🆕 Software Suggestion | Nebulo #1187
Reference: privacyguides/privacytools.io#1187
Basic Information
Name: Nebulo
Category: DNS: Additional information & worth mentioning (alternatively Android addons)
URL: https://git.frostnerd.com/PublicAndroidApps/smokescreen
Description
Nebulo is a DoT & DoH app with a better privacy policy than Intra (https://github.com/privacytoolsIO/privacytools.io/issues/1069). It's suggested by dnswarden.com and has been talked about in team chats.
First impression: The author is aware of usability issues or first-run confusion and it seems solid (not being a coder) and the issues I opened or commented to aren't some that many would think about. Issue tracker link.
The only issue I can see is that they are planning to add an option requiring root which we are against as per https://github.com/privacytoolsIO/privacytools.io/issues/1124.
And why not just use the Android internal DoT feature?
Hmm, I’m wondering if this is potentially more reliable than the native Android DoT client which Quad9 gives a warning about?
I would say use both, because Android's internal DoT is port 853 (I have no idea if you can point it to some other port and if so, how?) and port 853 can be blocked by e.g. public WLANs where I think it would be the most useful and AFAIK at least Helsinki metro and Helsinki libraries are blocking it while DoH on port 443 works fine (at least when it's given an IP address directly that doesn't require a DNS lookup).
See also: DNS server suggestion: include DNS server address also by IP address
Another thing is Android's fragmentation, I imagine the majority of users are not on Android 9+ on Google Pixel or Android One device currently leaving them outside of DoH/DoT, there are only proprietary provider specific apps (and Intra).
Your question also prompts me to wonder why should Blokada and similar apps bother supporting DoT/DoH at all, while everyone can set up their own DNS-over-TLS servers with the blocklists they want? (Sorry, this is a nasty comment, and I should instead just say that we already list it.)
I am not sure and would be uncomfortable advertising it as such. However Android would provide always-on-VPN, but there is still the question what happens while it's starting and block-connections-without-VPN cannot be used outside of 1.1.1.1's full proxying mode as far as I am aware of.
Hmm, good points.
I don’t think that’s particularly straightforward and easy to set up for most users though which is why having that configured already by an external app can be really helpful. 🤔
I agree.
Cause currently using both isn't possible. That's why Blokada needs to implement it / or make it compatible with the Android internal feature.
I'm the author of the app.
The feature which would require root is currently halted as the amount of users requesting it isn't particularly big and implementing it properly is hard. It would be entirely optional, but I get your concerns.
Android 9 offers DoT natively, but has no DoH equivalent. In my experience DoH seems to be faster, even if DoT has to transfer less data - but DoT is better for privacy. Additionally to that the app offers a lot of extra functionality (query logging, rule based host blocking, cache control, ...) missing from private DNS. As Android 9 is only running on ~10% of devices as of May the main benefit is the backporting of DoT to devices up to Android 5.0.
Correct me if I'm wrong, but except for a handful of features Nebulo offers all functionality Blokada has. You can block ads by importing DNS rules from host lists, you can blacklist/whitelist apps, you can configure a lot about the app and how it handles stuff. It isn't themed as an AdBlocker though because it is mainly distributed over the Play Store. I have a F-Droid repo as well though (which contains ad-blocking DNS servers and ad-blocking host lists by default).
What makes DoT better for privacy? I do recognise that being not-that-easily-blockable doesn't mean it's private.
DoH sends metadata along with the request. Nebulo doesn't pass any extra data, but some is sent by default. This metadata might contain some additional data about the system - nothing particularly bad but still. DoT is just a plain TLS connection without the added overhead of HTTP.
Thanks 👍
@nitrohorse Do you think this would be something worth noting (or opening an issue about) in the terms section? I imagine the metadata would be at least user-agent which can be quite leaky with Android (even if I have no idea what Intra does) and in Finland we have this mobiilimaksut thing (I am not entirely sure if this English text from the same blog is on the same subject as it has been a long time since I read it, but I wonder if it would still apply to DoH, but it could probably theoretically also apply to DoT and the general advice is to disable mobile payments).
https://plok1.blogspot.com/2014/10/identifying-mobile-network-users.html
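The DoT versus DoH metadata point discussed in this thread, as an added example that is not part of the original issue and is not Nebulo's code: it builds one DNS query and wraps it the way DoT (RFC 7858, a 2-byte length prefix inside TLS) and DoH (RFC 8484, an HTTP POST) carry it, then lists the headers the resolver sees beyond the query itself. The host `dns.example`, the path and the client default headers are constructed placeholders, and the request is rendered as HTTP/1.1 text only for readability.

```python
import struct

# Constructed sample of headers an HTTP client library might add by default.
CONSTRUCTED_CLIENT_DEFAULTS = {
    "User-Agent": "ExampleHttpClient/1.0 (Linux; Android 9; ExampleDevice)",
    "Accept-Language": "fi-FI",
}
# Headers a DoH POST needs to function at all.
REQUIRED = {"host", "content-type", "accept", "content-length"}

def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """DNS wire-format query (RFC 1035); RFC 8484 suggests ID 0 for DoH."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b""
    for label in name.rstrip(".").split("."):
        qname += bytes([len(label)]) + label.encode("ascii")
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def dot_frame(query: bytes) -> bytes:
    """DoT payload inside the TLS stream: length prefix plus the DNS message."""
    return struct.pack("!H", len(query)) + query

def doh_request(query: bytes, host: str, path: str, client_defaults: dict) -> bytes:
    """DoH POST: the same DNS message, plus whatever headers the client sends."""
    headers = {
        "Host": host,
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
        "Content-Length": str(len(query)),
    }
    headers.update(client_defaults)
    lines = [f"POST {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + query

def extra_metadata(request: bytes) -> dict:
    """Headers the resolver receives that are not needed to answer the query."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("ascii")
    pairs = (line.split(": ", 1) for line in head.split("\r\n")[1:])
    return {k: v for k, v in pairs if k.lower() not in REQUIRED}

if __name__ == "__main__":
    q = build_query("example.com")
    print("DoT bytes beyond the query:", len(dot_frame(q)) - len(q))
    req = doh_request(q, "dns.example", "/dns-query", CONSTRUCTED_CLIENT_DEFAULTS)
    print("DoH bytes beyond the query:", len(req) - len(q))
    print("DoH extra metadata:", extra_metadata(req))
```

A client that strips its default headers, as the author says Nebulo does, leaves `extra_metadata` empty; the HTTP framing overhead remains either way.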