Android: End Data Tracking Now

This content originally appeared on DEV Community and was authored by Flying Lama

Operating system – start with a hardened Android

  • Preferred: GrapheneOS on a Pixel device.
  • Alternatives: LineageOS or any other privacy‑focused custom ROM where Google Play Services can be removed and which gives you full control over networking.

GrapheneOS gives you a clean base, per‑app sandboxing and verified boot, which is essential for a privacy‑first stack.

This is the first and most important step toward almost complete privacy. Even if you are not considering flashing your phone, the rest of the stack can still keep most of your data secured, so I invite you to read to the end, or skip to the Conclusion, to form your own opinion.

Install a VPN client from a trusted source

  • Grab the Proton VPN APK (the simple option) or another provider's APK (e.g., IVPN or Mullvad, both paid) from F‑Droid or the official website/GitHub repository (Proton's free tier is sufficient for this workflow).
  • Enable the kill switch: open Settings → Network & internet → VPN → Proton VPN (appears after the first connection) and turn on Always-on VPN and Block connections without VPN.

Choose a privacy‑focused browser

  • Vanadium (the Chromium‑based, hardened browser shipped with GrapheneOS) is ideal.
  • Alternatives that respect the system DoT setting and have strong anti‑tracking capabilities: LibreWolf (no tracking), Brave (gathers some metadata, but gives strong anonymization capabilities) and others.
  • Use DuckDuckGo or alternative privacy-focused search engines.

To prevent the browser from bypassing the system DoT (configured below) with its own built-in DNS-over-HTTPS resolver, open the browser settings and disable the “Secure DNS” option. Also disable “Safe Browsing” in the browser: the equivalent protection is provided by the DNS resolver configured in the next step, so the browser does not need to send URLs to a third party for it.

Configure NextDNS (browser‑only version)

  • Create a profile on the NextDNS dashboard.
  • Add blocklists you need (here is my blocklist set): NextDNS Ads & Trackers Blocklist, AdGuard DNS filter, OISD, HaGeZi – Multi ULTIMATE, 1Hosts (Xtra), notracking, Goodbye Ads.
  • Security tab: Enable Threat Intelligence Feeds, AI‑Driven Threat Detection, Google Safe Browsing (enable it here, because in NextDNS the check does not transfer data to Google itself), Cryptojacking Protection, DNS Rebinding Protection, IDN Homograph Attacks Protection, Typosquatting Protection, Domain Generation Algorithms (DGAs) Protection.
  • Privacy tab: Enable Block Disguised Third‑Party Trackers.
  • Settings tab: set log retention to 1 hour and the storage location to Switzerland. Turn on: Anonymized EDNS Client Subnet, Cache Boost, CNAME Flattening, Bypass Age Verification, Web3 (optional, but useful for modern sites).

All of these options are available in the web UI; you do not need the native NextDNS client.

Activate Android Private DNS (DoT)

  • Open Settings → Network & internet → Private DNS.
  • Choose “Private DNS provider hostname” and enter your profile’s endpoint: [profile‑id].dns.nextdns.io.

This forces all system DNS queries (including those from apps that do not honor the browser’s DNS settings) to be sent over TLS directly to NextDNS, through the configured VPN tunnel.

Crucially, Proton VPN does not replace your DNS when Private DNS (DoT) is already configured: the DNS packets remain encrypted end‑to‑end to the DNS provider, and the VPN only wraps the whole IP payload. Proton’s own note that “DNS queries are routed through the VPN tunnel to be resolved on our servers” applies only when you let the app supply its DNS; with Private DNS the DNS stays with your chosen resolver. The NextDNS endpoint is reached automatically through whichever VPN server you switch to. Because the DNS traffic is already wrapped in TLS, the VPN tunnel adds another layer of encryption (AES + TLS) but does not alter the DNS destination.

How the pieces work together (WiFi or Hotspot)

Connecting to a regular WiFi network (home/public)

  1. Device obtains an IP address via DHCP from the AP.
  2. All outbound packets (including the TLS‑wrapped DoT queries) are handed to the VPN client.
  3. The VPN encrypts the entire IP packet and sends it to the selected VPN server.
  4. Inside that tunnel sits the DoT‑encrypted DNS request destined for [profile-id].dns.nextdns.io.
  5. The VPN server forwards the packet to the NextDNS edge node; NextDNS decrypts the DoT layer, looks up the domain using the blocklists/security settings you configured, and returns the answer (still inside the DoT envelope).
  6. The answer travels back through the same path: NextDNS → VPN server → VPN tunnel → your phone → browser.

Result: every DNS lookup (DoT + VPN) and every HTTPS request (TLS + VPN) is double‑encrypted, and the only metadata visible to the WiFi provider is “the client with this MAC address exchanged this much traffic at this time with that VPN IP”.
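The DoT hop in steps 2 to 6 above, as an added example that is not from the original post: a minimal DNS-over-TLS client in Python that does what Android's Private DNS setting does on behalf of every app (TCP to port 853, certificate and hostname verification, the 2-byte length framing, and a transaction-id check on the reply). PROFILE-ID is a placeholder for your own NextDNS endpoint; when run on the phone stack described here, the TLS connection itself travels inside the VPN tunnel.

```python
# Added example (not from the original post): a minimal DNS-over-TLS client, the
# protocol behind Android's Private DNS. PROFILE-ID below is a placeholder for your own
# NextDNS endpoint. Usage: resolve_over_dot("PROFILE-ID.dns.nextdns.io", "example.com")
import socket, ssl, struct

DOT_PORT = 853  # DNS over TLS (RFC 7858); plaintext DNS would leave on UDP/53 instead
TXID = 0x1234   # fixed transaction id, checked again on the reply

def build_query(name, qtype=1):  # DNS query (1 = A, class IN) with DoT's 2-byte length prefix
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg

def _skip_name(msg, pos):  # advance past a (possibly compressed) domain name
    while msg[pos] & 0xC0 != 0xC0:  # a 2-byte compression pointer ends the name
        if msg[pos] == 0:
            return pos + 1
        pos += msg[pos] + 1
    return pos + 2

def parse_a_records(msg):  # -> (rcode, [IPv4 addresses]) from a message without length prefix
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != TXID:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4  # skip qtype + qclass
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])  # type, class, TTL, rdlength
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, addrs

def resolve_over_dot(resolver, name):
    """One query over TLS/853; the default context verifies the resolver's certificate and hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((resolver, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver) as tls:
            tls.sendall(build_query(name))
            f = tls.makefile("rb")  # read(n) blocks until n bytes arrive (or EOF)
            (length,) = struct.unpack("!H", f.read(2))
            resp = f.read(length)
    if len(resp) != length:
        raise ConnectionError("short read from resolver")
    return parse_a_records(resp)
```

The same 2-byte framing is what distinguishes a DoT/TCP message from a UDP/53 datagram, which is why a capture on port 53 is the quickest way to spot an app that is still resolving in plaintext.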

Using your second phone as a Hotspot

  1. The client device (e.g., the Pixel) receives a local IP from the Hotspot’s DHCP on the second device.
  2. On the client, outbound packets follow the client’s routing table, which includes the active VPN tunnel, so they are VPN‑encrypted before they leave the Pixel; they then reach the Hotspot’s WiFi interface and are routed onward through the second device’s network.
  3. Because the VPN is active on the client device, all traffic passing through the Hotspot, including the client’s DNS queries, is forced through the same VPN tunnel and the same DoT‑to‑NextDNS chain.
  4. The second device’s MAC address stays constant, while the client’s MAC address changes on each reconnect if “Per‑connection Randomized MAC” is enabled (Android 12 and later). No DNS or payload data is exposed beyond the fact that a device is connected and uses a VPN.

The second phone:

  • Does not know the traffic route
  • Simply transmits the encrypted packets
  • Only sees the MAC address of the connected device and the volume and timing of the packets
  • Cannot analyze the content
  • Is only a transport channel

Thus the Hotspot does not become a weak point; it merely acts as a bridge for the already‑protected traffic. But the second device still sees the same metadata as the WiFi provider in the previous option, which means Google services, the OS vendor and the mobile network provider of the second device can obtain it unless they are removed.

Optional extra hardening

  • Disable “Allow background data” for any non‑essential app: this prevents silent data bursts that could bypass the VPN kill switch. Open Settings → Apps → select the app → WiFi data usage / App battery usage → Background restriction.
  • Avoid installing unnecessary apps.
  • Whenever possible, use Progressive Web Apps (PWAs) or home‑screen shortcuts to web services.
  • Only install a native app when a PWA truly cannot replace it (e.g., a hardware‑specific utility).

Fewer apps mean a smaller attack surface and fewer chances of accidental DNS leaks.

Conclusion

Following these steps gives you a fast, low‑latency connection while keeping DNS and payload fully encrypted, and it works equally well on public WiFi, home routers, or when you share your connection from other devices via Hotspot.

It is not limited to custom firmware. Even if you don't want to flash your phone, setting up DoT and a VPN is a simple and affordable way to prevent your personal data from leaking to third parties. The DoT configuration stops the services running on the device from sending raw, unencrypted DNS queries.

I believe that this configuration and use of components is the best solution for everyday web surfing. Most people use these components (VPN, DNS, Browser) in pairs or separately, which leaves behind leaked data for one of the parties. This stack provides almost complete anonymity for your online activities using free and easily configurable tools.

Feel free to ask questions or share your own tweaks!

Flying Lama | Sciencx (2025-10-02T03:19:47+00:00) Android: End Data Tracking Now. Retrieved from https://www.scien.cx/2025/10/02/android-end-data-tracking-now/