30 comments

[ 3.2 ms ] story [ 61.4 ms ] thread
Oh this is intersting, it's a local android app that does the same as PiHole/NextDNS/Blockada. Being on F-Droid and the ability to host your upstream DNS are pretty nice.
rdns dev here

Hi, Rethink is more in line with LittleSnitch / LuLu Firewall / Glasswire than NextDNS or Pi-Hole. And it is nothing like Blokada [0]

To illustrate that point, here's some of the features we recently released:

1. Block all connections where an app is deemed to have bypassed user-set DNS (either by using DoH like Telegram does, or connecting straight to hard-coded IPs like WhatsApp and Instagram on occasion).

2. Block all newly installed apps by default. This in particular was apparently helpful for folks in Hong Kong forced to install contact-tracing apps.

3. Per-app IP allowlists. Ideally, you'd set these for apps you tend to use the often and selectively allow it to connect to only a handful no. of IPs (for ex, GMail only to Google-owned IPs; and WhatsApp to Facebook-owned IPs, and so on).

We use a fairly effective heuristic to map DNS names with outgoing IP connections, which comes in handy to impl some of the above features.

Our immediate focus is supporting IPv6 (mostly DNS64, DSLite, & 464Xlat) and embedding WireGuard. If you have any feature requests, I am all ears (:

[0] https://www.reddit.com/r/privacy/comments/nlzyit/opinion_abo...

Sorry, I ment to say "looks like". This is all really cool, I'll definitely check it out!
This looks great, looking forward to giving it a go.

Interested to see how it works for me though my set up is some what unique in between using Tailscale and NextDNS on my mobile phone. Thanks for creating this, Android is in desperate need of more tools like this.

Thank you for working on this problem space. Solutions are sorely needed.

I am a current NetGuard user, and, at least on a non-rooted device, there is a disclaimer that apps which use Google Play services for their data transfers cannot be individually blocked. Is this a problem to which you have managed to find a solution?

Thanks for your kind words.

> ...there is a disclaimer that apps which use Google Play services for their data transfers cannot be individually blocked.

Well, inter-process communication (IPC) in Android is such that, a firewalled app can still ask another unblocked app to do its biding. This isn't an Android thing but rather a limitation for any multi-tasking OS that has mechanisms for IPC (pretty much establishing the need for MicroVMs, Containers, Jailers and what not).

In Google Play services (GPS) case, of course, the firewalled app can communicate with it and ask it to fetch notifications and such on the app's behalf, and this would succeed. This isn't a firewall leak, because from the firewall's point of view (which isn't a jailer), if GPS isn't firewalled, then its connections are allowed, regardless of whichever app it is connecting on behalf of.

> Is this a problem to which you have managed to find a solution?

A network firewall cannot solve for this unless it MiTMs GPS traffic (which isn't straight-forward on Android since Android supports certificate-pinning). What I'd do instead is either disable or force stop apps I don't use. And the ones I use but want firewalled, I accept that there are IPC mechanisms which provide escape hatches for the app. And short of the OS itself implementing mitigations, there isn't much that a userspace app can do.

(comment deleted)
Can the app be used with an external DNS provider? Or would that impact the IP > DNS mapping
Yeah it can, the app provides quite a few different options as well as user defined DNS maps/resolvers.
i wish iphone had such apps and such apps didn't require vpn etc.
Rethink will support connecting to WireGuard upstreams sometime in the coming months. We are actively working on it.

Apparently, macOS has a nice bunch of NetworkExtension APIs intended for Firewalls (though, first-party Apple apps can bypass those firewall rules pretty much on-demand). As for iOS, afaik, there are no equivalent NetworkExtension APIs.

How does this compare to the TrackerControl app?
TrackerControl has a different target audience and sports a brilliantly designed UI. It can be much more easier to use than Rethink if all you're trying to do is block spyware and attentionware across all apps to the extent DNS blocking allows.

Otoh, Rethink is a userspace firewall (in line with LittleSnitch / Glasswire). Primarily meant as a way for Android users to keep tabs on network activity of installed apps and tame it where possible.

