Setting to let always apply DNS domain rules at connection time
Globally blocked DNS entries are not shown in Network logs; this means users cannot identify which application made the request, as it is not shown in DNS logs. It makes whitelisting domains for specific applications more tedious, as users have to guess which application made the request, manually copy the domain, go to the application setting, and add a domain exception for the application. If the user guessed wrong, he has to delete the exception from the application, and repeat the process with the next one.
It would be a lot simpler if it would just also appear in Network logs, as the source application is shown there and clicking on it allows trusting/blocking the domain in seconds.
I guess it has been decided to hide blocked DNS to declutter the Network logs, but as explained above it can be a huge usability issue. Could an option be made to not hide them? (which I believe was the default some versions ago?)
When DNS is blocked, there's no corresponding network/connection request (TCP/UDP) to show which app sent the DNS request.
Blocking DNS at connection time is something we've experimented with, but it results in more power usage (since it is more efficient to block at DNS level than at network level, if that makes sense). Maybe we can introduce a user-preference to enable / disable this behaviour (of always blocking DNS requests at connection time).
> When DNS is blocked, there's no corresponding network/connection request (TCP/UDP) to show which app sent the DNS request. Blocking DNS at connection time is something we've experimented with, but it results in more power usage (since it is more efficient to block at DNS level than at network level, if that makes sense).

Oh that's why, I thought it was a UI issue (hiding to declutter the logs), but in reality it's a technical limitation (Android not permitting to know which application made the DNS request). Indeed, the current behavior is much preferable to the old one.

> Maybe we can introduce a user-preference to enable / disable this behaviour (of always blocking DNS requests at connection time).
Maybe, but that sure will add some complexity to the code. Honestly I opened the issue only because I thought that it would be an easy fix (not hiding entries by default), but now that (thanks to your explanation) I understand the issue better I don't know if it is even worth doing anything about it. The issue only occurs when a new application is installed, and if it attempts to connect to a globally blocked domain, and if the said domain really is necessary to the app function. And even then, 95% of the time the application is doing the request itself. Meaning that, in the end it would only save a few clicks in a very specific and unusual situation.
To me, the issue could just be closed as solved since it really was more a misunderstanding on my side than anything else.
> Honestly I opened the issue only because I thought that it would be an easy fix (not hiding entries by default)
This is already implemented, but not exposed as a setting. I'll use this issue to track exposing it as a setting (:
Perfect :p
It seems the latest version v0.5.5b introduced a regression where per-application trusted domains are ignored (they remain blocked) if said domains are included in a DNS blocklist :( Universally trusted domains are still honored, though.
Amusingly, I noticed the current behavior of blocking DNS at the network level could lead to a crash for a particular application. An easy workaround exists however: manually blocking the domain both globally and in the per-app settings (instead of relying on a blocklist block) resolves the crash and serves the same purpose, the only difference being that the domain is now blocked at connection time.
It seems like an extreme edge case though, and the fault is on that specific application which really shouldn't crash in such a situation. I just wanted to share the workaround in case someone else encounters that strange issue.