Someone else posted that this isn't a feature they would look for in a VPN, and I'd mostly agree except for one big problem: VPNs are the only way to effectively block things in iOS and (un-rooted) Android, and you can only have one VPN active at a time. This means that you have to choose between either having a proper VPN connected or a fake one to block content you don't like. Mullvad's ads, trackers and malware blocking DNS has been awesome when I'm on my iPhone and don't want to deal with ads in apps. I'm sure some other people who have dependence issues with gambling or adult content would appreciate being able to use their preferred VPN while also blocking content.
On iOS you can install a configuration profile that sets up a DNS-over-HTTPS endpoint without touching the VPN settings. NextDNS does this when you install their app from what I remember. For other examples, see the profiles offered by AhaDNS.com[0].
On Android there is a Private DNS option where you can also set up a DNS-over-HTTPS endpoint of your choice.
These options may also be a better choice for battery life than a fake VPN connection.
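An added example (not code from the thread, from NextDNS or from AhaDNS) of what such a profile contains: a `.mobileconfig` is an XML plist, and the managed DNS payload type is `com.apple.dnsSettings.managed`. The script builds one with Python's standard `plistlib` and parses it back so you can inspect a profile someone hands you before installing it. The resolver URL, bootstrap addresses and reverse-DNS identifiers are placeholders, not a real provider's.

```python
"""Build an iOS/macOS configuration profile that pins a DNS-over-HTTPS resolver.

Added example, not from the thread. The resolver URL, the bootstrap addresses
(documentation ranges) and the payload identifiers are placeholders (assumptions).
"""
import plistlib
import uuid

DOH_URL = "https://doh.example.invalid/dns-query"      # placeholder resolver
BOOTSTRAP_IPS = ["192.0.2.53", "2001:db8::53"]          # placeholder addresses


def build_doh_profile(server_url: str, bootstrap_ips: list[str],
                      identifier: str = "invalid.example.doh",
                      lock: bool = True) -> bytes:
    """Return a .mobileconfig (XML plist) carrying one com.apple.dnsSettings.managed payload.

    lock=True sets ProhibitDisablement, which is meant to stop the user from
    toggling the resolver off in Settings while the profile is installed.
    """
    dns_payload = {
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.dns",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Encrypted DNS (DoH)",
        "DNSSettings": {
            "DNSProtocol": "HTTPS",
            "ServerURL": server_url,
            # Bootstrap addresses: how the device reaches the resolver before it can resolve the URL's hostname.
            "ServerAddresses": bootstrap_ips,
        },
        "ProhibitDisablement": lock,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "DoH resolver",
        "PayloadContent": [dns_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def doh_settings_from_profile(data: bytes) -> dict:
    """Parse a profile and return its DNSSettings; raises if it has no managed DNS payload.

    Useful for checking a third-party profile: it should contain exactly this
    payload type and nothing else (no certificates, no proxies, no VPN).
    """
    prof = plistlib.loads(data)
    for payload in prof.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.dnsSettings.managed":
            return payload["DNSSettings"]
    raise ValueError("no com.apple.dnsSettings.managed payload in profile")


if __name__ == "__main__":
    blob = build_doh_profile(DOH_URL, BOOTSTRAP_IPS)
    with open("doh.mobileconfig", "wb") as fh:
        fh.write(blob)
    print(doh_settings_from_profile(blob))
```

The output is unsigned, so Settings will show it as not verified; signing is a separate step. Note the point made further down the thread: once a VPN is up, its own DNS configuration normally takes over, so a profile like this is for the no-VPN case.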
The android setting wherein you can input a standard DNS-over-HTTPS endpoint is sensible and sane.
Is it, in fact, correct that there is no such setting in iOS and it has to be app-enabled? Or are you saying I can either manage the device with configurator2 and put that setting in, or I can install an app (like nextdns) that does it for me?
Really frustrating that simple config options like DNS server and setting the name of your hotspot SSID are nonexistent in iOS ...
As I understood it, this was about blocking content (via DNS) *even without a fake VPN connection*. Once you run a VPN connection, most likely its DNS takes over, profile or no profile.
Yes I know but that's what the parent comment(s) are about? Using a profile for DNS settings instead of a fake VPN because you can't run more than one active VPN at a time.
Without disagreeing that folks would want an all-in-one solution, a potential alternative is to use a service like https://nextdns.io/ in addition to your VPN.
This is particularly unlucky for macOS if you want to use an application firewall like "Little Snitch": since Apple removed kernel extensions on macOS (which Little Snitch and others used before), they now also have to fake a VPN. Because of this, you cannot use a custom DNS and Little Snitch. [1]
Upvote for NextDNS. Their platform has been a game changer for me on all devices/computers and really enjoy the granularity of filtering. Happy customer here!
As I've recently been made aware here on HN, on Android, system applications can bind to an arbitrary interface so they can effectively bypass the VPN system. I don't think it happens often in practice, but it's something to keep in mind.
On paper, Android (8 and up) has the always-on type of VPN that blocks any network connection not using the VPN (disallows bypass). Haven't poked at it yet to see how it works if multiple apps create VPNs; I assume only one VPN of this type can be active.
The single app restriction is a consequence of how the API works, but the always on VPN doesn't prohibit system apps from binding to an interface and bypassing the VPN configuration.
This kind of makes sense, you probably want a modem manager to talk to the modem interface directly, but it can be abused by data hungry manufacturers and perhaps Google.
By using a WireGuard VPN you could actually be connected to multiple endpoints at a time, if you are able to set the same tunnel IP for all endpoints.
That would enable you to have that one connection open routing to different servers (Mullvad / Homelab / Offsite Lab / Work / etc ...) hence also using your own DNS resolver with a commercial VPN.
I'm Steven Black and they cite my repo as their source for adult content domains.
Mullvad VPN seems unclear on the concept, at least in regard to my resource.
Using my porn hosts variant directly, they are presently pulling-in 188,735 domains, of which only 43,108 are porn domains. The other domains are adware, malware, etc.
I also notice the mullvad/dns-adblock repository has been in existence since June 7 2022, the date of its first commit. So this is a very new thing.
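An added example (not code from the thread, from Steven Black's repository or from Mullvad's) of the arithmetic behind the numbers above. A hosts-format blocklist is a list of sinkhole entries, and a "base plus extension" variant contains everything in the base list, so the extension's own domains are the set difference between the two files. The parser below handles comments, multiple names per line, case and trailing dots; the two hosts texts at the bottom are constructed with made-up domains and are not real list contents.

```python
"""Parse hosts-format blocklists and separate an extension list from its base.

Added example, not from the thread or either repository. BASE and VARIANT are
constructed sample lists (made-up names under .test), not real blocklist data.
"""
import re

# Names that appear in hosts files but are not block rules.
_LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
                "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
                "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0"}
# Addresses that mark a hosts line as a sinkhole (block) entry.
_SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Loose hostname check: dotted labels of [a-z0-9_-], no leading/trailing hyphen, <= 253 chars.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9_-]{1,63}(?<!-)(\.(?!-)[a-z0-9_-]{1,63}(?<!-))+$")


def parse_hosts(text: str) -> set[str]:
    """Return the set of blocked domains in a hosts file (lower-cased, de-duplicated)."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] not in _SINKHOLES:           # e.g. a real host mapping, not a block rule
            continue
        for name in parts[1:]:                   # one address may list several names
            name = name.lower().rstrip(".")
            if name in _LOCAL_NAMES or not _HOSTNAME.match(name):
                continue
            domains.add(name)
    return domains


def extension_only(variant_text: str, base_text: str) -> set[str]:
    """Domains present in a 'base + extension' variant but absent from the base list."""
    return parse_hosts(variant_text) - parse_hosts(base_text)


BASE = """# constructed base list (adware/malware style entries)
127.0.0.1 localhost
::1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.test        # adware
0.0.0.0 malware.example.test.   # trailing dot is tolerated
"""

VARIANT = BASE + """# constructed extension appended to the base list
0.0.0.0 adult1.example.test adult2.example.test
0.0.0.0 ADS.example.test        # duplicate of a base entry, different case
"""

if __name__ == "__main__":
    print(len(parse_hosts(VARIANT)), "domains in variant,",
          len(extension_only(VARIANT, BASE)), "of them from the extension")
```

Run against the real files, `len(parse_hosts(variant))` is the figure a downstream consumer like Mullvad ends up with, and `extension_only` is the part that actually belongs to the named category.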
Why did you include adware and malware domains in a list named to suggest it only contains pornography domains then? Seems like a fair mistake on Mullvad's part.
The issue there is pihole is only useful on your local network. You could expose it to the internet but that's a horrible idea. You could also VPN into your home network I guess but that's often not feasible.
> You could expose it to the internet but that's a horrible idea.
Been there, done that. It was a mistake. Not sure which attacks my public PiHole was part of, but I surely was part of some.
It's a shame, I'd really like to offer this as a service to friends, because I think they would be able to change the DNS settings of their routers and enjoy a safer surfing experience.
I don't want to get started with distributing key pairs to connect to a VPN and whatnot. PiHole really has a sweet spot there with its ease-of-use, but it fails in regard to security/protection against becoming part of DNS-based attacks.
The PiHole has some integrated logging where you can see the requests that were made. I had several IPs which were doing queries for the same domains dozens of times per second. That wasn't a poweruser but some kind of automated system, probably doing reflection attacks or something alike.
I think PiHole has improved since that time, you can now set throttling, but I'm not sure I'd run a public PiHole anymore.
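An added example (not code from the thread or from Pi-hole) of the kind of check the poster describes: run over a Pi-hole query log, it flags clients that send bursts of queries within one second, that hammer a single name, that ask for `ANY` records, or that come from outside private address space at all, which on its own means the resolver is reachable from the Internet. It assumes the dnsmasq log format (`MMM DD HH:MM:SS host dnsmasq[pid]: query[TYPE] name from client`); the thresholds and the sample lines are constructed, not taken from a real capture.

```python
"""Spot open-resolver abuse in a Pi-hole (dnsmasq) query log.

Added example, not from the thread or from Pi-hole. Assumes dnsmasq's
"query[TYPE] name from client" log lines; sample_log() is constructed data.
"""
import ipaddress
import re
from collections import Counter, defaultdict

QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Za-z0-9=]+)\] (?P<name>\S+) from (?P<src>\S+)$"
)
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "::1/128")]
ANY_TYPES = {"ANY", "type=255"}   # assumption: dnsmasq may print unknown types as type=<number>


def is_private(addr: str) -> bool:
    """True if addr parses as an IP inside a private/loopback range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE)


def analyze(lines, per_second_limit=20, repeat_ratio=0.8):
    """Return {client: [reasons]} for clients whose traffic looks like
    reflection/amplification abuse, or that should not reach the resolver at all."""
    per_second = defaultdict(Counter)   # client -> Counter(second -> queries)
    per_name = defaultdict(Counter)     # client -> Counter(qname -> queries)
    any_queries = Counter()             # client -> number of ANY queries
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue                    # forwarded/reply/cached lines are not queries
        src = m["src"]
        per_second[src][m["ts"]] += 1
        per_name[src][m["name"].lower()] += 1
        if m["qtype"] in ANY_TYPES:
            any_queries[src] += 1

    findings = {}
    for src, seconds in per_second.items():
        reasons = []
        peak_ts, peak = seconds.most_common(1)[0]
        if peak > per_second_limit:
            reasons.append(f"{peak} queries within one second ({peak_ts})")
        top_name, top_n = per_name[src].most_common(1)[0]
        total = sum(per_name[src].values())
        if total >= 10 and top_n / total >= repeat_ratio:
            reasons.append(f"{top_n} of {total} queries for the same name {top_name}")
        if any_queries[src]:
            reasons.append(f"{any_queries[src]} ANY queries (large answers, classic amplification)")
        if not is_private(src):
            reasons.append("client is not on a private range: the resolver is reachable from the Internet")
        if reasons:
            findings[src] = reasons
    return findings


def sample_log():
    """Constructed log: one normal LAN client, one Internet host hammering a single name."""
    lan = [f"Jun  7 12:00:01 pi dnsmasq[612]: query[A] {n} from 192.168.1.10"
           for n in ("example.test", "mail.example.test", "cdn.example.test")]
    abuse = ["Jun  7 12:00:01 pi dnsmasq[612]: query[type=255] big-zone.example.test from 203.0.113.7"] * 30
    noise = ["Jun  7 12:00:01 pi dnsmasq[612]: forwarded example.test to 9.9.9.9"]
    return lan + abuse + noise


if __name__ == "__main__":
    for client, why in analyze(sample_log()).items():
        print(client, "->", "; ".join(why))
```

The non-private-source check is the one worth automating even if you never look at the others: any hit means the instance is an open resolver, and the per-client rate limiting the poster mentions only reduces the damage, it does not close the resolver.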
My pihole listens only on my server's TailScale interface, and I have MagicDNS set to use the server's tailnet IP. Phone and laptops get it using the app, LAN gets it with subnet routing.
I run Pi-hole and pi-vpn on a VM at home, and have my mobile phone set to always-on VPN. I have occasionally had to disable the VPN on public wifi that blocks the high UDP port, but I think that could be gotten around with udp/443 which is used by QUIC/Google a lot. udp/53 inbound is blocked on my ATT home network.
As others say, use a VPN like wireguard. If bandwidth or latency over the VPN is a concern, you can set up your VPN to only route DNS requests over the VPN.
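An added example (a config written for this edit, not from the thread, Mullvad or WireGuard's documentation) covering both the multi-peer setup described earlier in the thread and the DNS-only routing suggested here. WireGuard's cryptokey routing picks the peer with the most specific `AllowedIPs` prefix, so a commercial exit with a default route and a homelab peer with a /24 can share one interface; the interface keeps a single tunnel address, which every server has to list in its own `AllowedIPs` for this client, exactly the condition the earlier comment states. Keys, hostnames and addresses are placeholders.

```ini
[Interface]
# One tunnel address for every peer: each server must carry 10.64.0.2/32 in its AllowedIPs for this client.
PrivateKey = <client private key>
Address = 10.64.0.2/32
# Resolver inside the homelab, reached through the homelab peer below rather than the exit's resolver.
DNS = 10.10.0.53

[Peer]
# Commercial exit (e.g. Mullvad): default route for everything not matched more specifically.
PublicKey = <exit server public key>
Endpoint = exit.example.invalid:51820
AllowedIPs = 0.0.0.0/0, ::/0

[Peer]
# Homelab: longest-prefix match sends 10.10.0.0/24 here, which includes the resolver.
PublicKey = <homelab public key>
Endpoint = home.example.invalid:51820
AllowedIPs = 10.10.0.0/24
PersistentKeepalive = 25
```

For the "only DNS over the VPN" case, drop the exit peer and shrink the homelab peer's `AllowedIPs` to `10.10.0.53/32`: only packets to the resolver enter the tunnel, all other traffic leaves the device unchanged, and no other peer is needed. The `DNS =` line is still what makes the system use that resolver; without it the tunnel carries nothing.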
Unfortunately some apps[0] are already resistant to DNS-based blocking, which is why I'm creating SocialsDetox (DoH & VPN). It allows blocking of social media (+others, e.g. Gambling) across all your devices with a single click, scheduled and/or API call.
I use SafeDNS which filters adult content (plus many more categories), without forcing YouTube Restricted Mode. But, you can opt into YouTube Restricted Mode if you choose.
What irks me about this is the disingenuous concern trolling in the title:
> Aiding to break habits
If mullvad's intention with these blocklists is to help break habits, then why is the focus solely on gambling and adult content? Alcohol and nicotine 'habits' far surpass porn and gambling habits, so why is there no option to break habits by blocking, for example, smoking and drinking related content?
You can't "gamble or porn a website" either. But alcohol and nicotine companies have an online footprint, and you can buy alcohol and nicotine online.
Or in other words, there is web content that directly facilitates other 'habits' that are way more prevalent than gambling or adult content, so it stands to reason that if the intention is to break habits, the initial focus should be on the most prevalent habits.
I'd actually argue that adult content is way more prevalent than nicotine, and likely moreso than alcohol.
Researchers trying to study the effects of porn use (in college males if I remember right) struggled to get a control group because they couldn't find anyone who didn't use porn