 1Hosts (Lite)
- oisd

Am I missing something? Should I add more lists to NextDNS to make it better without being yelled at?

Re: VPN and DNS Nonsense

Posted: Sun Sep 25, 2022 8:14 am
by vic
Sorry I can not be of any help here. So far I have just the most very basic set up with blocking ads etc. I do understand that there are a lot of possibilities here of fine tuning choices available, and with time I might venture into it. I have a lot (A LOT!) to learn here, but right now I just want something that works.

My host preferences are mainly central Europe which almost always gives me good speed. Have tried some more remote locations a couple of times, but then the connection slows down. So that will be saved for special occasions.

Re: VPN and DNS Nonsense

Posted: Sun Sep 25, 2022 10:12 pm
by gutterslob
GekkoP wrote:
Sat Sep 24, 2022 3:33 pm
I've been using 1Hosts Pro in uBlock both on desktop and mobile with uBlock itself in medium blocking mode. This breaks most of the WWW, of course, but I am fine whitelisting only the things I need. However, to make it slightly easier for the better half I set up NextDNS with the following lists:

- NextDNS Ads & Trackers Blocklist
- 1Hosts (Lite)
- oisd

Am I missing something? Should I add more lists to NextDNS to make it better without being yelled at?
https://github.com/yokoffing/NextDNS-Config
There’s a Balanced/Strict/Aggressive table midway down. The “Balanced” combination should pass the girlfriend/wife test.

Also, if using uBO on medium mode, the default filters are more than adequate. DNS blocking would be more useful for OS-wide needs (not needed for most Linux distros) or mobile devices.

Fyi; you can create separate device profiles for different devices. If you’re putting it on a Pi-Hole or router, then yes, a less aggressive setup would ensure minimal troubleshooting.

Re: VPN and DNS Nonsense

Posted: Mon Sep 26, 2022 6:52 am
by GekkoP
^ Awesome, thank you. I wasn't that far from a balanced configuration then, which means I am learning something. :)

Re: VPN and DNS Nonsense

Posted: Mon Sep 26, 2022 8:17 am
by gutterslob
^ Always a compromise when sharing your life with someone. Personally don’t feel a “balanced” setup blocks enough. Spend some time going through the contents of oisd-full and you’ll realize the reason it’s so big is because a significant part of it is dedicated to whitelisting. It’s probably the best list out there from a set&4get perspective, but I’d personally use 1Hosts Pro with some whitelisting.

You can shore up that Balanced profile a bit more by adding every service in the Parental Controls section that you and your partner don’t use, just to make sure their analytics aren’t sneaking in. That’s the one thing that guide I posted didn’t mention, so it’s possibly just double-redundancy and not needed, but won’t hurt considering it’s done on a server and not eating local resources.

Re: VPN and DNS Nonsense

Posted: Mon Sep 26, 2022 9:04 am
by GekkoP
^ My approach is using the Balanced profile with NextDNS Ads & Trackers Blocklist instead of NoTrack, but I'll experiment more. I am using the Native Tracking Protection from NextDNS for Samsung and Apple devices as well, but as usual, it's a matter of finding the right setting for everyone here.

Re: VPN and DNS Nonsense

Posted: Tue Sep 27, 2022 2:33 am
by gutterslob
Another DNS service;
https://kb.controld.com/en/3rd-party-filters
They have DoH/DoT as well as legacy IPv4/IPv6 addresses available. From everything I’ve read, ControlD’s free servers are non-logging. Not configurable like NextDNS, but if you use something like Mullvad’s app on mobile then simply slapping on the 1Hosts Pro addresses into the Custom DNS section should provide you with better protection than Mullvad’s own DNS blocking, and you won’t be eating into your NextDNS quota (if using free account).

Re: VPN and DNS Nonsense

Posted: Wed Sep 28, 2022 11:31 am
by wuxmedia
I'll not pretend to understand all of this thread :D
But I was listening to a podcast (cyber by VICE) and they were talking about ISPs trading data, with various organisations, which reveals the netflow data, which I presume includes your initial connection to the ISP - before you jump to the VPN?
They were even able to serve out packet caps.
https://www.vice.com/en/article/y3pnkw/ ... email-data

Just thought it was interesting and maybe had something to do with this topic :D

Re: VPN and DNS Nonsense

Posted: Fri Sep 30, 2022 4:26 pm
by gutterslob
^ pretty much.

Which is why it’s important for people to know;

1. that a VPN is capable of doing the same nefarious things your ISP/telco does, which makes choosing a provider difficult.

2. that it’s important to compartmentalize what they do while on a VPN, because simply doing the same things you used to do will essentially be cloning your ISP fingerprint onto your VPN fingerprint.

Re: VPN and DNS Nonsense

Posted: Sun Oct 30, 2022 12:10 pm
by GekkoP
gutterslob wrote:
Fri Sep 30, 2022 4:26 pm
2. that it’s important to compartmentalize what they do while on a VPN, because simply doing the same things you used to do will essentially be cloning your ISP fingerprint onto your VPN fingerprint.
One of the things that I didn't like in the Android app from Mullvad was the lack of split tunneling. They added it finally, which to me is a nice way to specify the apps I do not want behind a VPN all the time.

