I was using the NetGuard app as a firewall on my Android; the problem is that I would like to encrypt the DNS requests, and I have found two options.
One is to use the NextDNS client (it is not found in F-Droid), which encrypts the DNS requests, and using my configuration ID I can also block the advertising. But if I use NextDNS I cannot use NetGuard, because the NextDNS app establishes a local VPN connection, preventing me from also using NetGuard as a firewall.
The other option is RethinkDNS, which has DNS encryption and also includes a firewall. This app is available in F-Droid, but I don’t know the privacy policy of their DNS server; I don’t know if it saves the logs of the DNS queries on their server.
What option do you recommend? Use NextDNS and lose the use of NetGuard, or better use RethinkDNS?
If you’re on Android 10+, you can set NextDNS as a Private DNS provider on your Android and use NetGuard concurrently with it.
Regarding the app RethinkDNS+Firewall, you can use the app to point it to any DNS resolver of your choice. You’re not beholden to use RethinkDNS’ own DNS resolver.
And if something isn’t on F-Droid, then it might be prudent to ask the developer about it rather than the F-Droid community, though the volunteers and the community do tend to invest a lot of their own time and effort helping FOSS developers onboard.
RethinkDNS+Firewall mitigates this by splitting the TLS ClientHello packet, which contains Server Name Identification (SNI), into two. Unless the ISPs are running a stateful firewall (most aren’t), they won’t know.
Intra does this split, too. Libretra, as well (btw you should consider rebasing it to latest from upstream
DNS is used to resolve names to IPs: example.com → 2606:2800:220:1:248:1893:25c8:1946
TLS ClientHello is used to identify the hostname (typically, a domain name) a client wants to connect to over that IP: 2606:2800:220:1:248:1893:25c8:1946 → example.com.
Why is that so? Because multiple ‘domain names’ (hostnames) can point to a single IP (that is, a single IP can serve multiple hosts behind it).
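The ClientHello-splitting point made earlier in the thread, and the DNS-versus-SNI distinction in this post, can be made concrete. What follows is an added example of mine, not code from RethinkDNS, Intra or anyone in this thread: it builds a minimal ClientHello carrying an SNI extension, extracts the hostname from it, and then shows why an inspector that examines each TCP segment on its own no longer sees the name once the record is split across two segments, whereas one that reassembles the stream still does. The record builder, the cipher suites and the split offset are constructed for the demonstration.

```python
import struct


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying a server_name (SNI) extension.
    Constructed for this demonstration; it is not a capture from a real client."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                                     # legacy_version (TLS 1.2)
        + b"\x11" * 32                                  # client random (fixed for reproducibility)
        + b"\x00"                                       # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"    # two cipher suites
        + b"\x01\x00"                                   # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the SNI hostname if `data` starts with a complete ClientHello record
    that carries one, else None (truncated, malformed, or not a ClientHello)."""
    try:
        if len(data) < 5 or data[0] != 0x16:            # ContentType handshake
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        if len(data) < 5 + rec_len:                      # record not fully present in this buffer
            return None
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        pos = 2 + 32                                     # skip legacy_version and random
        pos += 1 + body[pos]                             # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                             # compression_methods
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0:
                # server_name_list: 2-byte list length, then name_type(1) + name_len(2) + name
                name_type = body[pos + 2]
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                if name_type == 0:
                    return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def split_at(record: bytes, offset: int):
    """Model a client that sends one ClientHello record as two TCP segments."""
    return [record[:offset], record[offset:]]


def stateless_inspect(segments):
    """Per-segment inspection with no reassembly: the first SNI found, else None."""
    for seg in segments:
        name = extract_sni(seg)
        if name is not None:
            return name
    return None


def stateful_inspect(segments):
    """Reassemble the byte stream first, then parse; what a stateful middlebox does."""
    return extract_sni(b"".join(segments))


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    segments = split_at(hello, 20)                       # split inside the client random
    print("whole record  :", extract_sni(hello))
    print("stateless view:", stateless_inspect(segments))
    print("stateful view :", stateful_inspect(segments))
```

The point for anyone on the inspecting side is that a per-packet SNI match is only a heuristic: any device that wants a reliable hostname must track the TCP stream and reassemble the record before parsing, exactly the "stateful firewall" caveat above.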
The real reason to use DNS over HTTPS isn’t really for privacy, or even security; it’s to get around an ISP blocking specific website access. If you want actual privacy from the ISP, use a VPN as an alternative. Although it can be tough using both a VPN and a firewall on Android.
Even if they do find that you visited the website afterwards, it would be too late to block you from getting to the site. Think of the recent net neutrality issues.
The ISP could still throttle you if they can’t determine what website you are on and you are using a lot of bandwidth (or even if you are using very little bandwidth).
Relays sit between the dns resolver and the client. They’re routing proxies, if you will.
In a regular setup, the dnscrypt-resolver knows both who’s the client (dnscrypt-header) and what’s the query (dns-packet).
In a relay setup, the dnscrypt-resolver knows what’s the query (dns-packet) but not who sent it (dnscrypt-header), while the relay knows who’s the client (dnscrypt-header) but not what’s in the dns-packet (query).
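To make that knowledge split concrete, here is an added example of mine (not code from dnscrypt-proxy or from anyone in this thread) that models a client, a relay and a resolver in one process and records what each party could log. The relay-header layout (8 bytes of 0xFF, a 16-byte resolver IP with IPv4 mapped into IPv6, a 2-byte port, then the encrypted query) follows my reading of the Anonymized DNSCrypt description in dnscrypt-proxy; everything else is simplified and labelled as such: a pre-shared key stands in for the X25519 exchange, an HMAC-based encrypt-then-MAC box stands in for XSalsa20-Poly1305, the client magic and all addresses are constructed placeholders, and the "dns-packet" is reduced to a query name.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

ANON_MAGIC = b"\xff" * 8        # relay-header magic (Anonymized DNSCrypt, per my reading of the spec)
RESOLVER_MAGIC = b"r6fnvWj8"    # DNSCrypt v2 resolver magic on responses
CLIENT_MAGIC = b"\x01" * 8      # constructed placeholder; a real client magic comes from the resolver's certificate
TAG_LEN = 16


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (n + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
                    for i in range(blocks))[:n]


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for the XSalsa20-Poly1305 box DNSCrypt really uses."""
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]


def open_box(key: bytes, nonce: bytes, sealed: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Resolver:
    def __init__(self, ip: str, port: int, shared_key: bytes):
        self.ip, self.port, self.key = ip, port, shared_key
        self.seen = []                                   # (source IP, query name): what it could log

    def handle(self, query: bytes, src_ip: str) -> bytes:
        if query[:8] != CLIENT_MAGIC:
            raise ValueError("not a DNSCrypt query")
        client_pk, nonce, sealed = query[8:40], query[40:52], query[52:]  # "dnscrypt-header", then the box
        qname = open_box(self.key, nonce, sealed).decode("ascii")          # the "dns-packet", reduced to a name
        self.seen.append((src_ip, qname))
        answer = f"{qname} AAAA 2606:2800:220:1:248:1893:25c8:1946".encode()  # constructed answer
        resp_nonce = nonce + os.urandom(12)              # client half + resolver half, as in DNSCrypt
        return RESOLVER_MAGIC + resp_nonce + seal(self.key, resp_nonce, answer)


class Relay:
    def __init__(self, ip: str, resolvers: dict):
        self.ip, self.resolvers = ip, resolvers
        self.seen = []                                   # (client IP, resolver address, opaque payload length)

    def handle(self, packet: bytes, src_ip: str) -> bytes:
        if packet[:8] != ANON_MAGIC:
            raise ValueError("not an anonymized query")
        addr = ipaddress.IPv6Address(packet[8:24])
        target = (str(addr.ipv4_mapped or addr), struct.unpack("!H", packet[24:26])[0])
        inner = packet[26:]                              # opaque to the relay: it holds no key for it
        self.seen.append((src_ip, target, len(inner)))
        return self.resolvers[target].handle(inner, self.ip)   # resolver sees the relay as the source


def client_query(resolver_ip: str, resolver_port: int, key: bytes, qname: str):
    nonce = os.urandom(12)
    client_pk = os.urandom(32)                           # placeholder for the client's X25519 public key
    boxed = CLIENT_MAGIC + client_pk + nonce + seal(key, nonce, qname.encode("ascii"))
    ip = ipaddress.ip_address(resolver_ip)
    packed = ip.packed if ip.version == 6 else ipaddress.IPv6Address(f"::ffff:{ip}").packed
    return ANON_MAGIC + packed + struct.pack("!H", resolver_port) + boxed, nonce


def client_open(key: bytes, nonce: bytes, response: bytes) -> str:
    if response[:8] != RESOLVER_MAGIC:
        raise ValueError("bad resolver magic")
    resp_nonce, sealed = response[8:32], response[32:]
    if resp_nonce[:12] != nonce:                         # the response must echo our nonce half
        raise ValueError("response nonce does not match our query")
    return open_box(key, resp_nonce, sealed).decode("ascii")


def run_exchange(qname: str = "example.com") -> dict:
    """One relayed query; returns what each party saw. Addresses are constructed placeholders."""
    key = os.urandom(32)                                 # stand-in for the client/resolver shared secret
    resolver = Resolver("203.0.113.53", 443, key)
    relay = Relay("198.51.100.7", {(resolver.ip, resolver.port): resolver})
    client_ip = "192.0.2.10"
    packet, nonce = client_query(resolver.ip, resolver.port, key, qname)
    answer = client_open(key, nonce, relay.handle(packet, client_ip))
    return {"client_ip": client_ip, "relay_saw": relay.seen,
            "resolver_saw": resolver.seen, "answer": answer}


if __name__ == "__main__":
    for k, v in run_exchange().items():
        print(f"{k:13}: {v}")
```

Reading the two `seen` lists side by side is the whole argument: the relay's log has the client address and an opaque blob, the resolver's log has the query but only the relay's address, and the privacy holds only as long as the two are not operated by the same party or correlating their logs.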
I am searching the net but I cannot find an updated tutorial to configure dnscrypt in linux and configure the relays, do you know any web where it is explained how to configure it?