Google introduced the PrivateDNS feature with Android 9.
Private DNS comes with its own flaws, but of course, it is a native implementation, and works wonders when you set it to point to dns.adguard.com. Shame that Private DNS (DoT) is blocked in censorship-heavy countries, and trivially so.
That’s because I didn’t find the option to allow LAN-only access for apps
This one is coming, but instead of “excluding” all LAN traffic like NetGuard does, we want it to continue to flow through the local VPN. This means queries / connections happening on the local LAN are also visible. The consequence is, it might take us a bit longer to implement and get it right.
I tried RethinkDNS yesterday.
Nice. Thanks (:
Unless this is a bug, the ‘whitelist’ feature (which allows apps to bypass the firewall but not DNS) is useless because it does nothing.
Ouch. Strong words. ‘Whitelist’/‘allowlist’ is helpful when one doesn’t want to block a particular app like, say, FairEmail. That is, adding FairEmail to the whitelist would exclude it from blanket firewall rules like ‘Block all apps when device locked’, ‘Block all connections when DNS is bypassed’, ‘Block apps not in use (foreground)’ etc.
As for ‘whitelisting’/‘allowlisting’ an app from both DNS+Firewall, that requires considerable work which is already underway (Per-app DNS · Issue #270 · celzero/rethink-app · GitHub). The long story short of this feature is, Android makes all DNS queries on behalf of apps, and so it is not possible to know which DNS queries belong to which app. Of course, rough heuristics could be used, but when those break, they cause a lot of confusion (a rough heuristic is what NetGuard uses; it works well in 99% of the cases, but that 1% remains unfixable unless that heuristic is abandoned for a newer one, but then that newer one would work in some cases and won’t in others).
RethinkDNS didn’t do anything that NetGuard or Karma Firewall can’t do. On the contrary, it was less functional.
I have never used Karma, but have used NetGuard briefly before giving up on it. There’s a bunch of things NetGuard can’t do that RethinkDNS can, but I think those features don’t matter to you, personally. So, your assessment is valid in that context.
Those phones too use pretty much the same hardware.
You mean PINE64, Fairphone, and Librem? I thought those were open firmware?