Re: VPN and DNS Nonsense

Posted: Tue Nov 01, 2022 4:12 pm
by gutterslob
GekkoP wrote:
Sun Oct 30, 2022 12:10 pm
One of the things that I didn't like in the Android app from Mullvad was the lack of split tunneling. They added it finally, which to me is a nice way to specify the apps I do not want behind a VPN all the time.
I thought the feature had been on the Android app for a while. Did something change in the latest build?

What I don’t like about the Mullvad app’s split tunneling feature is that it’s only exclusion based. I suppose that’s what most users expect. They tunnel everything and just select what services they want to exclude like Netflix, Steam, banking, etc.

My use case on Android is the exact opposite, in that I only want a couple of apps tunneled, like a web browser or reddit client. For that, I’d essentially need to select almost everything from the split tunneling list the app generates, and even then I’m not sure because of how shared libraries work in Android. Hence, I need to take the convoluted path of using an app like Shelter to box off a separate profile that contains only apps I want the VPN for, which in turn creates its own inconveniences due to how the Private DNS setting in Android hijacks queries made from within a VPN tunnel.

Re: VPN and DNS Nonsense

Posted: Wed Nov 02, 2022 7:42 pm
by GekkoP
gutterslob wrote:
Tue Nov 01, 2022 4:12 pm
I thought the feature had been on the Android app for a while. Did something change in the latest build?
Probably me not getting the update, but I didn't see it before. Or it could be just me getting old, of course.

Re: VPN and DNS Nonsense

Posted: Thu Feb 23, 2023 4:00 pm
by gutterslob
Just a heads up (although Gekko is probably on top of it already, considering his NextDNS addiction), but this guide has been revised a few times since I last shared it, to keep up with the new features and blocklists added to the service.

Recently visited my mother and the guide proved useful for a normie/mom-friendly setup on her iPhone (off-topic;- those ‘Mini’ sized iPhones are so refreshing to use in these times of giant slabs). I ended up with something in between the Balanced and Strict profiles for her — basically just Hagezi Pro and some anti-scam list whose name I can’t recall, with around a dozen or so domains added to the Allowlist — and she’s been having zero issues so far.

If she ever does run into problems, I can just log into my account (upgraded to a paid account recently) and remotely ease up the blocking on her device profile.

Re: VPN and DNS Nonsense

Posted: Thu Feb 23, 2023 5:05 pm
by GekkoP
^ Yes, I visit that page regularly. :)

I moved to Hagezi too a while ago, and everything works smoothly.

Re: VPN and DNS Nonsense

Posted: Sat Jun 03, 2023 11:42 am
by gutterslob
Bad news (and a heads up) for anyone on Mullvad. Looks like the pedos ruined it for the rest of us; https://mullvad.net/en/blog/2023/5/29/r ... ded-ports/

If you’re depending on port forwarding for your private tracker seeding, web hosting, media streaming, game server, etc - time to look elsewhere :(

Re: VPN and DNS Nonsense

Posted: Sun Jun 04, 2023 10:05 pm
by ivanovnegro
^ Just as I switched from ProtonVPN to Mullvad in May. :(

Re: VPN and DNS Nonsense

Posted: Mon Jun 05, 2023 12:49 pm
by gutterslob
ivanovnegro wrote:
Sun Jun 04, 2023 10:05 pm
^ Just as I switched from ProtonVPN to Mullvad in May. :(
If you pay monthly then you should have nothing to worry about. Forwarded port(s) will be active until 1st July. If you’ve paid for longer you can email support to request a refund even if the 30-day refund period has passed (although it will be pro-rated so you won’t be refunded for the time you’ve already used). People who paid with BTC have also successfully gotten refunds (according to reddit). Not sure about XMR or cash.

As for alternatives, the best one that comes to mind would be AirVPN. Very old school provider, you’ll need to do manual configuration, but they have active forums and provide port forwarding (10 ports, I think) and decent speeds according to what I’ve read. You can sign up anonymously by refusing to provide an email address, but you will lose the ability to reset your password that way.

IVPN isn’t built to handle heavy torrenting (and it’s expensive), so better to avoid. Proton’s port forwarding is problematic, I’ve heard. Perfect Privacy might also be a good alternative, but it’s been years since I tried them so it’s best to do your reading first.

Re: VPN and DNS Nonsense

Posted: Mon Jun 05, 2023 2:31 pm
by GekkoP
I wasn't using port forwarding, but still, there's always someone out there just ruining it for everybody else. FFS.

Re: VPN and DNS Nonsense

Posted: Mon Jun 05, 2023 2:57 pm
by gutterslob
If you think about it, offering five ports for forwarding is kinda asking for abuse. Removing the feature might actually get their IPs off some blacklists in time.

I do wonder what’s seeded behind private trackers these days though, especially with the news of RARBG’s death. Haven’t forwarded ports in years, so I guess I’ll never find out, which is probably a good thing.