Mobile phones suck as computers. NetGuard PCAP files are a must read if using a mobile phone as a computer.
One setup that works reasonably well is
NetGuard --> Nebulo --> DNSdist on own router
On phone,
(a) set DNS in Wifi to localhost, i.e., disable service provider DNS
(b) set VPN to Block all connections without VPN
(c) set Netguard to forward port 53 to Nebulo
(d) set Nebulo to run in non-VPN mode
(e) set DNS configuration in Nebulo to DNSdist on router
On router, point DNSdist at nsd or tinydns serving custom root zone containing all needed DNS data. Apps like NetGuard, Nebulo, PCAPdroid, etc. allow one to easily export the DNS data needed for the zone file.
There is at least one leak in this setup. Nebulo's "Internal DNS server" can only be set to Cloudflare, Google or Quad9. In theory this should only be used to resolve the address of the DoH provider and nothing else. But not allowing the user to choose their own DNS data source and forcing the user to keep pinging (querying) Cloudflare, Google or Quad9 is poor design. Those addresses are unlikely to change anyway.
Using a browser in place of other apps seems like a good strategy, but the browser "app" is far, far more complicated than many open source "apps" and much more difficult to control.
Firefox is not only filled with telemetry; almost no one compiles it themselves, it has more settings than any normal user can keep track of, and it is constantly changing. Layer upon layer of unneeded complexity.
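The two practical pieces of the setup above are the custom root zone fed to nsd on the router and the check that nothing on the phone still talks to a public resolver. The following is an added example, not code from the comment or from NetGuard, Nebulo or DNSdist: it turns a simple "name,address" export (a constructed format, not any app's real export format) into a BIND/nsd-style zone file for the root origin, and scans a constructed connection log for DNS-port flows that bypassed the phone's loopback or the router (the router address 192.168.1.1 and the zone's SOA/NS names are assumptions).

```python
"""Build a custom root zone from exported DNS data and flag DNS traffic that
bypassed the local resolver chain (phone loopback -> router).

Added example. Input formats are constructed for illustration; they are not
the real NetGuard / Nebulo / PCAPdroid export formats."""
import ipaddress
from collections import defaultdict

# Constructed sample export: one "name,address" pair per line.
EXPORTED_DNS = """\
api.example.org,203.0.113.10
api.example.org,203.0.113.11
cdn.example.net,2001:db8::5
# comment lines and blank lines are ignored
updates.example.com,198.51.100.7
"""

# Constructed sample connection log: dst_ip,dst_port,proto
CONNECTION_LOG = """\
127.0.0.1,53,udp
192.168.1.1,853,tcp
1.1.1.1,53,udp
203.0.113.10,443,tcp
8.8.8.8,443,tcp
"""

# Assumed: DNS may only go to the phone's loopback (NetGuard -> Nebulo) or
# the router running DNSdist.
LOCAL_RESOLVERS = {"127.0.0.1", "::1", "192.168.1.1"}
# Plain DNS and DoT. DoH rides on 443 and cannot be told apart by port alone,
# which is why the setup blocks non-VPN traffic rather than relying on ports.
DNS_PORTS = {53, 853}


def parse_export(text):
    """Return {name: set(addresses)}; every address is validated."""
    records = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, addr = (part.strip() for part in line.split(",", 1))
        ipaddress.ip_address(addr)  # raises ValueError on malformed input
        records[name.rstrip(".").lower()].add(addr)
    return records


def zone_file(records, serial=1, ttl=3600):
    """Render the records as a root zone ('.' origin) in nsd/BIND syntax.
    SOA/NS names and the glue address are assumed values."""
    lines = [
        "$ORIGIN .",
        f"$TTL {ttl}",
        f"@ IN SOA router.lan. hostmaster.router.lan. {serial} 3600 900 604800 {ttl}",
        "@ IN NS router.lan.",
        "router.lan. IN A 192.168.1.1",
    ]
    for name in sorted(records):
        for addr in sorted(records[name]):
            rtype = "AAAA" if ipaddress.ip_address(addr).version == 6 else "A"
            lines.append(f"{name}. IN {rtype} {addr}")
    return "\n".join(lines) + "\n"


def dns_leaks(log_text):
    """Flows on DNS ports whose destination is neither loopback nor the router."""
    leaks = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        dst, port, proto = (part.strip() for part in line.split(","))
        if int(port) in DNS_PORTS and dst not in LOCAL_RESOLVERS:
            leaks.append((dst, int(port), proto))
    return leaks


if __name__ == "__main__":
    zone = zone_file(parse_export(EXPORTED_DNS))
    print(zone)
    for dst, port, proto in dns_leaks(CONNECTION_LOG):
        print(f"DNS leak: {proto}/{port} to {dst}")
```

Point nsd at the generated file with a `zone:` entry whose `name` is `"."`, and put DNSdist in front of it as the phone's only upstream; anything the leak scan reports (such as the 1.1.1.1 query in the sample) is traffic that escaped the chain, which is exactly the kind of thing the Nebulo "Internal DNS server" setting produces.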