TrackerControl also supports viewing network activity for each app, and then blocking network access entirely or for specific hosts.

Is their any additional features in Rethink ?

Thank you for building this application BTW.

> TrackerControl also supports viewing network activity for each app, and then blocking network access entirely or for specific hosts.

Rethink blocks based on IP addresses (rather than host names). TrackerControl (TC) may be doing something similar (since it runs NetGuard underneath), but in the UI it appears as so that TC is blocking based on host names?

For DNS (host name) based blocks, Rethink bundles in 180+ popular host files (like StevenBlack, 1Hosts, GoodbyeAds, OISD, CPBL) in the app (on GitHub and F-Droid versions only). We are in the process of implementing a allowlist/whitelist and denylist/blocklist for individual host names, as we speak. Release in perhaps a month or so.

I hope pricing will be one time charge, not monthly subscription. Please.
Thanks for sharing our app on HN! (:

The app is going to be free to use. Per our current plan, we don't intend to charge for it at all, ever.

You're welcome. It was my pleasure to share it.

I was using IodéOS that has similar blocker built-in - but it is not open source so I was looking for no root alternative to control specific app/domain connections and this blows my mind. FOSS, pleasant UI, many very useful features for prevent leaks and so on...

Btw what is different between blocking individual domains (soon in DNS) and blocking connection in firewall for specific domain?

A dns name may be mapped to multiple IPs (case 1). Same IP could be mapped to multiple dns names (case 2).

So, if you're blocking an IP, you might end up blocking multiple domains (case 2) or end up not even effectively blocking a single domain (case 1). This confuses users, and you get reports like:

1. I blocked a Google IP but my app still connects to google.com (case 1, since Google owns a gazillion IPs).

2. I blocked a cloudflare.com IP and now can't access reactjs.org (case 2, where IPs are shared).

Some folks find it easier to reason about rules on domain names than IPs. So, blocking/allowing domain names makes for a better user experience, when implemented right.

> The app is going to be free to use. Per our current plan, we don't intend to charge for it at all, ever.

How do you plan to keep the lights on, then?

They seem to be beta testing a paid dns service.

"On-device firewall is free. The in-the-cloud Rethink DNS content-blocking resolver has both free (public beta) and paid tiers (private beta). Currently, pricing isn't implemented and so the private beta is essentially also free till then."

Like another user pointed out, we intend to charge for a cloud-based dns service. We intend to add other anti-censorship / anti-surveillance features too that may incur charges; like reselling a Private Relay like proxy, a remote browser, a disposable chat room, calls, and so on. Of course, a lot depends on if we manage to stay upfloat. We are a small team after all: Just the 2 of us, with zero funds ;)
"On-device firewall is free. The in-the-cloud Rethink DNS content-blocking resolver has both free (public beta) and paid tiers (private beta). Currently, pricing isn't implemented and so the private beta is essentially also free till then."

Is this referring to a nextdns like service?

Yes, like NextDNS / ControlD / AdGuard etc. Just a way to generate funds for the development of the app, so it will likely be way cheaper (think 5x) than existing providers.

But we exist as an anti-censorship and anti-surveillance solution, so expect us to build more than just a content-blocking DNS.

Hi, I'm trying to use the DNScrypt functionality but Rethink app keeps telling me "Error connecting to DNScrypt server" when trying to use Quad9 or my NextDNS resolver. The other default ones (Adguard, Cleanbrowsing etc) do work though. Any ideas?
What's the point of using private DNS and local, like Rethink?
When you say "and" do you mean what are the benefits over the other, or do you mean "using both/either"?

I'm just interested in getting a comprehensive way of getting everything to go through the tunnels I want them to go through. Adblock and/or firewall is just a bonus.

This looks like a great option similar to LittleSnitch (or ZoneAlarm) for being able to selectively deny apps access to network, in an ad-hoc manner, on mobile devices.

For what it's worth, GrapheneOS has a network-level permission which can be toggled. LineageOS and other AOSP forks also have this, but it's not as... robust.

This package name is "bravedns", does this have any ties to Brave browser or anything users should be aware of?