GrapheneOS (grapheneos@grapheneos.social)'s status on Saturday, 07-Jun-2025 02:18:40 JST
@luc If you want privacy, you need to focus on what you share with apps and services, not which IP addresses or DNS names can be used. That isn't going to provide real privacy protection, it's just a best effort way to eliminate some things which are easy to cut out without losing functionality. The idea that it provides substantial/fundamental privacy protections is wrong. Features like our Contact Scopes, Storage Scopes, Sensors toggle and standard Android privacy features are what you need.

GrapheneOS (grapheneos@grapheneos.social)'s status on Saturday, 07-Jun-2025 02:18:41 JST
@luc You can use RethinkDNS on GrapheneOS for filtering DNS in combination with using a WireGuard VPN or multiple chained WireGuard VPNs. However, just be aware that the privacy benefits from filtering DNS or IP-based filtering are limited. You're limited to blocking things not required for apps to function, i.e. you cannot block the core privacy invasive behavior of apps and how they share with third parties from their services, including long after the fact based on the data they gathered.
GrapheneOS (grapheneos@grapheneos.social)'s status on Saturday, 07-Jun-2025 02:18:42 JST
@luc Many people wrongly believe they can prevent sharing with third parties through filtering on the client side. That won't work if you're letting them connect to anything else, especially their own services directly.
There are also many apps using DNS itself as a 2-way communication system. DNS resolution itself allows communicating with the nameservers for a service through your DNS resolver server. It's a full-blown 2-way communication system. They can include a random value to bypass caching.
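The two-way channel described in the post above, as an added illustration that is not GrapheneOS code and not from anyone in this thread. It simulates, entirely offline, an app encoding data into query labels under its own first-party zone, a caching resolver that forwards them, and the app's authoritative nameserver answering with a 4-byte value in an A record. The zone names, the blocklist entry and the payloads are all constructed for the example; the random nonce label is what keeps the resolver from serving a cached answer, so every query reaches the app's server.

```python
"""DNS queries as a two-way channel between an app and its own nameserver.

Added example, not from GrapheneOS or the thread. All names and payloads
below are constructed for illustration.
"""
import base64
import secrets
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical first-party zone the app needs anyway; a blocklist cannot
# drop it without breaking the app.
APP_ZONE = "api.example"
# Hypothetical third-party tracker a typical blocklist would contain.
BLOCKLIST = {"tracker.example"}

MAX_LABEL = 63  # DNS label length limit


def encode_query(payload: bytes, zone: str = APP_ZONE,
                 nonce: Optional[str] = None) -> str:
    """Client side: pack bytes into base32 labels under the app's zone.

    The nonce label makes each name unique so no resolver cache answers it
    and the authoritative server sees every query (and its data).
    """
    nonce = nonce or secrets.token_hex(4)
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    return ".".join(labels + [nonce, zone])


def decode_query(name: str, zone: str = APP_ZONE) -> bytes:
    """Server side: strip zone and nonce, recover the payload bytes."""
    suffix = "." + zone
    if not name.endswith(suffix):
        raise ValueError("query not under the app zone")
    labels = name[:-len(suffix)].split(".")
    b32 = "".join(labels[:-1]).upper()      # last label is the nonce
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def encode_answer(reply: bytes) -> str:
    """Server -> client: 4 bytes travel back as an IPv4 A record."""
    if len(reply) != 4:
        raise ValueError("an A record carries exactly 4 bytes")
    return ".".join(str(b) for b in reply)


def decode_answer(rdata: str) -> bytes:
    return bytes(int(octet) for octet in rdata.split("."))


class AuthoritativeServer:
    """The app vendor's nameserver: logs uploaded data, returns a command."""

    def __init__(self) -> None:
        self.received: List[bytes] = []

    def handle(self, name: str) -> str:
        self.received.append(decode_query(name))
        return encode_answer(b"\x01\x00\x00\x2a")  # constructed control reply


class Resolver:
    """Client-side filtering resolver with a blocklist and a cache."""

    def __init__(self, authoritative: Callable[[str], str],
                 blocklist: set) -> None:
        self.auth = authoritative
        self.blocklist = blocklist
        self.cache: Dict[str, str] = {}
        self.upstream_queries = 0

    def resolve(self, name: str) -> Optional[str]:
        if any(name == d or name.endswith("." + d) for d in self.blocklist):
            return None                          # blocked by list
        if name in self.cache:
            return self.cache[name]              # served from cache, server never sees it
        self.upstream_queries += 1
        rdata = self.auth(name)
        self.cache[name] = rdata
        return rdata


def run_exchange(payloads: List[bytes],
                 nonce: Optional[str] = None) -> Tuple[List[bytes], List[bytes], int]:
    """Send each payload as a query; return what the server saw, the replies
    the client decoded, and how many queries actually reached the server."""
    auth = AuthoritativeServer()
    resolver = Resolver(auth.handle, BLOCKLIST)
    replies = []
    for payload in payloads:
        rdata = resolver.resolve(encode_query(payload, nonce=nonce))
        replies.append(decode_answer(rdata))
    return auth.received, replies, resolver.upstream_queries


if __name__ == "__main__":
    seen, replies, n = run_exchange([b"device-id:1234", b"contacts:42"])
    print("server received:", seen, "replies:", replies, "upstream queries:", n)
```

Running `run_exchange` with a fixed nonce and a repeated payload shows the caching problem the post mentions: the second identical name is answered from the resolver's cache and never reaches the server, which is exactly why a random label is added. The blocklist entry never fires, because every query is under the zone the app legitimately uses.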
GrapheneOS (grapheneos@grapheneos.social)'s status on Saturday, 07-Jun-2025 02:18:43 JST
@luc You do not need app accessible root access to filter DNS requests or network traffic beyond that. However, you are not going to provide any substantial form of privacy through using block lists enumerating badness. Those can only block looking up DNS names which are solely used for unwanted things and not useful things. Services combining those together prevent this from being done, since you aren't going to be using apps if you're blocking the services they use. The approach does not work.
GrapheneOS (grapheneos@grapheneos.social)'s status on Saturday, 07-Jun-2025 02:18:43 JST
@luc Many apps do hard-wire IP addresses as a fallback, such as certain Facebook apps. It may also be the primary way they connect. They can hard-wire DNS-over-HTTPS IPs and use their own DNS resolution for everything else. Even if this wasn't the case, you're not going to be using apps if you've blocked the services they need to function. Unless the apps don't depend on any non-user-selected services, what will be accomplished? They can and do connect to third parties from their servers.