[HN Gopher] RethinkDNS - monitor app activity, block ads and fir...
___________________________________________________________________
RethinkDNS - monitor app activity, block ads and firewall apps on
Android
Author : URfejk
Score : 85 points
Date : 2021-02-14 16:29 UTC (6 hours ago)
(HTM) web link (www.bravedns.com)
(TXT) w3m dump (www.bravedns.com)
| 2Gkashmiri wrote:
| I have my Blokada set to DNS mode only, because many apps decide
| not to use the IP address of Pi-hole in WiFi settings, so Blokada
| pushes all data through to Pi-hole and that works well.
| ignoramous wrote:
| Blokada is great. I love the direction Blokada is going
| towards, but unlike Blokada, RethinkDNS also _kind of_ prevents
| SNI sniffing, doesn't leak DNS connections over TCP, and is a
| (TCP/UDP) firewall.
| URfejk wrote:
| And Blokada can block only 450000 entries or thereabouts,
| otherwise it crashes.
|
| Btw, personalDNSfilter can filter millions of entries without
| problems.
| darkwater wrote:
| The domain bravedns.com made me initially think it was related to
| the Brave browser, so seeing "block ads" was a bit... strange.
| But looks like they are not related at all. Why that domain name
| then? The blog is under the rethinkdns.com domain.
| rapnie wrote:
| Probably the association with Brave was reason for the name
| change. Think they still need to switch their site domain.
| anotherevan wrote:
| Yeah, I admit that put me off at first, as I've found Brave
| browser generally off-putting.
| dvfjsdhgfv wrote:
| Someone must have told the developer of BarveDNS to rethink the
| name.
| [deleted]
| llarsson wrote:
| I tend to use DNS66, but have been looking for an app the can
| also block on a per-app level. Because I agree with the web site:
| it is very fishy that e.g. the Calculator app would have internet
| access.
| Valodim wrote:
| Happy customer of nextdns.io, which seems to offer the same
| benefits but isn't limited to Android. Is there anything this can
| do that nextdns can't?
| Valodim wrote:
| Answering my own question, it can work on a per-app basis. So
| far I haven't missed anything with per-device blocklists, but
| maybe I'm missing out :)
| ignoramous wrote:
| Hi there, RethinkDNS developer here.
|
| NextDNS does a _lot_ more than RethinkDNS, at this point, but
| no reason why we couldn't implement their feature set. We
| are a team of three spread thin between the Android app and
| the stub resolver, but are continuing to make progress. Our
| focus, unlike NextDNS', is geared more towards anti-
| censorship.
|
| With RethinkDNS though, right now, you don't need an account
| and could simply select a set of blocklists and copy the
| resulting URL to any DoH client [0]. As of today, RethinkDNS,
| the resolver, is more of a limited BlahDNS / Quad9
| replacement than a NextDNS replacement. Limited, because it
| only supports DNS over HTTPS/[2|3].
|
| That said, we do plan to pick up development pace on the DNS
| side and FOSS our DNS stub resolver that one could deploy to
| Cloudflare Workers with one-click [1].
|
| And maybe start catching up with NextDNS on the path it has
| trail-blazed.
|
| Besides, you could use the RethinkDNS Android app to set
| NextDNS as your resolver instead of the default preset
| resolver; if you're on Android 8 or below, or need a firewall
| and on-device DNS logs.
|
| [0] https://RethinkDNS.com/configure
|
| [1] Not ready yet, but should be by end of this month:
| https://github.com/celzero/serverless-dns
| URfejk wrote:
| Any possibility to have Tor or Purple I2P modules included
| like those in Invizible Pro: https://invizible.net/en/
|
| P.S. It crashes now and then when I try to enable
| resolvers.
|
| If I enable them and then exit the software and open it up
| again, it doesn't save the resolvers I have picked. Is it
| possible to save the settings?
| ignoramous wrote:
| RethinkDNS does support chaining out to any SOCKS5 (TCP)
| endpoint on-device. SOCKS5 UDP should be on its way, too.
| https://github.com/celzero/rethink-app/issues/100
|
| I'm not sure if we'd ever embed the Tor or I2P library in
| the app (because we'd need to constantly update it with
| upstream to ensure we don't slip up on security issues),
| but never say never.
