🆕 Software Suggestion | Nebulo #1187

Closed
opened 2019-08-20 13:02:13 +00:00 by Mikaela · 10 comments
Mikaela commented 2019-08-20 13:02:13 +00:00 (Migrated from github.com)

Basic Information

Name: Nebulo
Category: DNS: Additional information & worth mentioning (alternatively Android addons)
URL: https://git.frostnerd.com/PublicAndroidApps/smokescreen

Description

Nebulo is a DoT & DoH app with a better privacy policy than Intra (https://github.com/privacytoolsIO/privacytools.io/issues/1069). It's suggested by dnswarden.com and has been talked about in team chats.

First impression: The author is aware of usability issues or first-run confusion and it seems solid (not being a coder) and the issues I opened or commented to aren't some that many would think about. Issue tracker link: https://git.frostnerd.com/PublicAndroidApps/smokescreen/issues

The only issue I can see is that they are planning to add an option requiring root (https://git.frostnerd.com/PublicAndroidApps/smokescreen/issues/113), which we are against as per https://github.com/privacytoolsIO/privacytools.io/issues/1124.
beerisgood commented 2019-08-20 13:53:39 +00:00 (Migrated from github.com)

And why not just use the Android internal DoT feature?

nitrohorse commented 2019-08-20 14:26:17 +00:00 (Migrated from github.com)

Hmm, I’m wondering if this is potentially more reliable than the native Android DoT client which Quad9 gives a warning about (https://www.quad9.net/private-dns-quad9-android9/)?

> ...You may find that not 100% of your queries are protected with Private DNS in this version of Android. There are some queries that may “leak” through after your device wakes from sleep mode for about 30 seconds, as well as some cases that we’ve observed where the encryption isn’t stable in this release, which means downgrading back to standard unencrypted DNS without notice to the user. Remember this is the first implementation of this feature for Android, and we assume that like all first releases multiple iterations will occur.
Mikaela commented 2019-08-20 14:57:08 +00:00 (Migrated from github.com)

> And why not just use the Android internal DoT feature?

I would say use both, because Android's internal DoT is port 853 (I have no idea if you can point it to some other port and if so, how?) and port 853 can be blocked by e.g. public WLANs where I think it would be the most useful and AFAIK at least Helsinki metro and Helsinki libraries are blocking it while DoH on port 443 works fine (at least when it's given an IP address directly that doesn't require a DNS lookup).

See also: DNS server suggestion: include DNS server address also by IP address (https://git.frostnerd.com/PublicAndroidApps/smokescreen/issues/154)

Another thing is Android's fragmentation, I imagine the majority of users are not on Android 9+ on Google Pixel or Android One device currently leaving them outside of DoH/DoT, there are only proprietary provider specific apps (and Intra).

Your question also prompts me to wonder why should Blokada and similar apps bother supporting DoT/DoH at all, while everyone can set up their own DNS-over-TLS servers with the blocklists they want? (Sorry, this is a nasty comment, and I should instead just say that we already list it.)

> Hmm, I’m wondering if this is potentially more reliable than the native Android DoT client which Quad9 gives a warning about?

I am not sure and would be uncomfortable advertising it as such. However Android would provide always-on-VPN, but there is still the question what happens while it's starting, and block-connections-without-VPN cannot be used outside of 1.1.1.1's full proxying mode as far as I am aware of.
nitrohorse commented 2019-08-20 15:02:09 +00:00 (Migrated from github.com)

Hmm, good points.

> ...while everyone can set up their own DNS-over-TLS servers with the blocklists they want?

I don’t think that’s particularly straightforward and easy to set up for most users though, which is why having that configured already by an external app can be really helpful. 🤔
Mikaela commented 2019-08-20 15:07:38 +00:00 (Migrated from github.com)

I agree.

> And the golden option of hosting your own DNS. (It’s actually easy with Unbound, I haven’t tried DoH/DoT hosting though!)
>
> Hosting where?
> Hosting with what money?
> On my laptop? What about when it goes down?
> On three of my active devices separately? I don’t think the root nameserver admins would be very happy if everyone did that.
> On my VPS? What if it went down due to being so cheap? What to say when my family called that “the internet is broken”? How to provide the additional line of defence against malware and phishing as well as Quad9 does it with all their information sources and partners?
>
> To me Quad9 seems the least bad (or the least scary?) option with all these things considered, but some other provider may seem better to you.

* https://mikaela.info/blog/english/2019/07/11/android-private-dns-in-practice.html
beerisgood commented 2019-08-20 17:08:41 +00:00 (Migrated from github.com)

> Your question also prompts me to wonder why should Blokada and similar apps bother supporting DoT/DoH at all, while everyone can set up their own DNS-over-TLS servers with the blocklists they want? (Sorry, this is a nasty comment, and I should instead just say that we already list it.)

Cause currently using both isn't possible. That's why Blokada needs to implement it / or make it compatible with the Android internal feature.
Ch4t4r commented 2019-08-21 06:18:32 +00:00 (Migrated from github.com)

I'm the author of the app.

The feature which would require root is currently halted as the amount of users requesting it isn't particularly big and implementing it properly is hard. It would be entirely optional, but I get your concerns.

Android 9 offers DoT natively, but has no DoH equivalent. In my experience DoH seems to be faster, even if DoT has to transfer less data - but DoT is better for privacy. Additionally to that the app offers a lot of extra functionality (query logging, rule based host blocking, cache control, ...) missing from private DNS. As Android 9 is only running on ~10% of devices (https://developer.android.com/about/dashboards) as of May, the main benefit is the backporting of DoT to devices down to Android 5.0.

Correct me if I'm wrong, but except for a handful of features Nebulo offers all functionality Blokada has. You can block ads by importing DNS rules from host lists, you can blacklist/whitelist apps, you can configure a lot about the app and how it handles stuff. It isn't themed as an AdBlocker though because it is mainly distributed over the Play Store. I have an F-Droid repo as well though (https://git.frostnerd.com/PublicAndroidApps/smokescreen#f-droid), which contains ad-blocking DNS servers and ad-blocking host lists by default.
Mikaela commented 2019-08-21 09:29:17 +00:00 (Migrated from github.com)

What makes DoT better for privacy? I do recognise that being not-that-easily-blockable doesn't mean it's private.

Ch4t4r commented 2019-08-21 09:40:03 +00:00 (Migrated from github.com)

DoH sends metadata along with the request. Nebulo doesn't pass any extra data, but some is sent by default. This metadata might contain some additional data about the system - nothing particularly bad but still. DoT is just a plain TLS connection without the added overhead of HTTP.
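To make the transport difference Ch4t4r describes (DoT as a bare length-prefixed TLS stream, DoH as an HTTP request that carries headers such as a User-Agent) and Mikaela's earlier port 853 versus 443 point concrete, here is an added example; it is not code from this thread or from Nebulo. It builds one DNS query and frames it both ways per RFC 7858 and RFC 8484; the `doh.example.invalid` host and the `constructed-client/1.0` User-Agent are constructed placeholders.

```python
"""Added example (not from the issue thread or the Nebulo app): the same DNS
query framed as a DoT client and as a DoH client would send it, to show what
each transport adds around the DNS message before TLS wraps it."""
import base64
import struct
from typing import Optional


def build_dns_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """Encode a minimal DNS query in RFC 1035 wire format (RD set, one question,
    class IN). ID 0 is what RFC 8484 suggests for DoH GET so the URL is cacheable."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def dot_frame(query: bytes) -> bytes:
    """DoT (RFC 7858, port 853) is DNS-over-TCP inside TLS: a two-byte
    big-endian length prefix followed by the message. Nothing else is added."""
    return struct.pack("!H", len(query)) + query


def doh_dns_param(query: bytes) -> str:
    """The dns= query parameter of a DoH GET: unpadded base64url (RFC 8484 section 4.1)."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def doh_get_request(query: bytes, host: str, user_agent: Optional[str] = None) -> str:
    """DoH (RFC 8484, port 443) wraps the message in an HTTP request. The request
    head is where a client's HTTP stack may add metadata such as a User-Agent;
    `host` and `user_agent` are constructed placeholders, not real endpoints."""
    lines = [
        f"GET /dns-query?dns={doh_dns_param(query)} HTTP/1.1",
        f"Host: {host}",
        "Accept: application/dns-message",
    ]
    if user_agent:
        lines.append(f"User-Agent: {user_agent}")
    return "\r\n".join(lines) + "\r\n\r\n"


def doh_param_to_wire(param: str) -> bytes:
    """Server-side inverse: restore base64 padding and decode dns= back to wire bytes."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def transport_overhead(query: bytes, host: str, user_agent: Optional[str]) -> dict:
    """Bytes each transport sends beyond the DNS message itself (before TLS)."""
    doh = doh_get_request(query, host, user_agent).encode("ascii")
    return {
        "dot_bytes_beyond_query": len(dot_frame(query)) - len(query),
        "doh_bytes_beyond_query": len(doh) - len(query),
    }


if __name__ == "__main__":
    q = build_dns_query("www.example.com")  # constructed sample lookup
    print("DoT frame :", dot_frame(q).hex())
    print("DoH GET   :", doh_get_request(q, "doh.example.invalid", "constructed-client/1.0"))
    print(transport_overhead(q, "doh.example.invalid", "constructed-client/1.0"))
```

The `www.example.com` query produces exactly the `dns=` value RFC 8484 uses in its own GET example, which is a handy check that the encoder is right. The `transport_overhead` numbers show where the "extra data" in the DoH case lives: the DNS message is identical, and everything beyond the two-byte DoT prefix is the HTTP request head that the client's HTTP library controls.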
Mikaela commented 2019-08-21 09:58:14 +00:00 (Migrated from github.com)

Thanks 👍

@nitrohorse Do you think this would be something worth noting (or opening an issue about) in the terms section? I imagine the metadata would be at least user-agent, which can be quite leaky with Android (even if I have no idea what Intra does), and in Finland we have this mobiilimaksut thing (I am not entirely sure if this English text from the same blog is on the same subject as it has been a long time since I read it, but I wonder if it would still apply to DoH, but it could probably theoretically also apply to DoT and the general advice is to disable mobile payments).

https://plok1.blogspot.com/2014/10/identifying-mobile-network-users.html
Reference: privacyguides/privacytools.io#1187