At this URL: FAQ | GrapheneOS and FAQ | GrapheneOS, it talks about a private DNS over TLS being superior to ad-blocking apps. I am not nearly technical enough to understand and evaluate the points being made.
Is Blokada an “ad-blocking app”, or does it employ the DNS over TLS approach?
I realize this might be asking a lot, but for any readers of this who are knowledgeable about these matters, how would the points made in the five paragraphs in the links I provided apply to the current state of Blokada?
DoT (DNS over TLS) is not yet implemented in Blokada, only DoH. As for which one is better, it’s pretty much subjective; as I understand it, most prefer DoH.
Reading through a bit of the article, it seems they refer to a version of AdGuard that intercepted connections rather than working at the DNS level, which Blokada does.
According to the article, they installed a local certificate which circumvents encryption; indeed, this is bad.
Blokada does effectively work as the suggested best practice: it configures a system-wide DNS-based ad-blocker. Blokada doesn’t inspect the encrypted content itself.
As for DNS over TLS (DoT) versus DNS over HTTPS (DoH), both are encrypted with TLS.
But DoH also wraps HTTP within the TLS; this has become the most common protocol.
One benefit of using DoH is that you talk the same protocol as you would with any website, meaning that in theory you blend in a little better, and firewalls usually allow this type of traffic.
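As an added example (not code from this thread, from Blokada, or from GrapheneOS), the Python sketch below puts the three points of the answer above on the wire: a DNS-level blocker decides purely from the queried hostname inside the DNS message and never touches the HTTPS content that follows, and that same DNS message is carried either with DoT's two-byte length prefix on port 853 (RFC 7858) or inside an ordinary HTTPS request for DoH (RFC 8484). The resolver host `dns.example`, the blocklist entries and the query names are constructed placeholders, and the filtering and framing helpers are illustrative, not any product's implementation.

```python
import base64
import struct

# Constructed sample blocklist for the demo (hypothetical; not Blokada's lists).
BLOCKLIST = {"ads.example", "tracker.example"}


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS wire-format query (RFC 1035) for qname.

    qtype 1 = A record. Flags 0x0100 set only the RD (recursion desired) bit.
    A real client must pick txid randomly; the fixed value here is for the demo.
    """
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN
    return header + question


def parse_qname(msg):
    """Read the question name from a wire-format DNS message.

    A query's QNAME is plain labels; compression pointers are not expected here.
    """
    pos = 12  # skip the fixed 12-byte header
    labels = []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def is_blocked(qname, blocklist=BLOCKLIST):
    """True if qname or any parent domain is on the blocklist."""
    parts = qname.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def filter_query(msg, blocklist=BLOCKLIST):
    """What a DNS-level blocker does with one query: ("block"|"forward", qname).

    Only the queried name is examined; the encrypted application traffic that
    follows a successful lookup is never seen by the blocker.
    """
    qname = parse_qname(msg)
    return ("block" if is_blocked(qname, blocklist) else "forward"), qname


def nxdomain_response(query):
    """Minimal NXDOMAIN answer for a blocked query, echoing its question section.

    Flags 0x8183: QR=1 (response), RD=1, RA=1, RCODE=3 (NXDOMAIN).
    """
    header = query[:2] + struct.pack(">HHHHH", 0x8183, 1, 0, 0, 0)
    return header + query[12:]


def frame_for_dot(msg):
    """DoT sends the DNS message over TLS (port 853) with the TCP framing of
    RFC 1035: a 2-byte big-endian length prefix in front of the message."""
    return struct.pack(">H", len(msg)) + msg


def doh_get_url(msg, resolver="https://dns.example/dns-query"):
    """DoH GET: the message is base64url-encoded without '=' padding and sent
    as the 'dns' query parameter of an ordinary HTTPS request."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={encoded}"


def doh_post_request(msg, host="dns.example", path="/dns-query"):
    """The raw HTTP/1.1 request a DoH POST carries inside TLS on port 443;
    to a firewall it looks like any other HTTPS request to that host."""
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/dns-message\r\n"
        "Accept: application/dns-message\r\n"
        f"Content-Length: {len(msg)}\r\n\r\n"
    )
    return headers.encode("ascii") + msg


if __name__ == "__main__":
    for name in ("cdn.ads.example", "example.com"):
        q = build_query(name)
        action, qname = filter_query(q)
        print(f"{qname}: {action}")
        print("  DoT frame (first bytes):", frame_for_dot(q)[:4].hex())
        print("  DoH GET URL            :", doh_get_url(q))
```

Running it with the two constructed names shows `cdn.ads.example` blocked by the `ads.example` entry (subdomains inherit the parent's verdict) and `example.com` forwarded; the DoT frame starts with the message length, while the DoH variants carry the identical bytes inside an HTTPS URL or POST body.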