I didn’t add it to any lists, but to the network interface itself. You know the output of ip a? The one pihole listens on (wg0 in my case, because wireguard) has something like, say, 10.0.0.1, but also 8.8.8.8. So when a DNS packet is spit out by chromecast to go to 8.8.8.8 UDP port 53 - my pihole happily answers that request. You could also do a separate unbound instance on a new virtual interface with a quad8 ip and just forward everything to pihole, if you fancy.
I solved that by adding an 8.8.8.8 ip to my pihole interface. Because of how TCP/IP works, this has the fewest hops and is, therefore, the one to be used. I’m blocking all outbound DNS traffic for good measure.
I would suggest having an nginx as a reverse proxy (I prefer avoiding a container as it’s easier to manage) and then have your services in whatever medium you prefer.
I don’t have something specific to read, my statement comes from questioning the declared permissions by apps. Why would, say, facebook - an app that, essentially, downloads and uploads content via http, need access to location, gyro, contacts, texts, call history, making calls, microphone, etc? Also, while I can’t prove it, as someone who works in computing I can guarantee there are undocumented/buggy/testing APIs and just straight up bugs that companies with enough resources can and do find and abuse. Cambridge Analytica has only strengthened my view on this.
Launcher on android is just that - an app to launch other apps. Other apps can and do run in the background, without ever being explicitly launched. Think play services, location provider, wifi connection manager, etc. Since google runs its stuff at the highest level - nothing can hide from it. Other apps, like netflix, utilise internal telemetry. Assholes like facebook push the boundaries to the limit and collect literally every input of every sensor to have as much data about your environment as possible.
I’m lucky enough to be in a company where Windows is banned by the CEO. Granted, there are 4 (I believe) exceptions, but the vast majority of employees have an Ubuntu workstation and everyone has a macbook. A bit of a shame this macbook thing, really. A 2 grand thin client to ssh into my desktop when working remotely :D