by U8dcN7vx 1946 days ago
The largest annoyance with app based solutions is they don't work if you need to run a VPN at the same time, since they all depend on the Android VPN API to force all traffic to go through their program. Setting a custom DNS resolver often requires the same, an app acting as a VPN provider so it can assert the DNS servers that must be used. PiHole is slightly easier in that it asserts the resolver to use via DHCP, which Android mostly obeys, but having an app enforce that can be a safety net. So since the not-really-a-VPN app can't coexist with another actually-a-VPN app, if I connect to work and work doesn't have the same notions about what should be blocked, I start to leak/see what I hoped to avoid. Not always terrible but also not what some might hope for. Some of these apps will chain via SOCKS v5, though too many won't work unless they are not the start of the chain; worse, some things don't at all, e.g., Cisco AnyConnect certainly isn't willing to be a SOCKS server, nor a SOCKS client, so it can't be the beginning, ending or in a chain.
6 comments

Yeah, this is a problem but not one without a solution (unless Android bundles in a built-in Firewall API that other apps could use [0]): RethinkDNS already supports chaining via SOCKS5, and it would also soon support connections to/from WireGuard endpoints: https://github.com/celzero/rethink-app/issues/52

And since RethinkDNS' underlying tunnel implementation is in Go, I'm fully expecting wireguard-go to fit in seamlessly.

[0] https://www.xda-developers.com/google-restricted-networking-...

This is how I enforce my private DNS on my Android devices. I just wireguard my Android devices up to a PiHole device. Works everywhere I take my Android devices, so I get all the benefits of my home network anywhere I go. :)
> soon support connections to/from WireGuard endpoints

+1

I use AFWall+ which works directly on the iptables and not as a VPN. It can coexist with a VPN. It does require root though.

https://play.google.com/store/apps/details?id=dev.ukanth.ufi...

This app is why I root my phones.
The best workaround on recent Android versions (although I agree on the limitations being quite annoying) is to (ab)use the private DNS feature for this - it lets you set a custom DNS server that is used for both WiFi and cellular data.

Same is now available on iOS 14.4(?), via a mobileconfig plist/XML file.

Either use an existing public ad/tracker blocking DNS over (HTTPS, TLS) server, or host your own and enter the hostname there.

If you go down the hosting your own route, you can have a rather neat setup for managing and blocking things via a web browser - it is quite nice to be able to log in and control what's blocked.

Note - if you run an open resolver DNS server on the public internet, usual caveats apply about knowing what you are doing. You don't need to expose port 53 (UDP DNS) if you're using DoT or DoH, which should help.

It's possible to change the DNS server on Android without a VPN or app since Android 9 Pie. You can set a custom DoH or traditional DNS server system wide from the connection settings.
This is why these services should be offered by actual VPN providers.
Android has DoT support, so you could set up adblocking there.
There's a lot you could do with RethinkDNS that you can't with DoT (Private DNS) on Android 9+.

RethinkDNS can:

1. Prevent apps from doing their own DNS. Android's DoT can't do that.

2. Block TCP/UDP connections to IPs per-app.

3. Block all connections when the device is locked.

4. Block connections from any app not in the foreground.

5. Forward DNS queries to DNSCrypt v3 endpoints (supports Anonymized Relays) or Tor (via Orbot).

6. Forward all connections over Tor (via Orbot).