I don’t like ads. My home firewall runs unbound as the resolver for the local network, and it blocks a shocking number of ads and trackers. I also have an Android phone and I browse around when commuting. The difference between doing so from inside the home network and from outside is massive. My 5G plan also has a data cap: once I go over it, browsing is slow for the rest of the month. That makes ads doubly nasty: I don’t want to see them to begin with, and they cost me money and speed because they get me to the cap faster.
I suppose I could run WireGuard to home all the time, but that seems overkill, and I would need to fiddle with it every time I go from home to not home or vice versa.
Enter Android’s Private DNS option. It supports DNS-over-TLS. It also supports DNS-over-HTTPS, but only for Cloudflare or Google servers, so that is useless to me. I do have a small OpenBSD VPS that can run unbound, including a blocklist like the one I use at home. It also already gets legitimate TLS certificates from Let’s Encrypt, which Android accepts. If I make it serve DNS-over-TLS I can set it as my Private DNS and have it work regardless of where I’m browsing from.
This is how I set it up.
On the day I write this, it blocked over three thousand requests from my phone.