The largest annoyance with app-based solutions is that they don't work if you need to run a VPN at the same time, since they all depend on the Android VPN API to force all traffic to go through their program. Setting a custom DNS resolver often requires the same: an app acting as a VPN provider so it can assert the DNS servers that must be used. PiHole is slightly easier in that it asserts the resolver to use via DHCP, which Android mostly obeys, but having an app enforce that can be a safety net. So since the not-really-a-VPN app can't coexist with another actually-a-VPN app, if I connect to work and work doesn't have the same notions about what should be blocked, I start to leak/see what I hoped to avoid. Not always terrible but also not what some might hope for. Some of these apps will chain via SOCKS v5, though too many won't work unless they are not the start of the chain; worse, some things don't work at all, e.g., Cisco AnyConnect certainly isn't willing to be a SOCKS server, nor a SOCKS client, so it can't be the beginning, the end, or in the middle of a chain.
Yeah, this is a problem but not one without a solution (unless Android bundles in a built-in Firewall API that other apps could use [0]): RethinkDNS already supports chaining via SOCKS5, and it would also soon support connections to/from WireGuard endpoints: https://github.com/celzero/rethink-app/issues/52
And since RethinkDNS' underlying tunnel implementation is in Go, I'm fully expecting wireguard-go to fit in seamlessly.
This is how I enforce my private DNS on my Android devices. I just wireguard my Android devices up to a PiHole device. Works everywhere I take my Android devices, so I get all the benefits of my home network anywhere I go. :)
The best workaround on recent Android versions (although I agree the limitations are quite annoying) is to (ab)use the Private DNS feature for this - it lets you set a custom DNS server that is used for both WiFi and cellular data.
Same is now available on iOS 14.4(?), via a mobileconfig plist/XML file.
Either use an existing public ad/tracker-blocking DNS-over-HTTPS/TLS server, or host your own and enter the hostname there.
If you go down the host-your-own route, you can have a rather neat setup for managing and blocking things via a web browser - it is quite nice to be able to log in and control what's blocked.
Note - if you run an open resolver DNS server on the public internet, usual caveats apply about knowing what you are doing. You don't need to expose port 53 (UDP DNS) if you're using DoT or DoH, which should help.
It's possible to change the DNS server on Android without a VPN or app since Android 9 Pie. You can set a custom DoH or traditional DNS server system wide from the connection settings.
The domain bravedns.com made me initially think it was related to the Brave browser, so seeing "block ads" was a bit... strange. But looks like they are not related at all.
Why that domain name then? The blog is under the rethinkdns.com domain.
NextDNS does a lot more than RethinkDNS, at this point, but no reason why we couldn't implement their feature set. We are a team of three spread thin between the Android app and the stub resolver, but are continuing to make progress. Our focus, unlike NextDNS', is geared more towards anti-censorship.
With RethinkDNS though, right now, you don't need an account and could simply select a set of blocklists and copy the resulting URL to any DoH client [0]. As of today, RethinkDNS, the resolver, is more of a limited BlahDNS / Quad9 replacement than a NextDNS replacement. Limited, because it only supports DNS over HTTPS/[2|3].
That said, we do plan to pick up development pace on the DNS side and FOSS our DNS stub resolver that one could deploy to Cloudflare Workers with one-click [1].
And maybe start catching up with NextDNS on the path it has trail-blazed.
Besides, you could use the RethinkDNS Android app to set NextDNS as your resolver instead of the default preset resolver, if you're on Android 8 or below, or need a firewall and on-device DNS logs.
I'm not sure if we'd ever embed the Tor or I2P library in the app (because we'd need to constantly update it with upstream to ensure we don't slip up on security issues), but never say never.
I have been working on this full-time with a couple other friends since May 2020. We won a grant from Mozilla as part of their FixTheInternet initiative [0] last year in July, which has meant we could afford to give away the initial versions for free as we continue to work on stability and advanced feature-set that we could charge for.
RethinkDNS is a no-root firewall for Android: it is a mix of both LittleSnitch and Pi-Hole. I believe it might be the only open source DNSCrypt v3 client for Android.
The website points to bravedns.com because that's the name we launched with. A lot of untangling is required to completely move to rethinkdns.com (for example, older clients still use bravedns.com and do not seem to respect 301/302 redirects), which we intend to do sooner rather than later.
The core firewall is written in Golang, whilst the UI is all Kotlin/Android. We are evaluating a move to Flutter to take this cross-platform, but the immediate focus has been stability and adding support for WireGuard [1].
Currently, the firewall only tracks TCP/UDP flows. We are in the process of rewiring the firewall's network stack to use gVisor's TCP/IP implementation, and we presume that should improve things considerably.
RethinkDNS, which is a fork of getintra.org, is also an anti-censorship tool. It can bypass SNI-based censorship in most countries like Iran, India, Saudi Arabia (but not all). Eventually, we foresee adding a mesh-VPN-like capability to WireGuard (à la tailscale.com) in the app to enable people who "friend each other" to share each other's connections and IPs, similar to the now-defunct uProxy [2], to bypass censorship.
RethinkDNS relies on its namesake stub DoH-only resolver for DNS based content-blocking which is deployed to Cloudflare Workers. This is open source, as well. We are working towards making it one-click deployable so that others may run their own stub resolver; Workers' free-tier supports well over 3 devices worth of DNS queries a month. The stub resolver, as of today, supports blocking over 5M domains from around 171 lists. We plan to support all 2400+ blocklists listed on filterlists.com eventually.
Since the app and the resolver are both super early, I did not expect it to land on HN. It is what it is, but please be kind :)
It took me a second to grok that this is really mostly just an OSS Android app with some associated DNS servers you can optionally use with it. It's not in F-Droid yet (which I personally consider to be a hard requirement for this class of software) because it includes proprietary bits, but here's the link to the F-Droid issue for those who want to keep an eye on it:
This is baseless. There are no proprietary bits. Just because the default build script doesn't take to polyglot codebases well enough does not mean the app contains closed source tech. And I'm in no hurry to fix that myself but welcome code changes from anyone who's willing to put in the work. Here's the issue in case you or anyone reading this is interested: https://github.com/celzero/rethink-app/issues/215
Please don't confidently pass off judgement on things you may not fully understand. A quick cursory search of the app's GitHub issues would have alleviated your misplaced concerns.
> In the meantime, there's DNS 66, which includes some similar features (minus the app firewall)
> It took me a second to grok that this is really mostly just an OSS Android app with some associated DNS servers you can optionally use with it.
Take a second or two more, you've likely missed out on a Littlesnitch-esque firewall which is like 50% of the app; and DNSCrypt v3 support, too; and on-device blocklists; and DNS over Tor support; and support for censorship bypass by protecting against SNI sniffing attacks? It may be our terrible website design and copywriting skills that did us in. DNS66, as great as it is, doesn't have half the features.
Apologies, I saw a different issue https://github.com/celzero/rethink-app/issues/210#issuecomme... and did not realize those concerns had already been addressed. Unfortunately I can no longer edit my post, but it's good to learn that it is that much closer to F-Droid inclusion! :)
I think my comment must have appeared harsher than I intended, because I'm very excited to learn about this project. When I say "just an android app" that's a massive positive for me, but I understand why it might read otherwise! I had assumed at first blush this was yet another scammy SaaS product with a corresponding app, but when I realized it was "just" an open source Android app (and finding the open issue re: working towards F-Droid inclusion) it made me very interested indeed!
I also didn't mean to imply that DNS 66 was anywhere near feature parity with this project, so apologies if that appeared to be the case. That said I have used DNS 66 in the past effectively, despite its limitations. Can you suggest where I can read more about its security deficiencies, or by "insecure" do you just mean to say it is an incomplete solution? (i.e. the lack of protocol support and the reliance on the Android VPN framework?)
> Apologies, I saw a different issue and did not realize those concerns had already been addressed.
My bad. I'm sorry, too. In fact, I may be solely at fault here for over-reacting to your comment. My reaction really stems from an unpleasant r/Android experience where folks just piled up on BraveDNS (as it was called then) with utter nonsense and blatant, misleading lies.
> I had assumed at first blush this was yet another scammy SaaS product with a corresponding app...
This isn't the first time I've heard from folks that the whole thing comes off as scammy / scareware. Is it the website design? The copy? The readme on GitHub? The name of the project?
> Can you suggest where I can read more about its security deficiencies, or by "insecure" do you just mean to say it is an incomplete solution?
DNS66 is insecure in the sense it doesn't do any form of encryption for DNS requests [0] and, like most other DNS clients, it leaks DNS connections over TCP (only handles UDP) [1].
I wouldn't call it incomplete, it is likely fully complete in the eyes of the original developers. A DNS client can definitely do more, and that's why RethinkDNS exists in the first place. I used to use Nebulo [2] which is super lightweight, supports DNS over HTTPS/3 (QUIC), and has way more features than any other DNS client I've come across.
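As an added illustration of what "leaks DNS connections over TCP" means in practice (example code written for this page, not DNS66's or RethinkDNS' own): a minimal classifier for raw IPv4 packets as a VpnService-based app reads them from its tun file descriptor. A UDP-only client recognises a query to UDP port 53 and diverts it to its own encrypted resolver, but a client that sends the same query over TCP port 53 (which resolvers do after a truncated answer, and some apps do by default) sails through to the network in plaintext. The packet builders construct the sample input; the single-segment TCP handling and the constant names are assumptions for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const protoTCP, protoUDP, dnsPort = 6, 17, 53

// DNSHit is a packet to divert to the app's own (encrypted) resolver.
type DNSHit struct {
	Transport string // "udp" or "tcp"
	Message   []byte // DNS message, TCP length prefix stripped
}

// classifyDNS inspects one raw IPv4 packet as read from a VpnService tun fd.
// With handleTCP=false it acts like a UDP-only DNS client: a query on TCP port
// 53 is not recognised and is forwarded as plaintext, the leak discussed above.
func classifyDNS(pkt []byte, handleTCP bool) (*DNSHit, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return nil, errors.New("not IPv4")
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl {
		return nil, errors.New("bad IHL")
	}
	l4 := pkt[ihl:]
	switch pkt[9] {
	case protoUDP:
		if len(l4) < 8 || binary.BigEndian.Uint16(l4[2:4]) != dnsPort {
			return nil, nil
		}
		return &DNSHit{"udp", l4[8:]}, nil
	case protoTCP:
		if !handleTCP {
			return nil, nil // UDP-only client: TCP DNS passes through untouched
		}
		if len(l4) < 20 || binary.BigEndian.Uint16(l4[2:4]) != dnsPort {
			return nil, nil
		}
		doff := int(l4[12]>>4) * 4
		if doff < 20 || len(l4) < doff {
			return nil, errors.New("bad TCP data offset")
		}
		payload := l4[doff:]
		if len(payload) < 2 {
			return nil, nil // handshake or bare ACK: no DNS data in this segment
		}
		// RFC 1035 4.2.2: each message on TCP carries a two-byte length prefix.
		// A real tunnel reassembles the stream; one segment is enough here.
		n := int(binary.BigEndian.Uint16(payload[:2]))
		if len(payload) < 2+n {
			return nil, errors.New("truncated TCP DNS message")
		}
		return &DNSHit{"tcp", payload[2 : 2+n]}, nil
	}
	return nil, nil
}

// buildQuery assembles a minimal A query for name (constructed sample input).
func buildQuery(name string) []byte {
	msg := []byte{0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0}
	for _, lbl := range strings.Split(name, ".") {
		msg = append(msg, byte(len(lbl)))
		msg = append(msg, lbl...)
	}
	return append(msg, 0, 0, 1, 0, 1) // root label, QTYPE A, QCLASS IN
}

// buildPacket wraps msg in a UDP datagram or one TCP segment inside an IPv4
// header. Checksums and addresses stay zero: constructed test input, not a capture.
func buildPacket(proto byte, dstPort uint16, msg []byte) []byte {
	var l4 []byte
	if proto == protoUDP {
		l4 = make([]byte, 8)
		binary.BigEndian.PutUint16(l4[4:], uint16(8+len(msg)))
		l4 = append(l4, msg...)
	} else {
		l4 = make([]byte, 20)
		l4[12], l4[13] = 0x50, 0x18 // data offset 5 words, PSH|ACK
		l4 = append(l4, byte(len(msg)>>8), byte(len(msg)))
		l4 = append(l4, msg...)
	}
	binary.BigEndian.PutUint16(l4[2:], dstPort)
	ip := make([]byte, 20)
	ip[0], ip[8], ip[9] = 0x45, 64, proto
	binary.BigEndian.PutUint16(ip[2:], uint16(20+len(l4)))
	return append(ip, l4...)
}

func main() {
	q := buildQuery("example.com")
	for _, handleTCP := range []bool{false, true} {
		hit, _ := classifyDNS(buildPacket(protoTCP, dnsPort, q), handleTCP)
		fmt.Printf("TCP DNS query, handleTCP=%v: diverted=%v\n", handleTCP, hit != nil)
	}
}
```

The check a practitioner would run against any such app: send a query with `dig +tcp` (or one large enough to force truncation) from a shell on the device and watch whether it reaches the network resolver over port 53. A client that handles both transports, or that rewrites the answer's TC bit handling so apps never retry over TCP, closes the gap.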
> This isn't the first time I've heard from folks that the whole thing comes off as scammy / scareware. Is it the website design? The copy? The readme on GitHub? The name of the project?
This is interesting, it's hard to put my finger on it. There's nothing in particular that I think is "wrong" but there were a few subtle things that might have caused me to bounce were I not already curious:
1) It made the front page of HN (so I'm already primed to expect a SaaS) and it was the landing page (rather than, say, the git repo)
2) The domain name mismatch with the project name - other comments have already mentioned this one - and especially the "Brave" in there (which has an immediate negative association for me)
3) The suggestion of cloud DNS servers and cost model in the main landing page, which made me wonder for a second about the business model and incentives
4) The github link wasn't terribly prominent and the phrase "open source" (while present) doesn't stand out visually (when I see something like this I know to ctrl+f for "github" and "source" so I found both of them without issue, it's just that they weren't immediately apparent).
I know I'm an outlier in many ways, though, so I don't know how far those observations would take you in general. In my case a prominent link to an F-Droid page (or a note by the Play Store badge that F-Droid support is being considered) would have sent a signal I would recognize instantly, for example! Something minor like hosting the APK as a github release and changing the non-Play-Store download link to "download from github" also would have clued me in immediately.
It says “for Android” right in the title, but I’m sure there are people who’d like to know if there will be an iOS release (and if yes, when that may be likely). I couldn’t find answers to this in the FAQ.
For iOS, there’s Lockdown (lockdownprivacy.com), which is slightly similar to this.
Given that the core firewall is implemented in Go, we should be able to port it to iOS without much worry. But first, must arrange funds to purchase a Mac and an iPhone :)
Can someone explain to me (like I’m 5) whether I should consider a dns service over and above a pihole, which I’m running already? Is there any benefit to setting the dns on the pihole to use this service, or nextdns or similar?
A main use case I can think of, is if you are not at home. And you don't use PiHole + PiVPN. Then it would be convenient for you if you put this app on your phone and just use it like a 'local' PiHole (but it's also working at an app level).
I don't believe you'd get your PiHole itself to use this service, it's not a public DNS service that you can get your PiHole to point at.
As for NextDNS, are you asking, would you get your PiHole to use your NextDNS as an upstream? You could do that, there isn't a huge advantage to it though... as PiHole is already doing the work for you. Your main motivation to do it anyway would be the consistency factor.
I don't think you're the target audience. The biggest benefit is simply convenience — lots of folks, myself included, just don't want to have to maintain/install a local instance.
I'm currently using NetGuard which is also open source. What is your opinion of this app? So far I like it. I have the paid version and one feature I LOVE is the speed graph that shows up/download bandwidth. Will try out RethinkDNS. So far Android really sucks at privacy and security. The permissions aspect is too broad and intrusive. I wish I could sandbox specific apps with honeypot contacts etc., stuff I don't think an app needs to have but requires to operate... wtf. So many apps nowadays "require" permissions they have no business having, else they won't launch.
From what I've read, NetGuard's speed graph could be a drain on the battery. Besides, would showing connection speed on the app's home screen suffice?
> I wish I could sandbox specific apps with honeypot contact etc stuff I don't think app needs to have but requires to operate..wtf.
fwiw, we started off by building a userspace application sandbox (many exist today; ParallelSpace, available on the Play Store, is probably the gold standard), but the bugs and speed were just too dismal and it seemed it required a long tail of development just to get a v0.1 out of the door. That said, another way to do sandboxing is to use apps like Island and Shelter that abuse Android's "Work Profile" APIs.
So, we switched gears, and instead started focusing on controls for the Network.
Re: Permissions management:
For permissions, specifically, we do have an alpha-implementation that works on AOSP, that auto-grants permissions when the app is in the foreground and auto-revokes it when it is in the background. We are yet to productize it and fix all its rough corners. It isn't priority, but something we eventually want to complete, even if just for AOSP.
From quickly glancing over this, it sounds like it's set to have your DNS lookups proxied by servers RethinkDNS maintains, and forwarded on to 1.1.1.1. Did I misunderstand?
Can we set this to use another provider other than 1.1.1.1?
Looks interesting! Does RethinkDNS purely do DNS-based blocking and monitoring or is there an IP firewall as well? I'm not sure how prevalent it is but I suspect apps could hard-code their own DNS servers.
Apps can (and do) absolutely use DoH themselves. One way to mitigate is to block DoH IPs (RethinkDNS' on-device network logs are quite comprehensive). This isn't foolproof, and so, a feature we have been contemplating is that the firewall would auto-block IPs not resolved by the user-set DNS resolver.
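One way to build the "auto-block IPs not resolved by the user-set resolver" policy floated above, as an added example rather than RethinkDNS code. It also shows the network-log-to-DNS-log correlation mentioned later in the thread (which app opened a flow to an IP, and which domain that IP was answered for), since the same table serves both. The log line format, the tunnel-internal resolver address 10.0.0.53, the app identifiers and the list of DoH endpoint IPs are all assumptions for this example.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Flow is one outbound connection attempt seen by a VpnService-based firewall.
type Flow struct {
	App   string
	Proto string // "tcp" or "udp"
	Dst   netip.AddrPort
}

// Verdict is the decision for a Flow; Domain is the name resolved for the IP, if any.
type Verdict struct{ Action, Reason, Domain string }

// Policy sketches the "auto-block IPs not resolved by the user-set resolver"
// idea from the comment above. Illustrative design, not RethinkDNS code.
type Policy struct {
	trustedResolver netip.Addr            // only place plaintext :53 may go (assumed tunnel address)
	resolved        map[netip.Addr]string // IP -> domain, fed from the app's own DNS log
	dohEndpoints    map[netip.Addr]bool   // assumed list of public DoH/DoT server IPs
	strict          bool                  // block unresolved IPs (true) or only flag them
}

func NewPolicy(trusted string, doh []string, strict bool) *Policy {
	p := &Policy{netip.MustParseAddr(trusted), map[netip.Addr]string{}, map[netip.Addr]bool{}, strict}
	for _, s := range doh {
		p.dohEndpoints[netip.MustParseAddr(s)] = true
	}
	return p
}

// Judge runs resolver-bypass checks first, then the resolved-IP lookup.
func (p *Policy) Judge(f Flow) Verdict {
	ip, port := f.Dst.Addr(), f.Dst.Port()
	switch {
	case port == 53 && ip != p.trustedResolver:
		return Verdict{"block", "plaintext DNS to a hard-coded resolver", ""}
	case port == 853:
		return Verdict{"block", "DNS over TLS bypasses the configured resolver", ""}
	case port == 443 && p.dohEndpoints[ip]:
		return Verdict{"block", "known DoH endpoint", ""}
	}
	if d, ok := p.resolved[ip]; ok {
		return Verdict{"allow", "resolved via trusted resolver", d}
	}
	if p.strict {
		return Verdict{"block", "destination never resolved via trusted resolver", ""}
	}
	return Verdict{"allow", "unresolved destination (flagged)", ""}
}

// Replay feeds lines of the form "dns <app> <domain> <ip>" (an answer the
// trusted resolver gave) and "conn <app> <proto> <ip:port>" (a new flow)
// through the policy in order. The line format is assumed for this example.
func Replay(p *Policy, lines []string) ([]Verdict, error) {
	var out []Verdict
	for _, ln := range lines {
		fs := strings.Fields(ln)
		if len(fs) != 4 || (fs[0] != "dns" && fs[0] != "conn") {
			return nil, fmt.Errorf("malformed line %q", ln)
		}
		if fs[0] == "dns" {
			ip, err := netip.ParseAddr(fs[3])
			if err != nil {
				return nil, err
			}
			p.resolved[ip] = fs[2]
			continue
		}
		ap, err := netip.ParseAddrPort(fs[3])
		if err != nil {
			return nil, err
		}
		out = append(out, p.Judge(Flow{fs[1], fs[2], ap}))
	}
	return out, nil
}

// SampleLog is constructed input: documentation-range IPs for the app's own
// servers; 1.1.1.1 and 9.9.9.9 stand in for public DoH/DoT resolvers.
var SampleLog = []string{
	"dns com.example.news news.example.com 203.0.113.10",
	"conn com.example.news tcp 203.0.113.10:443",
	"conn com.example.news tcp 203.0.113.44:443",
	"conn com.example.news tcp 1.1.1.1:443",
	"conn com.example.news tcp 9.9.9.9:853",
	"conn com.example.news udp 198.51.100.1:53",
}

func main() {
	p := NewPolicy("10.0.0.53", []string{"1.1.1.1", "9.9.9.9"}, true)
	verdicts, _ := Replay(p, SampleLog)
	for _, v := range verdicts {
		fmt.Println(v.Action, v.Reason, v.Domain)
	}
}
```

Two caveats a practitioner would want before shipping the strict mode: the IP-list check only catches resolvers whose addresses you already know, since DoH is just HTTPS to any host, which is why the comment above calls it not foolproof; and "never resolved" is a noisy signal, because apps legitimately connect to IPs they learned without DNS (cached answers from before the tunnel came up, hard-coded CDN or STUN/TURN addresses, IPs embedded in API responses). Starting in flag-only mode and promoting to block per app, from the on-device log, is the safer rollout.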
I have my blokada set to DNS mode only because many apps decide to not use the IP address of pi hole in WiFi settings so blokada pushes all data through to pihole and that works well
Blokada is great. I love the direction Blokada is going towards, but unlike Blokada, RethinkDNS also kind of prevents SNI sniffing, doesn't leak DNS connections over TCP, and is a (TCP/UDP) firewall.
Seeing that this seemingly launched as "BraveDNS" only a couple of months ago (thus still using bravedns.com as domain), did Brave Browser knock on the door?
I tend to use DNS66, but have been looking for an app that can also block on a per-app level. Because I agree with the web site: it is very fishy that e.g. the Calculator app would have internet access.
i wish it had added root support which doesn't need vpn to block ip and can use iptables directly.
AFL Firewall can do this atm.
The problem with blocking via VPN is that if we close the app, the VPN also closes (instead of running in the background as a service), which can happen when clearing all apps.
> The problem with blocking via VPN is if we close app vpn also closes (instead of running in background as service) which can happen due to clearing all apps.
For this problem specifically, you can turn on "Always-on VPN" (to avoid a particular VPN app from being killed or replaced by another VPN app) and "Block connections without VPN" (to avoid traffic from leaking when the VPN app is killed or crashes) against any VPN app from Android's VPN Settings page. RethinkDNS supports both these settings.
> i wish it had added root support which doesn't need vpn to block ip and can use iptables directly.
The only available VPN slot going to a non-VPN app is indeed a deal breaker for many, and so, we plan to add support for WireGuard soon.
Always-on VPN doesn't work, at least on the Redmi phone stock ROM. When I clear apps by closing all apps I get the notification "Disconnected from always-on VPN", and if I open the Rethink app it disconnects. So I have to keep it running. I wish there was a way where the VPN app keeps running in the background even if I clear all apps.
To be clear, you can still clear the activity stack (swipe up to dismiss RethinkDNS from Android's Recents screen), which doesn't shut down the VPN; at least not on devices I've tested it on (like the OnePluses and the Oppos). MIUI seems to be aggressive here.
I use DNS66 as a VPN ad blocker. You can lock the app so that clearing running apps won't shut it down, which should work for this app too. Just long press on the running window and a lock option should show up. It works for me and I only ever need to manually start it after rebooting my phone.
RethinkDNS is both a firewall and a DNS client. Not sure about pdnsf, but RethinkDNS doesn't leak DNS connections over TCP (afaik, Blokada does). Besides, RethinkDNS can also prevent one class of SNI sniffing attacks (typically employed by ISPs as a poor man's firewall to censor websites) which Blokada and PDNSF both don't / can't.
Think of it as a (limited) cross between Little Snitch and Pi-Hole with anti-censorship capabilities.
You can navigate to the "Network Log" tab in the "Firewall" screen and search to see which app made connections to the IP address you see resolved in the DNS logs.