What is your threat model for your Internet connection (and LAN when running NAS or local server) ?
Do you use Encrypted DNS only or VPN all the time or Split tunnelled VPN or Tor over VPN or Tor all time ?
I have my own. Just trying to know what’s out there in the wild to sulk in better.
No but seriously I try to use a VPN all the time on all my devices with separately set Encrypted DNS. Don’t really care about the “standing out from the other VPN users” aspect of this.
Somewhat same here. Although I don’t have an always-on VPN for my mobile device I use it whenever I can. When in public I tend to use mobile data and limit my phone use unless absolutely necessary. I use an encrypted DNS.
I am currently with NextDNS but soon switching to ControlD because they can spoof my IP to the destination server via Proxy. I don’t care about ISP since things are encrypted via TLS and I use sites that an average internet user uses. So, not a problemo.
Because of the above, I uninstalled official VPN apps and just using ProtonVPN’s free server configs on my devices whenever I need (for the most part, I don’t).
Pretty much the same as @ikelatomig, currently using NextDNS and sometimes use ProtonVPN for downloading linux iso’s but I don’t even have ProtonVPN installed on my phone, just on my pc and laptop.
I use a VPN double hop, some apps / browsers are split tunneled out, mostly when interacting with services that have my true identity / address.
I also use Tor Browser sometimes outside the VPN tunnel, and some apps run behind Tor proxy (Telegram / bitcoin / monero stuff)
I personally think[1] per-app network sandbox is a good way to think about it: iOS apps should be inside a network sandbox · Felix Krause (mirror).
Such drastic measures isn’t possible for all apps, but for frequently-used, task-specific, non-browser apps (like email/messaging/social media), setting up a network sandbox (using tools like LuLu Firewall / Little Snitch / OpenSnitch) makes me feel better about it all.
I co-develop an Android-only firewall app, so I may be biased towards solns similar to it. ↩︎
VPN always except for a specific browser that requires my identity, which is split tunnelled (whatsapp, email, government sites). Tor on top whenever possible.
Yeah, this is cool.
Firejail has a netlock feature, which scans the hosts that the app connects to in the first minute when you launch it, and builds a whitelist of hosts based on this that is enforced afterwards. Not as good or convenient as something set up out of the box by the developer or packager, but still good.
A network sandbox is cool when you want to block internet access for certain apps which we can do in Graphene OS via native apps or in normal android via Rethink (or just block trackers via something like Next DNS).
I am into PC networks primarily.
I am considering Split Tunnelling and do all the casual browsing via Tor too, but it would create a lot of Suspicion.
Currently thinking of,
RethinkDNS, NetGuard, etc. can only block direct internet access. GrapheneOS network permission blocks both direct and indirect internet access and is a lot more robust.
As for blocking trackers using NextDNS:
DNS filtering solutions. while not having any negative impact on security, are trivially bypassable by just hosting the advertisement and trackers under the apex domain instead of a subdomain. For example, instead of hosting advertisement and trackers under ads.example.com, the webmaster can move them to be under example.com/ads and it would be impossible for DNS filters to block. Other bypasses include an application implementing its own DNS resolution instead of relying on the DNS servers set by the operating system, or connecting directly to certain IP addresses without any DNS resolution at all.
It should also be noted that websites can detect which DNS servers a visitor uses. You can look at DNSLeakTest as an example. Using non-network provided DNS servers adds to the fingerprint and make you more identifiable.
The best way to do DNS filtering is to use a VPN provider which has this feature built in like ProtonVPN, Mullvad, and IVPN in order to not standout from other users of the same VPN provider. Even then, DNS filtering is purely a convenience feature and cannot be relied on for privacy and security.
Are you living in a country where Tor is illegal? If not, then I’m not sure what’s the problem with using Tor directly.
It is legal. I just don’t want to be under suspicion. Simply because I am avoiding trackers and having anonymity during Casual browsing (Even when I haven’t done anything).
I just don’t want to be under the radar.
Regarding DNS, the paragraph you highlighted does introduce some valid points. Problem.
I like Next DNS because it has robust filtering and I have configured every device on my home to use it (including family) so that they can have a good web experience.
Yeah, the subpage thing is valid but not a concern when ad blocker is used in browser or using Brave browser.
Even though, it fingerprints me, it does give a lot of convenience. And why does website know the DNS server instead of only the IP address ?
To be honest, I am into Windscribe VPN, it’s robust, but I am in no situation to purchase a premium at the moment, and it’s R.O.B.E.R.T is not as powerful as ControlD. So, I might need to wait for that to happen or use Both Windscribe + ControlD when it is sold as a combo like AdGuardVPN + AdGuard DNS.
It may or may not happen. It’s up to @yegor. Would be great to know some insights on that though.
Interesting. I’d have thought it is the same INTERNET permission AOSP Android checks for. What changes has Graphene made to it, if you’re aware?
Can this indirect access be used to upload things?
One of the examples:
Result: You will have internet access in Molly even though it’s blocked using RethinkDNS or NetGuard.
That sounds pretty dangerous. Is there anyway to get rid of this (for non-graphene devices)?
You could also use DivestOS, it also has network permission.
My guess is, this happens because Android doesn’t route localhost traffic into the VPN tunnel. If Rethink or NetGuard are setup to block the proxy app, Orbot, it should block Molly, as well.
Would you know if localhost traffic bypasses even when Block connections without VPN is turned ON? If so, I’d want to ask Graphene/Divest/Calyx to shore that one up, even if AOSP may not.
Using something like RethinkDNS or NetGuard with “Block all connections without VPN” will prevent direct network access via sockets, but the internet can still be accessed via OS networking APIs.
Nothing to do with sockets or networking APIs. On Android, a VPN app cannot prevent apps from using either of those.
The extent of a VPN-based firewall like Rethink or NetGuard is… iff the OS routes traffic into the VPN tunnel, it may either forward it or block it. It cannot act on traffic flowing outside of its tunnel (like ESP for VoWiFi, Hotspot, built-in AOSP Connectivity Checks, built-in HTTP Connect Proxy, localhost).
In case of Molly+Orbot, it is effectively Orbot that’s connecting to the Internet to forward Molly’s traffic. Installed apps using APIs from the Download Manager or Google Play services to connect (which still pass through the VPN tunnel) has similar effect.
As for Molly+Orbot, my guess is… AOSP not routing localhost traffic to the VPN tunnel is why the bypass happens. I’d imagine this holds true even when Block connections without VPN is turned ON, but I’m unsure.
As for Download Manager / Google Play services, the bypass is because the original app identity is lost by the time the traffic reaches the VPN tunnel.
Found some information on GOS forum.
It would be possible to split up the INTERNET permission to an extent by making it possible to disable some sockets but not others, such as splitting out
localhostaccess into a separate toggle. However, the permission enforced by the permission system will need to be denied if network access is partially denied. Otherwise, an application could bypass the direct traffic filtering with indirect access. This is something missed by other projects trying to make finer grained firewall toggles, including every firewall app implemented as a VPN service which do not really work properly.