cross-posted from: https://lemmy.world/post/21884908
Is this possible on any modern day phone or tablet? Selfhosting as made me very privacy-consciouss and am concerned about my iphone.
You could set it to use your own DNS server, and have the server block anything not on a whitelist.
Actually, there are some apps and even phone level things that do try to call to custom DNS, ignoring all the phone settings, including those defined in the global settings. Termux nslookup is one I can think of at the top of my head that ignores the phone’s settings and instead tries to call to Google DNS. I’ve got DNS default blocked in a custom script for AFWall on my phone, excluding calling my custom DNS, and see the block frequently hit. Just now checking, I see 54 blocks on 8.8.8.8:53, 2 blocks on 1.1.1.1:53, and 16 on “other” port 53 (catch all block).
Think the best solution is either a router firewall setup if always on the wifi, or a phone firewall app that can act as a VPN and just default block everything, or something like that. If rooted, AFWall does wonders.
If you are just looking to repurpose an old device for around the house use and it won’t ever be leaving your home network, then the simplest method is to set a static IP address on the device and leave the default gateway empty. That will prevent it from reaching anything other than the local subnet.
If you have multiple subnets that the device needs to access you will need a proper firewall. Make sure that the device has a DHCP reservation or a static IP and then block outgoing traffic to the WAN from that IP while still allowing traffic to your local subnets.
If it is a phone who knows what that modem might be doing if there isn’t a hardware switch for it. You can’t expect much privacy when that modem is active. But like the other poster mentiond a private DNS server that only has records from your local services would at least prevent apps from reaching out as long as they aren’t smart enough to fall back to an IP address if DNS fails.
A VPN for your phone with firewall rules on your router that prevent your VPN clients from reaching the WAN would hopefully prevent any sort of fallback like that.
a private DNS server that only has records from your local services would at least prevent apps from reaching out as long as they aren’t smart enough to fall back to an IP address if DNS fails.
Yes, this. It’s important that your local DNS server does not even forward queries from the isolated subnet to external DNS, because these queries (and responses) can contain information. (“DNS tunneling”).
If you’re running an Android phone, there’s RethinkDNS which can block every requests except those explicitly allowed by yourself on the DNS level and firewall your traffic based on your rules.
It’s very customizable but It’s not that easy to get it right. You can even hook up your own wireguard tunnel and add block lists similar to uBlock.
If you want to dig deeper into the DNS blocking you can have a look at PCAPdroid which allows you to peek into wich app does what on the DNS level. While it works without rooting your phone, if you want to use it in combination with your VPN, you need root access.
Use a static route.
I have a DNS server running for my home lab with conditional forwarding from pihole. Then i only pass the internal DNS to a WLAN that doesn’t need external access (locally controlled IoT devices for example).