| marshallnine wrote:
| From quickly glancing over this, it sounds like it's set to have
| your DNS lookups proxied by servers RethinkDNS maintains, and
| forwards them on to 1.1.1.1. Did I misunderstand?
|
| Can we set this to use another provider other than 1.1.1.1?
| ignoramous wrote:
| Not right now, but it is trivial for us to add that support,
| and we intend to add it.
|
| https://github.com/celzero/serverless-dns/issues/1
| high_byte wrote:
| Exactly what I needed. Works well so far, thanks!
| ignoramous wrote:
| Glad you like it! Feel free to get in touch in case you have
| any queries or suggestions: I am mz at celzero dot com. All ears
| (:
| dmje wrote:
| Can someone explain to me (like I'm 5) whether I should consider
| a dns service over and above a pihole, which I'm running already?
| Is there any benefit to setting the dns on the pihole to use this
| service, or nextdns or similar?
| [deleted]
| sergiomattei wrote:
| I don't think you're the target audience. The biggest benefit
| is simply convenience -- lots of folks, myself included, just
| don't want to have to maintain/install a local instance.
| dmje wrote:
| Sure, but my question was a genuine one - is there a benefit
| to running both?
| wnevets wrote:
| > The rethinkdns app keeps track of connections an app
| makes from the Android device and tracks its data usage
|
| That's not something Pi-hole can do.
| politelemon wrote:
| A main use case I can think of is if you are not at home. And
| you don't use PiHole + PiVPN. Then it would be convenient for
| you if you put this app on your phone and just use it like a
| 'local' PiHole (but it's also working at an app level).
|
| I don't believe you'd get your PiHole itself to use this
| service, it's not a public DNS service that you can get your
| PiHole to point at.
|
| As for NextDNS, are you asking, would you get your PiHole to
| use your NextDNS as an upstream? You could do that, there isn't
| a huge advantage to it though... as PiHole is already doing the
| work for you. Your main motivation to do it anyway would be the
| consistency factor.
| dmje wrote:
| Thanks, yeah, the second part about using it upstream was what
| I was meaning, thanks for your help!
| cute_boi wrote:
| I wish it had added root support, which doesn't need a VPN to block
| IPs and can use iptables directly.
|
| AFWall can do this atm.
|
| The problem with blocking via VPN is that if we close the app, the
| VPN also closes (instead of running in the background as a
| service), which can happen due to clearing all apps.
| ignoramous wrote:
| (one of the developers here)
|
| > _The problem with blocking via VPN is that if we close the app,
| the VPN also closes (instead of running in the background as a
| service), which can happen due to clearing all apps._
|
| For this problem specifically, you can turn on "Always-on VPN"
| (to avoid a particular VPN app from being killed or replaced by
| another VPN app) and "Block connections without VPN" (to avoid
| traffic from leaking when the VPN app is killed or crashes)
| against any VPN app from Android's VPN Settings page.
| RethinkDNS supports both these settings.
|
| > _I wish it had added root support, which doesn't need a VPN to
| block IPs and can use iptables directly._
|
| The only available VPN slot going to a non-VPN app is indeed a
| deal breaker for many, and so, we plan to add support for
| WireGuard soon.
| aclelland wrote:
| I use DNS66 as a VPN ad blocker. You can lock the app so
| that clearing running apps won't shut it down, should work for
| this app too. Just long press on the running window and a lock
| option should show up. It works for me and I only ever need to
| manually start it after rebooting my phone.
| cute_boi wrote:
| It doesn't seem to block some system apps? I have blocked all apps
| except YouTube and I see Redmi/Mi related queries in DNS?
| ignoramous wrote:
| You can navigate to the "Network Log" tab in the "Firewall"
| screen and _search_ to see which app made connections to the IP
| address you see resolved in the DNS logs.
| NotChina wrote:
| So it's OK to censor ads, and legit tracking, but not hate-facts?
| There should be laws against circumvention of the protections
| Google/Twitter/Amazon, and others provide. We need a GPLv4 that
| limits the use of our software for these illegitimate purposes.
| What next? Nuclear powered baby mulchers running GPL code?
| ldng wrote:
| Really curious on _where_ those services (RethinkDNS, NextDNS,
| ...) are actually run. AWS? Azure? GCP? In-house?
