this post was submitted on 11 Nov 2024
36 points (97.4% liked)

Privacy

31981 readers
309 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

cross-posted from: https://lemmy.world/post/21884908

Is this possible on any modern day phone or tablet? Selfhosting as made me very privacy-consciouss and am concerned about my iphone.

top 12 comments
sorted by: hot top controversial new old
[–] [email protected] 13 points 5 days ago (1 children)

You could set it to use your own DNS server, and have the server block anything not on a whitelist.

[–] [email protected] 5 points 5 days ago* (last edited 5 days ago) (1 children)

If you don’t want to run your own DNS server/Pi-hole, you might consider NextDNS.

Edit to add: A mobile app could theoretically be sneaky and route around your phone’s DNS settings, but I’ve never heard of that actually happening, so it’s not something I’d worry about.

[–] [email protected] 5 points 5 days ago

Actually, there are some apps and even phone level things that do try to call to custom DNS, ignoring all the phone settings, including those defined in the global settings. Termux nslookup is one I can think of at the top of my head that ignores the phone's settings and instead tries to call to Google DNS. I've got DNS default blocked in a custom script for AFWall on my phone, excluding calling my custom DNS, and see the block frequently hit. Just now checking, I see 54 blocks on 8.8.8.8:53, 2 blocks on 1.1.1.1:53, and 16 on "other" port 53 (catch all block).

Think the best solution is either a router firewall setup if always on the wifi, or a phone firewall app that can act as a VPN and just default block everything, or something like that. If rooted, AFWall does wonders.

[–] [email protected] 11 points 5 days ago (1 children)

If you are just looking to repurpose an old device for around the house use and it won't ever be leaving your home network, then the simplest method is to set a static IP address on the device and leave the default gateway empty. That will prevent it from reaching anything other than the local subnet.

If you have multiple subnets that the device needs to access you will need a proper firewall. Make sure that the device has a DHCP reservation or a static IP and then block outgoing traffic to the WAN from that IP while still allowing traffic to your local subnets.

If it is a phone who knows what that modem might be doing if there isn't a hardware switch for it. You can't expect much privacy when that modem is active. But like the other poster mentiond a private DNS server that only has records from your local services would at least prevent apps from reaching out as long as they aren't smart enough to fall back to an IP address if DNS fails.

A VPN for your phone with firewall rules on your router that prevent your VPN clients from reaching the WAN would hopefully prevent any sort of fallback like that.

[–] [email protected] 1 points 15 hours ago

a private DNS server that only has records from your local services would at least prevent apps from reaching out as long as they aren’t smart enough to fall back to an IP address if DNS fails.

Yes, this. It's important that your local DNS server does not even forward queries from the isolated subnet to external DNS, because these queries (and responses) can contain information. ("DNS tunneling").

[–] [email protected] 4 points 4 days ago

I use the parental controls on the router to put the roomba in grounded-child mode.

That said, I'm not actually positive it works... it is able to connect to home assistant, so it definitely has local network connectivity, but I haven't proved to myself that it is actually unable to connect to its remote servers since it isn't really that big of a deal to me.

[–] [email protected] 5 points 5 days ago* (last edited 5 days ago)

If you're running an Android phone, there's RethinkDNS which can block every requests except those explicitly allowed by yourself on the DNS level and firewall your traffic based on your rules.

It's very customizable but It's not that easy to get it right. You can even hook up your own wireguard tunnel and add block lists similar to uBlock.

If you want to dig deeper into the DNS blocking you can have a look at PCAPdroid which allows you to peek into wich app does what on the DNS level. While it works without rooting your phone, if you want to use it in combination with your VPN, you need root access.

[–] [email protected] 5 points 5 days ago

Yes, you need a firewall. Deny traffic to the internet, permit to your self hosted resources. If you intent to take this phone out of the house, you can configure always on VPN with tasker and wire guard.

[–] [email protected] 4 points 5 days ago (1 children)

I have a DNS server running for my home lab with conditional forwarding from pihole. Then i only pass the internal DNS to a WLAN that doesn't need external access (locally controlled IoT devices for example).

[–] [email protected] 2 points 5 days ago (1 children)

So some WLAN devices just can't make any DNS requests that are outside your LAN, correct? But what if they use a hardcoded ip, wouldn't that circumvent everything?

[–] [email protected] 3 points 5 days ago* (last edited 5 days ago)

Port 53 going to the internal dns? Nope? Drop! Same rule you would use everywhere else to push all dns to your preferred dns server.

Static routes are also a great way but I'm not familiar enough with your setup or static routes to explain. Pihole can also have groups which can apply different rules, lists etc.

[–] [email protected] 1 points 5 days ago

Use a static route.