1. 10

In Android 9, Google introduced native DNS-over-TLS support. I wanted to use this for adblocking as I don’t like rooting my phone or using an always-on VPN. So I built this, which uses DNS-over-TLS combined with PiHole - ads and trackers are blocked on the web and in apps!

  2. 3

    That’s pretty nice. The client side depends on Android 9, though, because that’s the only one that will let you set DNS (to a DNS-over-TLS service) without either root or a VPN – and if you have root or are willing to use a VPN, you don’t need this.

    1. 3

      I use NetGuard for this. It’s a non-root local VPN (as in, doesn’t connect to external provider servers) that allows blocking network access per app and also has the option to add systemwide host blocking if installed from GitHub. It’s always-on, but doesn’t use much battery, has support for more Android versions and doesn’t require maintaining a DNS server.

      1. 1

        NetGuard link with video demo. That’s interesting. Thanks for the tip. Can you mix it with Pi-Hole?

        1. 1

          No idea, but I suppose it’s possible. It uses the phone’s normal connection or you can set up a DNS address. It works like a firewall installed as a system VPN to avoid the root requirement.
          If installed from GitHub it has the option to add a hosts blocklist.
          Is it ok to share the project link as a story on lobster?

          1. 1

            Hell yeah, it is! I suggest security, networking, and mobile tags.

      2. 2

        Would it be feasible to add DNS-over-TLS service directly to pihole?

        (haven’t used pihole, but have toyed with the idea, specifically to block ads in Android)

        1. 1

          Is it possible to restrict it so only you can use it? I know people would have to guess the hostname but I’m not sure I’m willing to run a public dns server.

          1. 2

            I can’t think of a way that wouldn’t require a VPN or some other type of private network, but I’m not super familiar with Android’s implementation; there may be a way to validate based on something, but I’m not aware of one.

            The biggest concern for me about a public DNS server is me unwittingly participating in a DDoS attack, but in the case of DoT, a three-way handshake has to be completed first so it shouldn’t be possible for that to happen for a DoT or DoH server.
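
The handshake point in the last comment, as an added example that is not part of the thread: DoT (RFC 7858) carries each DNS message with a two-byte length prefix inside a TLS session over TCP, so a server only parses a query from a stream whose peer address has already completed the handshake, unlike a single UDP datagram. The function and class names and the `example.com` query are constructed for illustration.

```python
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query (RFC 1035); qtype 1 = A, txid is a sample value."""
    # Header: id, flags (RD set), 1 question, 0 answer/authority/additional.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        qname += bytes([len(label)]) + label.encode("ascii")
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def frame(msg: bytes) -> bytes:
    """Add the two-byte big-endian length prefix used on TCP and DoT streams."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for a two-byte length field")
    return struct.pack("!H", len(msg)) + msg

class StreamReassembler:
    """Buffers bytes read from the TLS stream and returns complete DNS messages.

    A read may deliver half a message or several at once, so the receiver
    must honour the length prefix rather than treat each read as one query.
    """
    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, data: bytes) -> list:
        self._buf += data
        messages = []
        while len(self._buf) >= 2:
            (length,) = struct.unpack_from("!H", self._buf, 0)
            if len(self._buf) < 2 + length:
                break  # incomplete message: wait for more bytes
            messages.append(bytes(self._buf[2:2 + length]))
            del self._buf[:2 + length]
        return messages

if __name__ == "__main__":
    wire = frame(build_query("example.com"))
    r = StreamReassembler()
    print(r.feed(wire[:5]), r.feed(wire[5:]))  # nothing until the message is whole
```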