| ignoramous wrote:
| RethinkDNS' DoH-only (open source) stub-resolver, written in
| JavaScript, runs on Cloudflare Workers.
|
| NextDNS runs unbound, a recursive-resolver, on rented servers
| (CoLo not cloud) worldwide, from what I gather.
|
| If I were to deploy a public DNS recursive-resolver globally
| today it'd probably be on fly.io or on AWS behind its Global
| Accelerator product.
| [deleted]
| McDev wrote:
| Off-topic but I'm glad to see them offering the APK download
| right under the Google Play link. More organisations should do
| this!
| dheera wrote:
| I think this is because they're probably vulnerable to being
| kicked off the Google Play store since it conflicts directly
| with Google's revenue model.
|
| I agree with you though, Google and Apple shouldn't be playing
| gatekeeper between me and my phone which I bought with my
| money.
| kenniskrag wrote:
| Or they should provide a flag to show these apps.
| unicornporn wrote:
| Or even better, (if open-source) put it on F-droid.
| politelemon wrote:
| Looks like it's preparing:
| https://github.com/celzero/rethink-app/issues/210
| URfejk wrote:
| It is open source.
| unicornporn wrote:
| I was thinking of Android software in more general terms.
| U8dcN7vx wrote:
| The largest annoyance with app based solutions is they don't work
| if you need to run a VPN at the same time, since they all depend
| on the Android VPN API to force all traffic to go through their
| program. Setting a custom DNS resolver often requires the same,
| an app acting as a VPN provider so it can assert the DNS servers
| that must be used. PiHole is slightly easier in that it asserts
| the resolver to use via DHCP which Android mostly obeys but
| having an app enforce that can be a safety net. So since the not-
| really-a-VPN app can't coexist with another actually-a-VPN app if
| I connect to work and if work doesn't have the same notions about
| what should be blocked I start to leak/see what I hoped to avoid.
| Not always terrible but also not what some might hope for. Some
| of these apps will chain via SOCKS v5, though too many won't work
| unless they are not the start of the chain, worse some things
| don't at all, e.g., Cisco AnyConnect certainly isn't willing to
| be a SOCKS server, nor a SOCKS client, so can't be the beginning,
| ending or in a chain.
| gsich wrote:
| Android has DoT support, so you could set up ad blocking there.
| tuxracer wrote:
| It's possible to change the DNS server on Android without a VPN
| or app since Android 9 Pie. You can set a custom DoH or
| traditional DNS server system wide from the connection
| settings.
| anotherevan wrote:
| I use AFWall+ which works directly on the iptables and not as a
| VPN. It can coexist with a VPN. It does require root though.
|
| https://play.google.com/store/apps/details?id=dev.ukanth.ufi...
| ignoramous wrote:
| Yeah, this is a problem but not one without a solution (unless
| Android bundles in a built-in Firewall API that other apps
| could use [0]): RethinkDNS already supports chaining via SOCKS5,
| and it would also soon support connections to/from WireGuard
| endpoints: https://github.com/celzero/rethink-app/issues/52
|
| And since RethinkDNS' underlying tunnel implementation is in
| Go, I'm fully expecting wireguard-go to fit in seamlessly.
|
| [0] https://www.xda-developers.com/google-restricted-networking-...
| lrae wrote:
| Seeing that this seemingly launched as "BraveDNS" only a couple
| of months ago (thus still using bravedns.com as domain), did
| Brave Browser knock on the door?
| dsissitka wrote:
| It doesn't look like Brave did but it looks like they were
| concerned Brave would.
|
| https://github.com/celzero/rethink-app/issues/69#issuecommen...
|
| https://twitter.com/bravedns/status/1320519852788887552
| lrae wrote:
| I see, stumbled upon this thread when I wrote the comment and
| it seemed like they didn't really think it's a problem.
|
| https://www.reddit.com/r/Adblock/comments/ia5ics/bravedns_ad...
|
| Guess that changed within that month.
| ignoramous wrote:
| What changed is half my energy went into discussing the
| name (BraveDNS) on various online forums versus actually
| discussing the app itself.
| riedel wrote:
| How does it compare to PersonalDNS or Blokada?
| ignoramous wrote:
| Hi all, one of the developers of RethinkDNS here.
