Blokada doesn't DoH or DoT the last time I checked, but they have added a wireguard-based paid VPN service, which is nice.
Intra [0] can DoH (but no on-device custom blocklists) and Nebulo [1] can DoH and DoT (with on-device blocklists). Personally, I see better latencies with DoH.
A paid upgrade to the Play store version lets you filter traffic like adblock, or just use the releases from Github (they allow filtering, but not most pro features)
I use and love Netguard. It's great to see the trackers every app is connecting to but can't see a global option to block a particular domain across the board. I can only block on a case-by-case basis, per app.
Maybe they added this option recently?
It's only in the github version due to play store rules. And it's a global DNS based blacklist.
I wish there were global or group-based IP rules though, since there's no way to whitelist DNS per app or temporarily, without completely turning off filtering.
It's kind of a pain, honestly. Some of the developer's decisions seem pretty arbitrary to me. It's so close to being a must-have app. I wish I had time to get familiar with the code.
That said, it's still my favorite option since losing adhell3 again.
I've only seen across-the-board, though you can allow individual apps to bypass the filter entirely. I think it's just a filter on DNS requests, but for APKs from github:
settings -> backup -> import hosts file
You may also need to enable traffic filtering, I forget. That's at:
Do you have any tips on how to set up NetGuard well? I use an app now called "NoRoot Firewall" that lets me filter on ip address or url and also port, with wildcards. (Ex. *.facebook.com).
I cannot find a way to set up NetGuard since it appears to me that I can only decide on each request, which makes it near impossible to ever whitelist/blacklist something like AWS, which uses an ever rotating number of locations.
Nrf hasn't been updated in a very long time, but as you say you can whitelist/blacklist pretty easily.
Sadly, netguard doesn't have this facility as a global, and only allows it to be done on a clunky, per-app basis. I seem to recall the author not being receptive to the idea.
Everyone should fire up https://mitmproxy.org/ from time to time just to see how chatty your mobile apps can be, phoning home to places like analytics services on every tap and swipe. I was using a translation app on my phone that sent every keystroke to google analytics.
Of course also fun in its own right to see the sorts of APIs an app uses and how often the developers like to query it.
Just the app. I think it's just a testament to how normal and easy tracking/info-collection has become that there's no real downside to doing it everywhere nor pressure to really stop, think, and care.
That you have to go through the trouble of mitm'ing yourself to see this stuff is also the flip side of HN's native app fetishization and knee-jerk web hate.
On iOS I use DNSCloak. It takes some work to set up, like downloading the blocklist from somewhere yourself, but it works. I will try lockdown to see how it compares though. It looks easier.
DNSCloak and Lockdown cannot be enabled at the same time. When I tried it quite some time ago, it was one or the other, which is a bummer if you want to use Lockdown while also choosing specific DNS servers to use. I’m guessing this is due to a limitation imposed by iOS, but have no idea how it can be solved.
> You could always manually enter your DNS servers in your iPhone's settings.
Can you do this for mobile connections? From what I've been able to see, you have to set DNS settings on a per SSID basis, and that particular menu doesn't exist when connected to the cell network instead of wifi.
I haven't checked myself, but I read that it's likely because Instagram may use the same domain to serve ads as its regular content. So, if you block Instagram's domain, you will block Instagram itself.
Is there anywhere with an in-depth overview of what this does? Does it just fail DNS requests and block known IPs? How are the lists maintained and updated? With TLS and it surely not mitm-ing connections, that's all it can do, correct?
It's a start. It's good that it's open source, but that's necessary but not sufficient to establish trust for something which requires such significant privileges.
You also want to be able to know who the authors are, to evaluate them for trustworthiness, and to evaluate their processes to see how well hardened they are against malicious contributions.
It's an app you install on your phone. That app can use any service on the device if system permissions allow it. Also, tracking libraries or spyware can be embedded in the app itself, which could potentially circumvent device security.
The source indicates that they check in DNS blocklists as JSON files [0] and txt files (one of which has Facebook IPv4s) [1]. So, the updates to those would require app updates, I guess, unless there's OTA for the blocklists somewhere in the code that I missed.
My experience with running client-side DNS based blockers is that they consume additional battery and need a lot of RAM if you block with aggressive lists that have more than 1M+ domains. Besides, DNS based blockers can be circumvented by apps that do their own resolution over DoH or use clever techniques like CNAME cloaking [2]. Some nameservers, such as the one run by Cloudflare, flatten the CNAMEs [3], effectively rendering even nextdns' solution ineffective [4].
I must also note that Cloudflare does hide the origin IP if it is set up to reverse-proxy the traffic, which then would render IP based blocklists ineffective, too, unless Cloudflare's IPs are blocked as well.
u/willstrafach's https://guardianapp.com (VPN and ad-blocking), u/poitrus's https://nextdns.io (no VPN but imo the best DNS based content-blocker in the market today), and https://adguard.com (cross platform all-in-one network security suite) are other comparable alternatives.
Disclosure: I run a competing ad-blocking service.
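The CNAME cloaking point above, shown as a small added Python model (not code from any app or service discussed in this thread): a hosts-style blocklist is parsed the way an on-device importer would, then a constructed CNAME chain is checked alias by alias, and the same name is resolved again through a flattened answer to show why flattening defeats that check. All domain names, zone records and the IP address are made-up samples.

```python
# Added illustration of DNS-based blocking versus CNAME cloaking and CNAME
# flattening. Everything here is constructed: the blocklist, the fake zone
# data and the domain names are made-up examples, not real records.

BLOCKLIST_TXT = """\
# hosts-style blocklist (constructed sample)
0.0.0.0 tracker.example-analytics.test
0.0.0.0 ads.example-cdn.test
"""

# Constructed "DNS" data: name -> ("CNAME", target) or ("A", ip).
CLOAKED_ZONE = {
    "metrics.shop.test": ("CNAME", "shop-cdn.example-cdn.test"),
    "shop-cdn.example-cdn.test": ("CNAME", "tracker.example-analytics.test"),
    "tracker.example-analytics.test": ("A", "203.0.113.10"),
}
# Same name after a flattening resolver collapses the chain into one A record.
FLATTENED_ZONE = {"metrics.shop.test": ("A", "203.0.113.10")}


def parse_hosts_blocklist(text):
    """Return the set of domains from a hosts-format list (0.0.0.0 name ...)."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        domains.update(p.lower() for p in parts[1:])  # skip the address column
    return domains

def name_is_listed(name, blocklist):
    """Match the name itself or any parent domain (ads.x.test matches x.test)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def resolve_with_blocking(name, zone, blocklist, max_hops=8):
    """Follow the CNAME chain, checking every alias; return (ip_or_None, blocked_by)."""
    current = name
    for _ in range(max_hops):
        if name_is_listed(current, blocklist):
            return None, current            # a cloaked alias hit the list
        rtype, value = zone.get(current, ("NXDOMAIN", None))
        if rtype == "A":
            return value, None              # clean answer, nothing to block
        if rtype != "CNAME":
            return None, None               # unknown name
        current = value
    return None, None                       # CNAME loop guard
```

With the cloaked chain the tracker alias is caught on the second hop; with the flattened answer the blocker only ever sees `metrics.shop.test` and lets the same IP through.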
> "The folks who build the lockdownhq apps are also the makers of ...[a bunch of other iOS apps]."
are you saying the same group of subcontractors built them all? or that it's the same app repackaged multiple times? or something else?
i use adguard on iOS and while i don't like the first-party exposure (to adguard itself), it's better than being completely naked in public to all sorts of shady actors (including telecom/wireless providers). or is it?
Important to note, our app is a VPN as well. This way, with the bulk of our business logic on the server-side, device battery is saved and we can do real-time block list updates rather than the app needing to pull down a new rule set.
The $1/day / $10/month / $100/year has been fairly well received, but may not be for everyone, especially those who enjoy running their own VPN server and/or curating their own block lists.
$10/GB is pretty much the going rate for a la carte data on all major US carriers. You typically get better rates for your monthly plan but if you go over you're flipped back to the a la carte pricing.
On macOS, we got a port of OpenBSD pf (probably not up to date though). I've been able to convert hosts files to OpenBSD pf format in, when was it, 2002? What you'd need to do is create an anchor. Perhaps there's a GUI for it as well for those who prefer. There's at least pfBlockerNG which basically does that for pfSense. [1] FWIW, all of this existed before Pi-Hole (or Raspberry Pi for that matter). IIRC there was also a converter script for hosts files to iptables rules.
Is it possible to import such rules to Little Snitch? That's the go to firewall on macOS, though it is proprietary. There's also LuLu, a FOSS firewall for macOS. [2]
Now, from my memory, these block lists did cost quite some memory on a machine with 512 MB RAM, even though it'd do dedup. What one could also do is build up a VPN with a remote server (in the cloud, or at home) and use, say, WireGuard to have a secure connection while using a remote DNS on the VPN to get ads blocked.
As a pihole user for years I recently bought a firewalla blue. Installed pihole on the firewalla, turned off firewalla ad blocking, and done.
I can VPN to my home ad blocking network from anywhere, have more insights into my home network shenanigans, and still use my personal block list built over years. Super easy and most importantly, done.
I'm not sure I get it? Why not run OpenVPN on your pihole's RPi, forward the port on your router, bingo-bango-bongo?? What extra are you getting with the firewalla? Is it 'just' ease of administration (which is probably worth the price!)?
Did you research if the Pi could be setup with additional software (apart from pi-hole) to handle all that (or most of what) the Firewalla provides? Seems like that’d be a lot cheaper if one doesn’t need very high network performance.
Firefox Focus does not block ads the same way as Lockdown does. Lockdown uses the [Packet Tunnel Provider](https://developer.apple.com/documentation/networkextension/p...) API which has the added benefit of "protecting" the entire device (not just your browser).
That was my observation too. They’re both classified as the same class of “VPN” services. So you’d have to choose one or the other. Other VPN apps and services, such as ProtonVPN and Guardian Firewall, can be enabled while using 1.1.1.1 or DNSCloak.
There is no uBlock Origin for iOS, and never will be because of Apple’s list based content blocking mechanism where the blocker doesn’t intercept and process requests. It just provides the block list to Safari, which is also the only rendering engine (that can be) used by every browser on iOS.
For an open source app distributed on the App Store, is there actually any way of verifying that what you get on your phone is the same as the source code you can read?
If Apple keeps pushing their Bitcode LLVM IR trans-compiling, along with magic App Store re-linking, they will kill the possibility of reproducible builds forever. In Apple's world, you are supposed to trust their app vetting process, not the source code on some website.
But the ad-blocking vpn server is 127.0.0.1, so perhaps, like it says all the blocking happens right on your phone.
This is what I've been waiting for if this works.
Still getting ads on instagram though.