[HN Gopher] RethinkDNS - monitor app activity, block ads and firewall apps on Android
___________________________________________________________________
Author : URfejk
Score : 85 points
Date : 2021-02-14 16:29 UTC (6 hours ago)
web link: www.bravedns.com
___________________________________________________________________
| 2Gkashmiri wrote:
| I have my blokada set to DNS mode only because many apps decide to not use the IP address of pi hole in WiFi settings so blokada pushes all data through to pihole and that works well
| ignoramous wrote:
| Blokada is great. I love the direction Blokada is going towards, but unlike Blokada, RethinkDNS also _kind of_ prevents SNI sniffing, doesn't leak DNS connections over TCP, and is a (TCP/UDP) firewall.
| URfejk wrote:
| And Blokada can block only 450000 entries or thereabouts, otherwise it crashes.
|
| Btw, personalDNSfilter can filter millions of entries without problems.
| darkwater wrote:
| The domain bravedns.com made me initially think it was related to the Brave browser, so seeing "block ads" was a bit... strange. But looks like they are not related at all. Why that domain name then? The blog is under the rethinkdns.com domain.
| rapnie wrote:
| Probably the association with Brave was reason for the name change. Think they still need to switch their site domain.
| anotherevan wrote:
| Yeah, I admit that put me off at first, as I've found Brave browser generally off-putting.
| dvfjsdhgfv wrote:
| Someone must have told the developer of BraveDNS to rethink the name.
| [deleted]
| llarsson wrote:
| I tend to use DNS66, but have been looking for an app that can also block on a per-app level. Because I agree with the web site: it is very fishy that e.g. the Calculator app would have internet access.
| Valodim wrote:
| Happy customer of nextdns.io, which seems to offer the same benefits but isn't limited to Android.
| Is there anything this can do that nextdns can't?
| Valodim wrote:
| Answering my own question, it can work on a per-app basis. So far I haven't missed anything with per-device blocklists, but maybe I'm missing out :)
| ignoramous wrote:
| Hi there, RethinkDNS developer here.
|
| NextDNS does a _lot_ more than RethinkDNS, at this point, but no reason why we couldn't implement their feature set. We are a team of three spread thin between the Android app and the stub resolver, but are continuing to make progress. Our focus, unlike NextDNS', is geared more towards anti-censorship.
|
| With RethinkDNS though, right now, you don't need an account and could simply select a set of blocklists and copy the resulting URL to any DoH client [0]. As of today, RethinkDNS, the resolver, is more of a limited BlahDNS / Quad9 replacement than a NextDNS replacement. Limited, because it only supports DNS over HTTPS/[2|3].
|
| That said, we do plan to pick up development pace on the DNS side and FOSS our DNS stub resolver that one could deploy to Cloudflare Workers with one-click [1].
|
| And maybe start catching up with NextDNS on the path it has trail-blazed.
|
| Besides, you could use the RethinkDNS Android app to set NextDNS as your resolver instead of the default preset resolver; if you're on Android 8 or below, or need a firewall and on-device DNS logs.
|
| [0] https://RethinkDNS.com/configure
|
| [1] Not ready yet, but should be by end of this month: https://github.com/celzero/serverless-dns
| URfejk wrote:
| Any possibility to have Tor or Purple I2P modules included like those in Invizible Pro: https://invizible.net/en/
|
| P.S. It crashes now and then when I try to enable resolvers.
|
| If I enable them and then exit the software and open it up again, it doesn't save the resolvers I have picked. Is it possible to save the settings?
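The "copy the resulting URL to any DoH client" step the developer describes above, as an added example that is not RethinkDNS or serverless-dns code: it builds the RFC 8484 GET form of a DNS query for a resolver URL (a placeholder URL is assumed) and parses the wire-format answer to tell a blocklist hit from a normal one. The response bytes are constructed inline so it runs offline, and "blocked answers come back as 0.0.0.0" is an assumption of this example, not a statement about the RethinkDNS resolver.

```python
"""RFC 8484 DoH GET request + answer parsing (added example, not RethinkDNS code).
Assumes: placeholder resolver URL; blocklist hits answered with 0.0.0.0; responses constructed here."""
import base64
import struct

def build_query(name, qtype=1):
    """Wire-format DNS query: ID 0 (RFC 8484 suggests it for cacheability), RD flag set."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(resolver_url, query):
    """GET form: base64url-encoded query with padding stripped, in the 'dns' parameter."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return resolver_url + ("&" if "?" in resolver_url else "?") + "dns=" + token

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in the message)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: remember where to resume
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_a_records(msg):
    """Return the A-record addresses found in a response's answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off, addrs = 12, []
    for _ in range(qdcount):  # skip the echoed question (name + QTYPE + QCLASS)
        _, off = _read_name(msg, off)
        off += 4
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def is_sinkholed(addrs):
    """Blocklist hit under this example's assumption: every A answer is 0.0.0.0."""
    return bool(addrs) and all(a == "0.0.0.0" for a in addrs)

def make_response(query, addr, ttl=60):
    """Constructed response: echo the question, answer with one A record via a name pointer to it."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in addr.split("."))
    return header + query[12:] + answer
```

Pointing a real DoH client at the configured URL and checking that known blocklist entries come back sinkholed is the offline-free version of this check.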
| ignoramous wrote:
| RethinkDNS does support chaining out to any SOCKS5 (TCP) endpoint on-device. SOCKS5 UDP should be on its way, too. https://github.com/celzero/rethink-app/issues/100
|
| I'm not sure if we'd ever embed the Tor or I2P library in the app (because we'd need to constantly update it with upstream to ensure we don't slip up on security issues), but never say never.
| marshallnine wrote:
| From quickly glancing over this, it sounds like it's set to have your DNS lookups proxied by servers Rethink DNS maintains, and forwards on to 1.1.1.1. Did I misunderstand?
|
| Can we set this to use another provider other than 1.1.1.1?
| ignoramous wrote:
| Not right now, but it is trivial for us to add that support, and we intend to add it.
|
| https://github.com/celzero/serverless-dns/issues/1
| high_byte wrote:
| Exactly what I needed. Works well so far, thanks!
| ignoramous wrote:
| Glad you like it! Feel free to get in touch in case you have any queries or suggestions: I am mz at celzero dot com. All ears (:
| dmje wrote:
| Can someone explain to me (like I'm 5) whether I should consider a DNS service over and above a pihole, which I'm running already? Is there any benefit to setting the DNS on the pihole to use this service, or nextdns or similar?
| [deleted]
| sergiomattei wrote:
| I don't think you're the target audience. The biggest benefit is simply convenience -- lots of folks, myself included, just don't want to have to maintain/install a local instance.
| dmje wrote:
| Sure, but my question was a genuine one - is there a benefit to running both?
| wnevets wrote:
| > The rethinkdns app keeps track of connections an app makes from the Android device and tracks its data usage
|
| That's not something pi-hole can do.
| politelemon wrote:
| A main use case I can think of, is if you are not at home. And you don't use PiHole + PiVPN.
| Then it would be convenient for you if you put this app on your phone and just use it like a 'local' PiHole (but it's also working at an app level).
|
| I don't believe you'd get your PiHole itself to use this service, it's not a public DNS service that you can get your PiHole to point at.
|
| As for NextDNS, are you asking, would you get your PiHole to use your NextDNS as an upstream? You could do that, there isn't a huge advantage to it though... as PiHole is already doing the work for you. Your main motivation to do it anyway would be the consistency factor.
| dmje wrote:
| Thanks, yeh, the second part about using it upstream was what I was meaning, thanks for your help!
| cute_boi wrote:
| I wish it had added root support which doesn't need VPN to block IP and can use iptables directly.
|
| AFL Firewall can do this atm.
|
| The problem with blocking via VPN is if we close app VPN also closes (instead of running in background as service) which can happen due to clearing all apps.
| ignoramous wrote:
| (one of the developers here)
|
| > _The problem with blocking via VPN is if we close app vpn also closes (instead of running in background as service) which can happen due to clearing all apps._
|
| For this problem specifically, you can turn on "Always-on VPN" (to avoid a particular VPN app from being killed or replaced by another VPN app) and "Block connections without VPN" (to avoid traffic from leaking when the VPN app is killed or crashes) against any VPN app from Android's VPN Settings page. RethinkDNS supports both these settings.
|
| > _i wish it had added root support which doesn't need vpn to block ip and can use iptables directly._
|
| The only available VPN slot going to a non-VPN app is indeed a deal breaker for many, and so, we plan to add support for WireGuard soon.
| aclelland wrote:
| I use DNS66 as a VPN ad blocker.
| You can lock the app so that clearing running apps won't shut it down, should work for this app too. Just long press on the running window and a lock option should show up. It works for me and I only ever need to manually start it after rebooting my phone.
| cute_boi wrote:
| It doesn't seem to block some system apps? I have blocked all apps except youtube and I see redmi mi related queries in DNS?
| ignoramous wrote:
| You can navigate to the "Network Log" tab in the "Firewall" screen and _search_ to see which app made connections to the IP address you see resolved in the DNS logs.
| NotChina wrote:
| So it's OK to censor ads, and legit tracking, but not hate-facts? There should be laws against circumvention of the protections Google/Twitter/Amazon, and others provide. We need a GPLv4 that limits the use of our software for these illegitimate purposes. What next? Nuclear powered baby mulchers running GPL code?
| ldng wrote:
| Really curious on _where_ those services (RethinkDNS, NextDNS, ...) are actually run. AWS? Azure? GCP? In-house?
| ignoramous wrote:
| RethinkDNS' DoH-only (open source) stub-resolver, written in JavaScript, runs on Cloudflare Workers.
|
| NextDNS runs unbound, a recursive-resolver, on rented servers (CoLo not cloud) worldwide, from what I gather.
|
| If I were to deploy a public DNS recursive-resolver globally today it'd probably be on fly.io or on AWS behind its Global Accelerator product.
| [deleted]
| McDev wrote:
| Off-topic but I'm glad to see them offering the APK download right under the Google Play link. More organisations should do this!
| dheera wrote:
| I think this is because they're probably vulnerable to being kicked off the Google Play store since it conflicts directly with Google's revenue model.
|
| I agree with you though, Google and Apple shouldn't be playing gatekeeper between me and my phone which I bought with my money.
| kenniskrag wrote:
| Or they should provide a flag to show these apps.
| unicornporn wrote:
| Or even better, (if open-source) put it on F-Droid.
| politelemon wrote:
| Looks like it's preparing: https://github.com/celzero/rethink-app/issues/210
| URfejk wrote:
| It is open source.
| unicornporn wrote:
| I was thinking of Android software in more general terms.
| U8dcN7vx wrote:
| The largest annoyance with app based solutions is they don't work if you need to run a VPN at the same time, since they all depend on the Android VPN API to force all traffic to go through their program. Setting a custom DNS resolver often requires the same, an app acting as a VPN provider so it can assert the DNS servers that must be used. PiHole is slightly easier in that it asserts the resolver to use via DHCP which Android mostly obeys but having an app enforce that can be a safety net. So since the not-really-a-VPN app can't coexist with another actually-a-VPN app if I connect to work and if work doesn't have the same notions about what should be blocked I start to leak/see what I hoped to avoid. Not always terrible but also not what some might hope for. Some of these apps will chain via SOCKS v5, though too many won't work unless they are not the start of the chain, worse some things don't at all, e.g., Cisco AnyConnect certainly isn't willing to be a SOCKS server, nor a SOCKS client, so can't be the beginning, ending or in a chain.
| gsich wrote:
| Android has DoT support, so you could set up adblocking there.
| tuxracer wrote:
| It's possible to change the DNS server on Android without a VPN or app since Android 9 Pie. You can set a custom DoH or traditional DNS server system wide from the connection settings.
| anotherevan wrote:
| I use AFWall+ which works directly on the iptables and not as a VPN. It can coexist with a VPN. It does require root though.
|
| https://play.google.com/store/apps/details?id=dev.ukanth.ufi...
| ignoramous wrote:
| Yeah, this is a problem but not one without a solution (unless Android bundles in a built-in Firewall API that other apps could use [0]): RethinkDNS already supports chaining via SOCKS5, and it would also soon support connections to/from WireGuard endpoints: https://github.com/celzero/rethink-app/issues/52
|
| And since RethinkDNS' underlying tunnel implementation is in Go, I'm fully expecting wireguard-go to fit in seamlessly.
|
| [0] https://www.xda-developers.com/google-restricted-networking-...
| lrae wrote:
| Seeing that this seemingly launched as "BraveDNS" only a couple of months ago (thus still using bravedns.com as domain), did Brave Browser knock on the door?
| dsissitka wrote:
| It doesn't look like Brave did but it looks like they were concerned Brave would.
|
| https://github.com/celzero/rethink-app/issues/69#issuecommen...
|
| https://twitter.com/bravedns/status/1320519852788887552
| lrae wrote:
| I see, stumbled upon this thread when I wrote the comment and it seemed like they didn't really think it's a problem.
|
| https://www.reddit.com/r/Adblock/comments/ia5ics/bravedns_ad...
|
| Guess that changed within that month.
| ignoramous wrote:
| What changed is half my energy went in discussing about the name (BraveDNS) on various online forums versus actually discussing about the app itself.
| riedel wrote:
| How does it compare to PersonalDNS or Blockada?
| ignoramous wrote:
| Hi all, one of the developers of RethinkDNS here.
|
| I have been working on this full-time with a couple other friends since May 2020. We won a grant from Mozilla as part of their FixTheInternet initiative [0] last year in July, which has meant we could afford to give away the initial versions for free as we continue to work on stability and advanced feature-set that we could charge for.
|
| RethinkDNS is a no-root firewall for Android: It is a mix of both LittleSnitch and Pi-Hole.
| I believe it might be the only open source DNSCrypt v3 client for Android.
|
| The website points to bravedns.com because that's the name we launched with. A lot of untangling is required to completely move to rethinkdns.com (for example, older clients still use bravedns.com and do not seem to respect 301/302 redirects), which we intend to do sooner rather than later.
|
| The core firewall is written in Golang, whilst the UI is all Kotlin/Android. We are evaluating a move to Flutter to take this cross-platform, but the immediate focus has been stability and adding support for WireGuard [1].
|
| Currently, the firewall only tracks TCP/UDP flows. We are in the process of rewiring the firewall's network stack to use gVisor's TCP/IP implementation, and we presume that should improve things considerably.
|
| RethinkDNS, which is a fork of getintra.org, is also an anti-censorship tool. It can bypass SNI based censorship in most countries like Iran, India, Saudi Arabia (but not all). Eventually, we foresee adding a mesh-VPN like capability to WireGuard (a la tailscale.com) in the app to enable people who "friend each other" to share each other's connections and IPs, similar to now-defunct uProxy [2], to bypass censorship.
|
| RethinkDNS relies on its namesake stub DoH-only resolver for DNS based content-blocking which is deployed to Cloudflare Workers. This is open source, as well. We are working towards making it one-click deployable so that others may run their own stub resolver; Workers' free-tier supports well over 3 devices worth of DNS queries a month. The stub resolver, as of today, supports blocking over 5M domains from around 171 lists. We plan to support all 2400+ blocklists listed on filterlists.com eventually.
|
| Since the app and the resolver are both super early, I did not expect it to land on HN.
| It is what it is, but please be kind :)
|
| [0] https://news.ycombinator.com/item?id=23194178
|
| [1] https://github.com/celzero/rethink-app/issues/52
|
| [2] https://en.wikipedia.org/wiki/UProxy
| karlzt wrote:
| These types of tools on Google Play are an oxymoron.
|
| I would only use it if it is kicked off the Google Play store because it is against Google's revenue model.
| williesleg wrote:
| Pihole and a VPN, problem solved inside and out of the house.
| Darmody wrote:
| Apparently it blocks ads on YouTube, something that Blokada is not able to do.
| libertine wrote:
| It's not blocking YouTube ads for me, weird.
| Darmody wrote:
| I can see the yellow dots on the video progress bar but that's all, the ads don't show up.
| newscracker wrote:
| It says "for Android" right in the title, but I'm sure there are people who'd like to know if there will be an iOS release (and if yes, when that may be likely). I couldn't find answers to this in the FAQ.
|
| For iOS, there's Lockdown (lockdownprivacy.com), which is _slightly_ similar to this.
| ignoramous wrote:
| Hi, one of the developers here. Did not expect this to land on HN.
|
| For iOS, my understanding was that Apple already provides a built-in firewall?
|
| Besides, the APIs to track connections/flows per application aren't necessarily available on iOS [0]?
|
| I used to hack on AOSP for a living, so kind of right at home with Android, right now.
|
| [0] https://developer.apple.com/documentation/networkextension/f...
| angott wrote:
| That API you're linking is only available on macOS (see the column on the right side of the page).
| ignoramous wrote:
| Yeah, that was the point I was trying to make. I am not aware of APIs on iOS that let VPN apps track and block per app connection flows.
|
| Digging a bit deeper in the developer docs, it looks like it may be possible? https://developer.apple.com/documentation/networkextension/a...
|
| Given that the core firewall is implemented in Go, we should be able to port it to iOS without much worry. But first, must arrange funds to purchase a Mac and an iPhone :)
| machello13 wrote:
| Just a heads-up that at the end of that support doc, it says the API is only available for managed devices on iOS.
___________________________________________________________________
(page generated 2021-02-14 23:00 UTC)