|
| I have been working on this full-time with a couple other friends
| since May 2020. We won a grant from Mozilla as part of their
| FixTheInternet initiative [0] last year in July, which has meant
| we could afford to give away the initial versions for free as we
| continue to work on stability and advanced feature-set that we
| could charge for.
|
| RethinkDNS is a no-root firewall for Android: it is a mix of both
| LittleSnitch and Pi-hole. I believe it might be the only open
| source DNSCrypt v3 client for Android.
|
| The website points to bravedns.com because that's the name we
| launched with. A lot of untangling is required to completely move
| to rethinkdns.com (for example, older clients still use
| bravedns.com and do not seem to respect 301/302 redirects), which
| we intend to do sooner rather than later.
|
| The core firewall is written in Golang, whilst the UI is all
| Kotlin/Android. We are evaluating a move to Flutter to take this
| cross-platform, but the immediate focus has been stability and
| adding support for WireGuard [1].
|
| Currently, the firewall only tracks TCP/UDP flows. We are in the
| process of rewiring the firewall's network stack to use gVisor's
| TCP/IP implementation, and we presume that should improve things
| considerably.
|
| RethinkDNS, which is a fork of getintra.org, is also an anti-
| censorship tool. It can bypass SNI based censorship in most
| countries like Iran, India, Saudi Arabia (but not all).
| Eventually, we foresee adding a mesh-VPN like capability to
| WireGuard (a la tailscale.com) in the app to enable people who
| "friend each other" to share each other's connections and IPs,
| similar to the now-defunct uProxy [2], to bypass censorship.
|
| RethinkDNS relies on its namesake stub DoH-only resolver for DNS
| based content-blocking which is deployed to Cloudflare Workers.
| This is open source, as well. We are working towards making it
| one-click deployable so that others may run their own stub
| resolver; Workers' free-tier supports well over 3 devices' worth
| of DNS queries a month. The stub resolver, as of today, supports
| blocking over 5M domains from around 171 lists. We plan to
| support all 2400+ blocklists listed on filterlists.com
| eventually.
|
| Since the app and the resolver are both super early, I did not
| expect it to land on HN. It is what it is, but please be kind :)
|
| [0] https://news.ycombinator.com/item?id=23194178
|
| [1] https://github.com/celzero/rethink-app/issues/52
|
| [2] https://en.wikipedia.org/wiki/UProxy
| karlzt wrote:
| These types of tools on Google Play are an oxymoron.
|
| I would only use it if it is kicked off the Google Play store
| because it is against Google's revenue model.
| williesleg wrote:
| Pihole and a vpn, problem solved inside and out of the house.
| Darmody wrote:
| Apparently it blocks ads on YouTube, something that Blokada is
| not able to do.
| libertine wrote:
| It's not blocking YouTube ads for me, weird.
| Darmody wrote:
| I can see the yellow dots on the video progress bar but
| that's all, the ads don't show up.
| newscracker wrote:
| It says "for Android" right in the title, but I'm sure there are
| people who'd like to know if there will be an iOS release (and if
| yes, when that may be likely). I couldn't find answers to this in
| the FAQ.
|
| For iOS, there's Lockdown (lockdownprivacy.com), which is
| _slightly_ similar to this.
| ignoramous wrote:
| Hi, one of the developers here. Did not expect this to land on
| HN.
|
| For iOS, my understanding was that Apple already provides a
| built-in firewall?
|
| Besides, the APIs to track connections/flows per application
| aren't necessarily available on iOS [0]?
|
| I used to hack on AOSP for a living, so kind of right at home
| with Android, right now.
|
| [0]
| https://developer.apple.com/documentation/networkextension/f...
| angott wrote:
| That API you're linking is only available on macOS (see the
| column on the right side of the page).
| ignoramous wrote:
| Yeah, that was the point I was trying to make. I am not
| aware of APIs on iOS that let VPN apps track and block per
| app connections flows.
|
| Digging a bit deeper in the developer docs, it looks like
| it may be possible?
| https://developer.apple.com/documentation/networkextension/a...
|
| Given that the core firewall is implemented in Go, we
| should be able to port it to iOS without much worry. But
| first, must arrange funds to purchase a Mac and an iPhone
| :)
| machello13 wrote:
| Just a heads-up that at the end of that support doc, it
| says the API is only available for managed devices on
| iOS.
___________________________________________________________________
(page generated 2021-02-14 23:00 UTC)