Even though I am using Proton VPN (free) with Private DNS enabled, the domain dnsotls-ds.metric.gstatic.com connects directly to my real ISP and leaks my real location.
I am using Private DNS in order to block trackers on my bloated phone. (Debloating is not an option for me, as I lack a laptop and the bootloader is not unlocked; I tried many ways to debloat, but all I can do is disable system apps.) I haven't installed any proprietary apps, not even WhatsApp or banking apps, so as never to send my data to them. The issue is just the system apps' trackers. I am using IronFox with uBlock and Tor with NoScript.
Any way to prevent this VPN leak?
My threat model is to hide my traffic from my ISP, as my ISP is a spyware privacy invader.
Even though I am using Proton VPN (free) with Private DNS enabled
Do make sure "Block connections without VPN" is enabled. I know ProtonVPN had issues with leaks in the past, but it’s been resolved. I don’t know if it was only resolved for GrapheneOS devices, or ProtonVPN as a whole. You may look into Orbot if you’re willing to put up with the slow network speeds, to fully lock down any leaks from the VPN side.
The domain dnsotls-ds.metric.gstatic.com connects directly to my real ISP and leaks my real location.
Where did you find this out? I’m assuming from your DNS provider, but which one do you use?
I am using Private DNS in order to block trackers on my bloated phone.
This is reasonable, but it won’t protect you if no DNS query is made in the first place (i.e. directly connecting to the IP address, rather than a domain name). In this case, however, it looks like it is creating a DNS query, but be careful because DNS based filtering isn’t magic. If you pay for ProtonVPN (or Mullvad VPN, which is a better VPN in my opinion) you can have greater control over what gets blocked.
Debloating is not an option for me, as I lack a laptop and the bootloader is not unlocked; I tried many ways to debloat, but all I can do is disable system apps
Thanks for the information, and that’s unfortunate. I’ve messed around debloating cheap Android phones, but you can barely scratch the surface from a user standpoint.
I haven't installed any proprietary apps, not even WhatsApp or banking apps, so as never to send my data to them.
dnsotls-ds.metric.gstatic.com is a Google-owned domain, used for DNS over TLS. I don’t know much about it, as I don’t use a custom DNS provider, but check if your DNS provider is using Google’s DNS as a backend or a fallback. That may be where it’s coming from.
The issue is just the system apps' trackers. I am using IronFox with uBlock and Tor with NoScript.
Check IronFox’s DNS settings, and set a custom DNS over TLS server, if you’d like.
Any way to prevent this VPN leak?
Since you’re using a custom DNS, this likely isn’t a VPN leak, but more likely a DNS leak. If you want to simplify things, using your VPN’s DNS can help prevent misconfigured custom DNS solutions, so it reduces the risk of a leak. This will remove some of the filtering you have in place, though.
My threat model is to hide my traffic from my ISP, as my ISP is a spyware privacy invader.
It seems your threat model is hiding traffic from your ISP, minimizing telemetry, and using as much open source software as possible. If you prioritize only hiding traffic from your ISP, using your VPN’s DNS would achieve this, but there are known cases (especially on iOS) of the system bypassing the VPN and connecting directly anyways.
Best of luck!
I have "Block connections without VPN" enabled at all times. In my case Orbot is very slow, and a captcha constantly pops up, which makes using the web very irritating. Even some privacy-respecting search engines like Brave and Startpage show me captchas too.
I found out about dnsotls-ds.metric.gstatic.com from my DNS provider's log (personal AdGuard DNS, free), where it connected directly from my real ISP IP address. From my search, I found that AdGuard or any other DNS servers establish this connection to dnsotls-ds.metric.gstatic.com in order to check whether Private DNS is enabled or not. To block this I have to use a no-Google blocklist, which leads to inconvenience.
I don’t have enough money to pay for paid services (which means I don’t have a job, as I am a final-year student).
No Gecko-based Android browsers provide an option to change the DNS provider. Blink does, but I hate them. Blink-based browsers are annoying, and add-ons like uBlock Origin never get support. Brave is making too many background connections, which is annoying. Other browsers like Cromite and Vivaldi have nothing unique to offer, just hardened like I always do in every browser. Edge supports extensions, but you know, what's the point of using spyware in order to protect privacy?
Not using a custom or private DNS leads to:
- no logs of my traffic
- no trackers blocked
- no threats blocked (HaGeZi TIF)
- no use of parental control for blocking myself from various services like Instagram and WhatsApp, as my relatives actively use them but I don’t want to.
- I use the logs to report ad/tracker domains to the corresponding blocklist provider, like EasyList, AdGuard, HaGeZi.
I have always known my phone bypasses and sends most of the connections to my DNS or the device's parent company. Because of that, I also don’t store much info on my phone. I never take photos. My contacts are stored so that no other apps can see them (using Fossify Contacts). I keep important docs on Proton Drive.
I believe the situation is a little more understandable now. Providing my logs directly to my untrustworthy ISP feels stupid.
Also, it would be nice to know whether leaking my location to dnsotls-ds.metric.gstatic.com leads to any consequences, or whether it is just a Private DNS status-checking URL.
Thank you for the reply.
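The check the log review above relies on, written out as an added example that is not from anyone in this thread: given a resolver's query log, flag lookups that reached the resolver from outside the VPN exit range, since those are the queries the ISP saw in the clear. The log shape, the VPN exit range, and the home address are all constructed placeholders (this is not the real AdGuard DNS export format).

```python
import ipaddress
import json
from collections import Counter

# Constructed sample records in a simplified JSON-lines shape; this is NOT
# the real AdGuard DNS export format, just enough fields to show the check.
SAMPLE_LOG = """\
{"time": "2024-05-01T10:00:01Z", "domain": "dnsotls-ds.metric.gstatic.com", "client_ip": "203.0.113.45", "proto": "DoT"}
{"time": "2024-05-01T10:00:02Z", "domain": "duckduckgo.com", "client_ip": "198.51.100.7", "proto": "DoT"}
{"time": "2024-05-01T10:00:05Z", "domain": "tracker.example.net", "client_ip": "203.0.113.45", "proto": "DoT"}
{"time": "2024-05-01T10:00:09Z", "domain": "dnsotls-ds.metric.gstatic.com", "client_ip": "203.0.113.45", "proto": "DoT"}
{"time": "2024-05-01T10:00:12Z", "domain": "mullvad.net", "client_ip": "198.51.100.7", "proto": "DoT"}
"""

# Constructed placeholders (documentation ranges, not real addresses): the
# range the VPN exits from, and the address the ISP assigned to the phone.
VPN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]
HOME_IP = ipaddress.ip_address("203.0.113.45")


def parse_log(text):
    """Parse JSON-lines records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_vpn_source(ip):
    """True when the resolver saw the query arrive from the VPN exit range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_EGRESS)


def find_bypasses(records):
    """Per-domain count of queries that reached the resolver from outside
    the VPN, i.e. lookups the system sent over the bare ISP connection."""
    counts = Counter()
    for rec in records:
        if not is_vpn_source(rec["client_ip"]):
            counts[rec["domain"]] += 1
    return counts


def from_home_address(records):
    """Domains whose bypass queries came specifically from the home IP,
    which is what lets the ISP tie the lookup to the subscriber."""
    return sorted({r["domain"] for r in records
                   if ipaddress.ip_address(r["client_ip"]) == HOME_IP})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for domain, n in find_bypasses(recs).most_common():
        print(f"{n:3d}  {domain}  (queried outside the VPN)")
```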
Even some privacy-respecting search engines like Brave and Startpage show me captchas too.
I’ve never had a captcha with DuckDuckGo, if you want to give that a try. Otherwise, metasearch engines like SearXNG act as a proxy between you and other search engines.
From my search, I found that AdGuard or any other DNS servers establish this connection to dnsotls-ds.metric.gstatic.com in order to check whether Private DNS is enabled or not. To block this I have to use a no-Google blocklist, which leads to inconvenience.
Good to know. It’s up to you whether you want to trade privacy for convenience.
No Gecko-based Android browsers provide an option to change the DNS provider.
GrapheneOS’s browser Vanadium is a good option if you want to move away from Firefox-based browsers, but it’s not easy to install anywhere other than GrapheneOS. If you’re up to try, here’s how.
Brave is making too many background connections, which is annoying.
Brave can be hardened to minimize most of those, but I agree it is annoying that there are still background connections.
Also, it would be nice to know whether leaking my location to dnsotls-ds.metric.gstatic.com leads to any consequences, or whether it is just a Private DNS status-checking URL.
Besides Google being able to see every time you ping the domain, there’s not much else going on. It’s unlikely that it’s leaking any private data, so it’s relatively harmless. It’s not ideal that it connects to it, but it doesn’t pose too large of a threat.
Mullvad’s Leta (Google) is my default search engine. I am also a big fan of DuckDuckGo for more advanced searches, and its Duck.ai is amazing.
Sure, I will give the Vanadium browser a try if I am able to install it.
Thank you for taking time to answer my questions.