This guide explains how to survive public WiFi safely by controlling DNS resolution, forcing all traffic through a VPN, isolating browser sessions with containers, and avoiding identity tokens that persist beyond the session.
Public WiFi is infrastructure you don’t own, operated by people who profit from logging behavior. Hotels log. Airports inspect. Cafes inject. Always assume observation.
Don’t approach this the way most people do, asking which app, which browser, which toggle to flip. That framing fails immediately. Survival on public WiFi is about containment. Reduce what can leak, what can persist, and what can be correlated later.
Always Assume
When you connect to public WiFi assume:
- DNS is being logged
- Traffic metadata is visible
- Devices are being fingerprinted
- Credentials will persist beyond the session
It’s like camping. Your goal is to leave nothing behind. That means controlling the layers in the correct order.
- DNS.
- Transport.
- Execution.
- Identity.
Miss one and the whole thing collapses.
What This Does Not Do
Don’t get it twisted. This does not make you anonymous. It does not defeat targeted attacks. It doesn’t protect against physical compromise. What it does is stop passive logging, cheap correlation, and lazy harvesting. That is 90% of public WiFi risk.
1. DNS
Resolution Is Identity
DNS happens before everything else. Before HTTPS. Before apps. Sometimes before VPN tunnels. Don’t let some random network you don’t control decide DNS. That “free” WiFi provider loves DNS because it is cheap telemetry. They can log intent without having to worry about decrypting content. Every domain lookup is your behavior signal. Don’t let public infrastructure resolve your names.
Options that work:
- Default – Encrypted DNS through a tunnel
  - DNS is forced inside the tunnel
  - No system fallback DNS
  - Tunnel comes up before apps
- Damage Control – An encrypted resolver you chose
  - Prevents the local network from seeing domains
  - Encrypts DNS queries
  - Removes hostile network DNS visibility
- Infrastructure Level Control – A local resolver you control
  - No public DNS ever sees your intent directly
  - Consistent behavior across networks
  - Full control over validation and logging
Never let infrastructure you don’t own resolve your names. Otherwise you are leaking before you even start browsing. Everything else is downstream of that mistake. The easiest way is to force DNS through your VPN provider. Just always confirm that DNS is locked to the tunnel and not to the physical interface.
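One way to actually confirm that last point, as an added example that is not part of the original guide: a small audit script that reads the resolvers the system is configured with and asks the kernel which interface each one would be reached through. Any resolver whose route leaves via anything other than the tunnel is a leak. It assumes Linux with iproute2 (`ip route get`) and resolvers listed in /etc/resolv.conf; the tunnel interface name `tun0` and the addresses in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that every configured
# resolver is only reachable through the VPN tunnel interface.
# Assumptions: Linux with iproute2 ("ip route get"), resolvers in
# /etc/resolv.conf. TUN_IF defaults to tun0; override with TUN_IF=wg0.

TUN_IF="${TUN_IF:-tun0}"

# Extract nameserver addresses from resolv.conf-style text on stdin.
# Comments and directives other than "nameserver" are ignored.
parse_nameservers() {
    sed -n 's/^[[:space:]]*nameserver[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Given one line of "ip route get <addr>" output on stdin, print the egress
# device. Constructed input: "1.1.1.1 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 1000"
route_dev() {
    sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Return 0 only if every resolver in $1 (whitespace-separated) egresses via
# $TUN_IF. $2 is the lookup command prefix ("ip route get" on a live box, or a
# stand-in function); it is given the resolver address as its last argument.
check_resolvers_locked() {
    resolvers="$1"
    lookup="$2"
    rc=0
    for ns in $resolvers; do
        dev=$($lookup "$ns" 2>/dev/null | route_dev)
        if [ "$dev" = "$TUN_IF" ]; then
            echo "OK   $ns via $dev"
        else
            echo "LEAK $ns via ${dev:-no-route} (expected $TUN_IF)"
            rc=1
        fi
    done
    return $rc
}

# Live check against the running system: exit 0 = locked, 1 = leak, 2 = no DNS.
dns_lock_audit() {
    resolvers=$(parse_nameservers < /etc/resolv.conf)
    [ -n "$resolvers" ] || { echo "no nameservers configured"; return 2; }
    check_resolvers_locked "$resolvers" "ip route get"
}

if [ "${1:-}" = "--live" ]; then
    dns_lock_audit
fi
```

Run it as `sh dnslock.sh --live` right after the tunnel comes up, and again after roaming between access points; a resolver that shows up with `wlan0` is the system fallback the DNS section says must not exist. On systemd-resolved hosts, /etc/resolv.conf usually points at 127.0.0.53, so check `resolvectl status` for the per-link upstream servers instead of trusting that stub address.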
2. VPN
Traffic Routing and Exit Control
Your transport-level protection should be boring and total. HTTPS already handles content encryption, but you still need metadata control. A reputable VPN collapses all the passive observers into one exit point. That alone removes most cheap surveillance, but you still have to configure it correctly.
Rules:
- VPN connects before anything else
- Kill switch is enforced
- No split tunneling
- No app based exceptions
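The four rules above are only as real as the firewall that enforces them. As an added example, not from the original guide or any VPN vendor, here is a script that generates an nftables ruleset implementing a kill switch: the output chain is default-drop, the only things allowed out are loopback, the tunnel interface, the encrypted VPN transport to one endpoint, and DHCP. Off-tunnel DNS is counted and logged before being dropped, so a leak attempt shows up in counters instead of on the wire. The tunnel name `tun0`, endpoint `203.0.113.10` (a documentation address) and port `1194/udp` are placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide): generate and apply an nftables
# kill switch. Placeholders: tunnel interface tun0, VPN endpoint 203.0.113.10
# (TEST-NET-3 documentation range) on UDP 1194. Assumes an IPv4 VPN endpoint.

TUN_IF="${TUN_IF:-tun0}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"

# Print the ruleset. The "inet" family covers IPv4 and IPv6 in one table, so
# IPv6 cannot sneak around an IPv4-only rule. Policy drop means a fallen
# tunnel results in no traffic rather than cleartext traffic.
killswitch_rules() {
    cat <<EOF
table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;

        # Local traffic is fine
        oifname "lo" accept

        # Everything inside the tunnel is fine
        oifname "$TUN_IF" accept

        # The one hole: the encrypted VPN transport to the configured endpoint
        ip daddr $VPN_SERVER $VPN_PROTO dport $VPN_PORT accept

        # DHCP so the physical interface can still obtain a lease
        udp dport 67 accept

        # Off-tunnel DNS would be dropped by policy anyway; count and log it so
        # a misconfiguration is visible (section 1: no system fallback DNS)
        oifname != "$TUN_IF" udp dport 53 counter log prefix "dns-leak " drop
        oifname != "$TUN_IF" tcp dport 53 counter log prefix "dns-leak " drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        udp sport 67 accept
    }
}
EOF
}

# Syntax-check the generated ruleset without touching the running firewall.
check_killswitch() { killswitch_rules | nft -c -f -; }

# Load it (replaces the table if it already exists) or remove it.
apply_killswitch() { nft delete table inet killswitch 2>/dev/null; killswitch_rules | nft -f -; }
drop_killswitch()  { nft delete table inet killswitch; }

case "${1:-}" in
    --show)  killswitch_rules ;;
    --check) check_killswitch ;;
    --apply) apply_killswitch ;;
    --drop)  drop_killswitch ;;
esac
```

Bring the table up before the VPN client starts, and leave it up while roaming; `nft list table inet killswitch` shows the `dns-leak` counters, which should stay at zero. Because there is no `ct state established` rule in the output chain, an existing flow cannot keep going over the physical interface after the tunnel drops. On networks where IPv6 is needed for the VPN handshake itself, the endpoint rule needs an `ip6 daddr` variant and an `icmpv6` allowance for neighbour discovery.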
3. Containers
Separate Paths, Separate Identities
Your browser is still a liability. Cookies persist. Local storage persists. Fingerprints persist. Tokens persist. The solution is isolation. Use containers. Use profiles. Use separation. If you do not isolate contexts, every site you touch can correlate everything else you touched on that network.
A clean approach:
- One browser profile for public WiFi
- No logged in accounts
- Separate containers for any additional access
Firefox containers exist for this reason. Use them and keep sessions from touching.
4. Identity Tokens
Tokens outlive sessions, so don’t ignore them. OAuth tokens. Session cookies. App tokens. Cached credentials. If you log into anything on public WiFi you risk leaving a durable artifact that can be replayed later.
Rules:
- Never log into primary accounts
- Never authenticate critical identities
- Never reuse sessions
If you have to access something sensitive, at least do it inside a disposable container and destroy it after. If you can’t burn it, don’t open it.
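The dedicated public-WiFi profile from the containers section and the "burn it after" rule above can be the same script. As an added example that is not from the original guide or from Mozilla, this creates a fresh Firefox profile in a temporary directory, pins it to a DNS-over-HTTPS resolver with no system fallback, tells Firefox to wipe cookies, sessions, cache and history on shutdown, refuses to remember passwords, and deletes the directory when the browser exits. The preference names are real Firefox prefs; the resolver URL `https://doh.example.invalid/dns-query` is a placeholder for the resolver you chose, and `firefox --profile <dir>` is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the original guide): a disposable Firefox profile.
# Placeholder resolver URL; substitute the encrypted resolver you chose.
DOH_URL="${DOH_URL:-https://doh.example.invalid/dns-query}"

# Write the prefs that turn the profile into a containment boundary.
write_burner_prefs() {
    dir="$1"
    cat > "$dir/user.js" <<EOF
// Constructed for this example; the pref names are real Firefox preferences.
user_pref("network.trr.mode", 3);                 // DoH only, never fall back to the system resolver
user_pref("network.trr.uri", "$DOH_URL");
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.cookies", true);
user_pref("privacy.clearOnShutdown.sessions", true);
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.history", true);
user_pref("signon.rememberSignons", false);        // never store credentials in a burner
user_pref("browser.shell.checkDefaultBrowser", false);
EOF
}

# Create a fresh profile directory and print its path.
new_burner_profile() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/burner-XXXXXX")
    write_burner_prefs "$dir"
    printf '%s\n' "$dir"
}

# Destroy a profile, but only one this script created, never an arbitrary path.
burn_profile() {
    case "$1" in
        */burner-*) rm -rf -- "$1" ;;
        *) echo "refusing to remove $1: not a burner profile" >&2; return 1 ;;
    esac
}

# Launch an isolated Firefox instance on a burner profile; the trap guarantees
# the profile is removed whether the browser exits cleanly or is killed.
run_burner_browser() {
    command -v firefox >/dev/null 2>&1 || { echo "firefox not found" >&2; return 127; }
    profile=$(new_burner_profile)
    trap 'burn_profile "$profile"' EXIT INT TERM
    firefox --no-remote --new-instance --profile "$profile" "$@"
}

if [ "${1:-}" = "--run" ]; then
    shift
    run_burner_browser "$@"
fi
```

Invoke it as `sh burner.sh --run https://example.invalid` (placeholder URL). Because Multi-Account Containers live inside a profile, a burner profile also starts with empty containers, so "one profile for public WiFi" and "separate containers for additional access" compose rather than conflict. The DoH query itself still travels inside the VPN tunnel; the firewall from the VPN section is what stops it going anywhere else.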
Phones are Worse Than Laptops
They auto connect. They background sync. They refresh tokens silently. They leak metadata even when locked. Phones are chatty and obedient.
If you are stuck using a phone:
- Disable auto join
- Disable background sync
- Force VPN always on
- Avoid apps entirely
Browsers can be constrained. Apps do whatever the hell they want. Sandbox them if possible.
Containers are Not Just for Browsers
If you are doing real work on public WiFi, use OS-level containment.
- A disposable VM.
- A containerized workspace.
- A temporary user account.
VMs like Whonix exist for a reason. So does TailsOS. They are not just hacker toys.
Remember
Public WiFi is not a “free” service. If you don’t know where your traffic went, who resolved it, and what persisted, then assume the worst.
-GHOST
Untraceable Digital Dissident