Operating system – start with a hardened Android
- Preferred: GrapheneOS on a Pixel device.
- Alternatives: LineageOS or any other privacy‑focused custom ROM where Google Play Services can be removed and which gives you full control over networking.
GrapheneOS gives you a clean base, per‑app sandboxing and verified boot, which is essential for a privacy‑first stack.
This is the first and most important step in ensuring almost complete privacy. Even if you're not considering flashing your phone, I invite you to read to the end or skip to the Conclusion to form your own opinions.
Install a VPN client from a trusted source
- Grab the Proton VPN APK (simple option) or another VPN provider's APK (e.g., IVPN, Mullvad; paid options) from F‑Droid or the official website/GitHub repository (Proton VPN's free tier is sufficient for this workflow).
- Enable the kill‑switch. Open Settings → Network & internet → VPN → Proton VPN (appears after first connection) → Turn on Always on VPN and Block connections without VPN.
Choose a privacy‑focused browser
- Vanadium (the Chromium‑based, hardened browser shipped with GrapheneOS) is ideal.
- Alternatives that respect DoT and have strong anti‑tracking capabilities: Brave, LibreWolf and others. Some of them can still collect some of your metadata, though.
- Use DuckDuckGo or alternative privacy-focused search engines.
By default the browser uses the system DNS resolver; if DoT is configured, it automatically inherits the Private DNS configuration (more on DoT below).
Configure NextDNS (browser‑only version)
- Create a profile on the NextDNS dashboard.
- Add blocklists you need (here is my blocklist set): NextDNS Ads & Trackers Blocklist, AdGuard DNS filter, OISD, HaGeZi – Multi ULTIMATE, 1Hosts (Xtra), notracking, Goodbye Ads.
- Security tab: Enable Threat Intelligence Feeds, AI‑Driven Threat Detection, Google Safe Browsing, Cryptojacking Protection, DNS Rebinding Protection, IDN Homograph Attacks Protection, Typosquatting Protection, Domain Generation Algorithms (DGAs) Protection.
- Privacy tab: Enable Block Disguised Third‑Party Trackers.
- Settings tab: Adjust Logs Retention to 1 hour, Storage location to Switzerland (EU‑friendly jurisdiction). Turn on: Anonymized EDNS Client Subnet, Cache Boost, CNAME Flattening, Bypass Age Verification, Web3 (optional, but useful for modern sites).
All of these options are available in the web UI; you do not need the native NextDNS client.
Activate Android Private DNS (DoT)
- Open Settings → Network & internet → Private DNS.
- Choose “Private DNS provider hostname” and enter your profile’s endpoint: [profile‑id].dns.nextdns.io.
This forces all system DNS queries (including those generated by apps that do not use the browser's DNS settings) to be sent over TLS directly to NextDNS through the configured VPN tunnel.
Crucially, Proton VPN does not replace your DNS when you already have a Private DNS (DoT) configuration: the DNS packets remain encrypted end‑to‑end to the DNS provider, and the VPN only wraps the whole IP payload. Proton's own note that “DNS queries are routed through the VPN tunnel to be resolved on our servers” applies only when you let the app supply its DNS; with Private DNS the resolution stays with your chosen resolver. The NextDNS endpoints are reached automatically whichever VPN server you switch to. Because the DNS traffic is already wrapped in TLS, the VPN tunnel adds another layer of encryption (AES + TLS) on top but does not alter the DNS destination.
How the pieces work together (WiFi or Hotspot)
Connecting to a regular WiFi network (home/public)
- Device obtains an IP address via DHCP from the AP.
- All outbound packets (including the TLS‑wrapped DoT queries) are handed to the VPN client.
- The VPN encrypts the entire IP packet and sends it to the selected VPN server.
- Inside that tunnel sits the DoT‑encrypted DNS request destined for [profile-id].dns.nextdns.io.
- The VPN server forwards the packet to the NextDNS edge node; NextDNS decrypts the DoT layer, looks up the domain using the blocklists/security settings you configured, and returns the answer (still inside the DoT envelope).
- The answer travels back through the same path: NextDNS → VPN server → VPN tunnel → your phone → browser.
Result: every DNS lookup and every HTTP(S) request is double‑encrypted (DoT + VPN), and the only metadata visible to the WiFi provider is “the client with this MAC address exchanged this much traffic at this time with that VPN IP”.
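As an added example (not part of the original post), this shows what the DoT‑encrypted DNS request in the steps above looks like before TLS is applied: a plain DNS query framed with the two‑octet length prefix that DNS over TLS inherits from DNS over TCP, which is the byte stream the TLS session to your Private DNS hostname carries and the VPN tunnel then wraps. The hostname and query names are constructed placeholders.

```python
import struct

# Constructed placeholder in the format the post gives for Private DNS.
# The DoT client opens a TLS session to this name on port 853. Note: the
# TLS handshake (and so the profile id in its SNI) is seen by whoever
# terminates the VPN tunnel, not by the WiFi provider.
PRIVATE_DNS_HOST = "PROFILE-ID.dns.nextdns.io"

def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build one DNS query: 12-byte header + question (QTYPE 1 = A, 28 = AAAA)."""
    # flags 0x0100 = standard query, recursion desired; one question, no RRs
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)

def dot_frame(msg: bytes) -> bytes:
    """Frame a DNS message for DoT: 2-octet big-endian length prefix (RFC 7858 3.3)."""
    return struct.pack("!H", len(msg)) + msg

def dot_unframe(stream: bytes) -> list:
    """Split a DoT byte stream (as the resolver reads it after TLS) into messages."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[pos:pos + 2])
        msgs.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs

def parse_question(msg: bytes):
    """Return (txid, qname, qtype) from the first question of a DNS message."""
    txid, _flags, _qdcount = struct.unpack("!HHH", msg[:6])
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    (qtype,) = struct.unpack("!H", msg[pos + 1:pos + 3])
    return txid, ".".join(labels), qtype

if __name__ == "__main__":
    # Two queries pipelined on one DoT connection to PRIVATE_DNS_HOST (constructed).
    wire = dot_frame(build_query("example.com")) + dot_frame(build_query("example.org", 28, 0x4321))
    for m in dot_unframe(wire):
        print(parse_question(m))
```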
Using your second phone as a Hotspot
- The client device (e.g., Pixel) receives a local IP from your Hotspot’s DHCP (second device).
- Its encrypted traffic reaches the Hotspot's WiFi interface and is routed through the second device's network; replies, once they arrive back on the Pixel, follow the client's routing table, which includes the active VPN tunnel.
- Because the VPN is active on the client device, all traffic from the Hotspot—including the client’s DNS queries—is forced through the same VPN tunnel and the same DoT‑to‑NextDNS chain.
- The second device's MAC address stays constant, while the client's MAC address changes each time it reconnects if the "Per‑connection randomized MAC" feature is enabled (Android 12 and later). No DNS or payload data is exposed beyond the fact that a device is connected and uses a VPN.
The second phone:
- Does not know the traffic route
- Simply transmits the encrypted packet
- Only sees the volume and timing characteristics of the packets
- Cannot analyze the content
- Is only a transport channel
Thus the Hotspot does not become a weak point; it merely acts as a bridge for the already‑protected traffic. The second device still collects the same amount of metadata as the WiFi provider in the previous option, though. That means Google services, the OS vendor and the mobile network provider of the second device can obtain it, unless those services have been removed.
Optional extra hardening
- Disable “Allow background data” for any non‑essential app: Prevents silent data bursts that could bypass the VPN kill‑switch. Open Settings → Apps → Select app → WiFi data usage / App battery usage → Background restriction.
- Avoid installing unnecessary apps.
- Whenever possible, use Progressive Web Apps (PWAs) or home‑screen shortcuts to web services.
- Only install a native app when a PWA truly cannot replace it (e.g., a hardware‑specific utility).
Fewer apps mean a smaller attack surface and fewer chances for accidental DNS leaks.
Conclusion
Following these steps gives you a fast, low‑latency connection while keeping DNS and payload fully encrypted, and it works equally well on public WiFi, home routers, or when you share your connection from other devices via Hotspot.
I believe that this configuration and use of components is the best solution for everyday web surfing. Unlike those who use only a privacy-focused browser, only a VPN service, or even a private browser with a VPN service, this stack provides almost complete anonymity for your online activities using free and easily configurable tools.
It is not limited to use on custom firmware. Even if you don't want to flash your phone, setting up DoT and a VPN is a simple and affordable solution to prevent your personal data from being leaked to third parties.
Feel free to ask questions or share your own tweaks!