Most people are not aware of what DNS is or what it does. The Domain Name System (DNS) is one of the foundations of the internet, yet most people outside of networking probably don't realize they use it every day to do their jobs, check their email or waste time on their smartphones.
At its most basic, DNS is a directory of names that match with numbers. The numbers, in this case, are IP addresses, which computers use to communicate with each other. Most descriptions of DNS use the analogy of a phone book, which is fine for people over the age of 30 who know what a phone book is. OK, but why are we bothering with DNS?
The central issue is that most people do not appreciate that DNS providers (your own ISP, Google, Cloudflare etc.) can see everything you do on the internet. Worse, they can then share, modify, or intercept and replace your requests any way they want. Your connection might slow down when you watch too many videos via your ISP; ever wonder why?
Google DNS servers, which are standard on most Android phones, are recording what you do and as such Google should not be a choice when it comes to privacy.
So what can you do to make your internet experience more private, maybe even faster, and best of all lock out some of the bad websites at the DNS level? You could run your very own resolver, but let's do this the easiest possible way. After all, we did promise to give the non-tech-savvy among us access to this actionable information.
Note! This will not hide your IP or make you untraceable. This is not a VPN or Tor! However, it will prevent DNS hijacking and make your DNS requests harder for third parties to eavesdrop on and tamper with.
The first approach is so easy that anyone, even the person who only knows how to make a phone call, can adopt it. Well, maybe not, but it is dead simple.
On iOS, select a DNS provider you trust, perhaps AdGuard, dismail or dnsforge, click "install profile" and install it. After you've installed the profile, jump over to:
Settings → General → VPN and Network → DNS
and select the newly installed profile as your DNS.
Wasn't that simple? You now have not only encrypted DNS, but also an ad and malware blocker (depending on the DNS provider you've selected).
On Android, jump to:
Settings → Network & Internet → Private DNS → Private DNS provider hostname
Again, you can use any of the DNS providers you trust. Some good choices could include:
doh.mullvad.net
dnsforge.de
dot-ch.blahdns.com
dot.libredns.gr
For Android, DeCloudUs is also an excellent solution to block nearly all Google domains. It's a really hardcore solution with a simple execution.
This easy solution is a great fit for most people: you regain a hell of a lot of your privacy and can even run some VPN services next to this setup if you'd like to. This only works on Android, though; on iOS, switching on a VPN service would override the DNS!
The second approach is not super complicated, but gives you more options to block ads and malware. Here I would look at NextDNS, with an account attached. This means you sign up on NextDNS, select the servers and services you want to block, and then enter the hostname or download the profile as you would have done with the easy approach.
The beauty of this setup is that you can block, deny and whitelist domains as you go. You have a login on NextDNS and can see statistics on what you have blocked etc.
I am a big fan of NextDNS and think this approach is perfect for most users. You can achieve an almost perfect setup this way.
The third approach is where you combine a firewall and DNS in one app.
Remember, this is not about firewalls, but about DNS combined with firewalls. So, I am not putting up the usual suspects when it comes to great firewalls here.
On iOS, you have many great ad blockers, but only one that is easy to use, gives you a great user experience and combines this with DNS control: choose AdGuard Pro. Here you can add a DNS and select block lists on the device. You can also select ads or objects on websites (within Safari) and block them permanently for your next visits. AdGuard Pro also allows blocking ads on YouTube as long as you use the Safari browser and not the YouTube app. This is, however, a paid app!
AdGuard Pro also allows combining the VPN service they are offering with the AdGuard DNS and blocklist app. Note that both of those services are paid services. However, when it comes to iOS, it is probably your very best option if you'd like to combine VPN and blocklists.
Of course, some VPN providers like iVPN, ProtonVPN and Mullvad now have these blocking services in their VPN apps.
https://adguard.com/en/adguard-ios-pro/overview.html
You have other options on iOS like DNSCloak, but it takes way more effort and a steep learning curve to get it as good as AdGuard Pro is.
Once again, you have better and easier options on Android. RethinkDNS, for example, can combine your favorite DNS service with a full-blown firewall. Here you can also block all internet access for system apps, but always download a local version of the block lists.
AdGuard has the same functions as RethinkDNS and allows you to block and add domains to your local blocklist with just one click.
Both of those firewall apps let you add a DNS provider, so you really can combine a firewall and a DNS and a local blocklist in one app.
Even though this sounds like the best approach, it does have one drawback. Both of those apps take the VPN slot, which means you can't combine a VPN with your DNS firewall. A great way around this is using Tor, which is a built-in option on RethinkDNS, and the app guides you on how to make that happen. On AdGuard, you can combine it with the VPN from AdGuard itself, but that's another paid service.
I'd also like to note that if you'd like to use AdGuard's system-wide protection, it lets you download a trust certificate, which is what lets the app inspect your HTTPS traffic to filter it. Not an approach I am a fan of, yet you either trust AdGuard or you don't.
Just as with iOS, you could use iVPN, ProtonVPN or Mullvad, which all have blocklists in their apps. However, with a VPN approach you also assign trust to a 'middle man', which can log your DNS. Then again, so could every DNS provider! The chances here are way slimmer, so I would recommend everyone use DNS protection.
Regardless of what you do, whether you are a GrapheneOS user or just a simple user of a Samsung or an iPhone, there is hope when it comes to privacy, so consider any of the 3 options I've mentioned to get you back to an excellent privacy setup.
You don't need to be totally paranoid to make this selection on your phone just to be private, but you absolutely should, and that's surely the best approach, because every little step counts...