[APP][6.0+] RethinkDNS: Anti-Censorship + Adblocker + Firewall [open source] [no root]


ignoramous

Member
Sep 22, 2012
38
21


RethinkDNS is an anti-internet censorship tool with DNS-based adblocking and a firewall built-in for Android 6+ devices.

The app itself is free to use and comes with the RethinkDNS (previous name: BraveDNS) resolver, with support for custom denylists, allowlists, the ability to store DNS logs for later analysis, view those logs consolidated from multiple devices in a single interface and so on: Pretty much a pi-hole in the cloud.

Why'd we build this?

As concerned Android users: It absolutely irks us that people who do care enough about privacy still couldn't use privacy-enhancing apps without requiring a degree in computer science. We saw this pattern unfold multiple times and a lot of tools over the years have done a tremendous job of making niche security tools accessible to naive users. We wanted to further that conversation on Android with a vision for what we think such a tool should look like:

1. Anti-censorship: Enable open internet. DNS over HTTPS (and the imminent ESNI standard) is going to effectively break censorship as implemented in a lot of countries without requiring to route the traffic through VPNs. VPNs (and distributed tech like IPFS and mesh networks like Lantern) are still required in countries that employ Deep Packet Inspection. That's something we'd like to tackle in the near future.

2. Anti-surveillance: Expose apps, their activity logs, network logs, and provide some actionable insights to the users on what they could do next. Exodus Privacy does a good job at statically analyzing an app and laying bare the trackers and permissions in-use, whilst the evergreen NetGuard does ever-so-well in revealing an app's connectivity history. We believe, there's a lot more that can be done than simply firewall an app: For instance, you could disable it, uninstall it, remove its permissions, remove the so-called special permissions (like read notification permission, read SMS permission, read app-usage statistics permission etc). Basically, empower the user with whatever control is available without-root in a neat little interface (think CleanMaster vs using the stock Settings app but being actually effective and not lie).

The current version of RethinkDNS (previous name: BraveDNS) is a start in the direction laid out above partly because we want such an app ourselves and partly because we feel people deserve more such tools, and we hope to build it with this community's input, because god knows we have been wrong plenty when it comes to "what people really want".

As privacy enthusiasts: We were frustrated that if we wanted to use NetGuard we couldn't use another VPN app, or if we wanted to use a DNS changer like Blokada then we couldn't use NetGuard (though, NetGuard + Private DNS feature alleviates the problem on Android 9+). We wanted something that wasn't as restrictive because we knew it could be built and so we did.

Key points:
1. Easy configuration.
2. No root required.
3. Free and open source (forked from Intra).
4. No built-in trackers or analytics.
5. In continuous development.

Current features:
1. DNS over HTTPS (circumvent censorship and prevent surveillance of DNS logs by ISPs and everyone else), DNSCrypt v2 with Anonymized Relays, and DNS over Tor.
2. View DNS logs, including latencies and other metadata.
3. Ad-block through RethinkDNS (previous name: BraveDNS) free resolver and local blocklists.
4. Add your own DNS over HTTPS / DNSCrypt v2 servers.
5. Firewall by app categories.
6. Firewall individual apps.
7. Firewall individual IP addresses.
8. Firewall when apps are in the background (not-in-active-use).
9. Firewall when device is locked.
10. Forward DNS and TCP connections to Orbot (Tor as a proxy).
11. Forward HTTP connections to any HTTP proxy.
12. Forward TCP connections to any SOCKS5 endpoint or to Orbot.
13. Forward DNS connections to any app running locally on-device or any endpoint (either local or on the Internet).
14. [v053g / Sep '21] Firewall when apps bypass DNS (for example, block connections to IPs that apps resolve themselves).
15. [v053g / Sep '21] Pause: Pause the Firewall and DNS for a brief time-period.
16. [v053g / Sep '21] DNS Trap: Proxy all requests made on Port 53 to user-set DNS endpoint (for instance, this traps and redirects all custom DNS requests WhatsApp sends to Google's `8.8.8.8` DNS servers to the DNS endpoint of a user's choice).

Planned (in order):
0. Custom DNS allowlists/denylists.
1. WireGuard VPN integration.
2. Firewall based on metered (LTE) or unmetered connection (Wifi).
3. Per-app DNS and VPN (route traffic to multiple VPNs / DNS based on which app is making those connections).
4. IPv6 support.


See: github/celzero/rethink-app/feature-backlog.

We can't emphasize this enough: Let us know what you'd like to see us build and more importantly what'd make this tool use-able for other Android users who care enough but aren't as tech-savvy.

If you'd like to contribute, please feel free to send pull requests our way.

Thanks.

---

Source: github/celzero/rethink-app
Website: rethinkfirewall.com
Blog: blog.rethinkdns.com
Twitter: twitter.com/rethinkdns
FAQ: rethinkdns.com/faq
License: Apache 2.0

Download: via RethinkDNS.com | PlayStore | F-Droid.

---
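The decision behind feature 14 ("Firewall when apps bypass DNS") can be sketched as follows. This is an added example, not code from the RethinkDNS project: the class name, the 30-second grace period and the constructed events (documentation-range IPs) are all assumptions made for illustration.

```python
import ipaddress


class DnsBoundFirewall:
    """Allow a connection only if its destination IP came back in a DNS
    answer the firewall itself observed and that answer has not expired."""

    def __init__(self, grace_seconds=30):
        self.grace = grace_seconds  # assumed slack for apps that cache past the TTL
        self.resolved = {}          # ip -> (expiry time, domain)

    def on_dns_answer(self, now, domain, ip, ttl):
        key = ipaddress.ip_address(ip)  # normalises textual IPv4/IPv6 forms
        expiry = now + ttl + self.grace
        if key not in self.resolved or self.resolved[key][0] < expiry:
            self.resolved[key] = (expiry, domain)

    def on_connect(self, now, ip):
        entry = self.resolved.get(ipaddress.ip_address(ip))
        if entry is None:
            return "block", "no DNS answer seen for this IP"
        expiry, domain = entry
        if now > expiry:
            return "block", f"answer for {domain} expired"
        return "allow", domain


# Constructed events: (kind, time in seconds, ...).
EVENTS = [
    ("dns", 0, "api.example.com", "203.0.113.10", 60),
    ("conn", 5, "203.0.113.10"),    # resolved through the firewall's DNS
    ("conn", 6, "198.51.100.7"),    # hard-coded or self-resolved IP
    ("conn", 200, "203.0.113.10"),  # answer expired at t=90
    ("dns", 210, "api.example.com", "203.0.113.10", 60),
    ("conn", 220, "203.0.113.10"),  # fresh answer again
]


def replay(events):
    """Feed events through the firewall; return (time, ip, verdict) per connection."""
    fw = DnsBoundFirewall()
    verdicts = []
    for kind, now, *rest in events:
        if kind == "dns":
            fw.on_dns_answer(now, *rest)
        else:
            verdicts.append((now, rest[0], fw.on_connect(now, rest[0])[0]))
    return verdicts


if __name__ == "__main__":
    for row in replay(EVENTS):
        print(row)
```
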


GuestK00460

Guest
pls add system apps block on firewall, also block domain on dns log and dns server change
 

ignoramous

Member
Sep 22, 2012
38
21
Thanks.

System apps: Good catch. We'd look to put that in the coming days.

DNS block button against a domain in the logs: We do plan to add that but not sure if it ends up violating PlayStore terms. Maybe we need two versions, one for f-droid and another for PlayStore like Blokada has.

Can you elaborate what you mean by block domain on DNS server change?
 

GuestK00460

Guest
> Thanks.
>
> System apps: Good catch. We'd look to put that in the coming days.
>
> DNS block button against a domain in the logs: We do plan to add that but not sure if it ends up violating PlayStore terms. Maybe we need two versions, one for f-droid and another for PlayStore like Blokada has.
>
> Can you elaborate what you mean by block domain on DNS server change?

block/allow individual domains which are showed by log.
change dns servers just like nebulo app.
also proxy on tor n dnscrypt support like invizible-pro app.
 

ignoramous

Member
Sep 22, 2012
38
21
> change dns servers just like nebulo app.

Dnscrypt shouldn't be much trouble to implement but I wonder what extra protection it affords over DNS over HTTPS. That said, I've added it to our backlog.

> block/allow individual domains which are showed by log.

Gotcha but as mentioned before I am not sure if this feature breaks PlayStore terms. Added.

> also proxy on tor n dnscrypt support like invizible-pro app.

Yes! This is something that we want to do next. Once the part with Firewall and DNS is done (our immediate attention is adding missing features and later add support for Android 6+). Thanks for the heads-up: invizible-pro looks great, and exactly the kind of app that we envision to build ourselves.
 

y0himba

Senior Member
Sep 16, 2008
441
52
In a house.
www.y0himba.net
Hello, I am on a stock Pixel 2 XL, Android 10, latest security patches as of August. The app starts and runs, but tapping the start circle does nothing. DNS or Firewall doesn't start.
 

ignoramous

Member
Sep 22, 2012
38
21
> Hello, I am on a stock Pixel 2 XL, Android 10, latest security patches as of August. The app starts and runs, but tapping the start circle does nothing. DNS or Firewall doesn't start.

Strange. This is unlikely related to Pixel or the latest Android Oreo update. Please check if any other VPN app has been set to "Always-on VPN" like-so (also see attached):
1. Settings -> Wifi and internet -> VPN.
2. Click on the sprocket icon against the apps.
3. Check if "Always-on VPN" is check-marked.

Disable that setting (if and only if you do not want that VPN app to be an "Always-on VPN") and BraveDNS should now prompt you for VPN access once you click "Start".

BraveDNS (or any app that requires VPN API access to function) cannot work with other VPN apps in-tandem (especially, not with "Always-on VPNs").
 

ignoramous

Member
Sep 22, 2012
38
21
> So this still exposes one's real IP address, yes?

Yes, BraveDNS isn't a VPN service like ProtonVPN / Mullvad / Lantern etc are. Right now (though we do have plans to add VPN servers like Lantern et al in probably two to three months from today but that'd be only to support anti-censorship and not anonymity). See: https://github.com/celzero/brave-android-app/issues/52 and https://github.com/celzero/brave-android-app/issues/51

We're adding support for SOCKS5 and HTTPS-Proxy in the upcoming release (next week) which would help forward traffic to VPNs (like NordVPN) that support those protocols: https://github.com/celzero/brave-android-app/issues/45

Right now, BraveDNS uses VPN access on-device to change DNS and implement Firewall functionality (similar to what the excellent NetGuard app does).
 

pocholo36

Senior Member
Mar 4, 2014
122
37
Muck City
Google Pixel 6
> Yes, BraveDNS isn't a VPN service like ProtonVPN / Mullvad / Lantern etc are. Right now (though we do have plans to add VPN servers like Lantern et al in probably two to three months from today but that'd be only to support anti-censorship and not anonymity). See: https://github.com/celzero/brave-android-app/issues/52 and https://github.com/celzero/brave-android-app/issues/51
>
> We're adding support for SOCKS5 and HTTPS-Proxy in the upcoming release (next week) which would help forward traffic to VPNs (like NordVPN) that support those protocols: https://github.com/celzero/brave-android-app/issues/45
>
> Right now, BraveDNS uses VPN access on-device to change DNS and implement Firewall functionality (similar to what the excellent NetGuard app does).

I've been looking for an all in one solution. Currently forced to use AdGuard+Nord...

Looking forward to it. Thanks for all you guys do.
 

bladestonez

Senior Member
Mar 9, 2011
328
86
My brief experience with this is not great. Breaks several apps once turned off the app no longer opens so has to be uninstalled to turn it back on. Ad blocking did not seem to function at all.
 

y0himba

Senior Member
Sep 16, 2008
441
52
In a house.
www.y0himba.net
> Strange. This is unlikely related to Pixel or the latest Android Oreo update. Please check if any other VPN app has been set to "Always-on VPN" like-....

That fixed it. I should have figured as much, but I'm getting too old for this I think. I can't wait until you offer subscriptions! This is brilliant. I hope it's on the up and up though, I'm paranoid so don't mind me.
 

ignoramous

Member
Sep 22, 2012
38
21
> My brief experience with this is not great. Breaks several apps once turned off the app no longer opens so has to be uninstalled to turn it back on. Ad blocking did not seem to function at all.

So sorry this app has forced you to uninstall apps in order to use them. That definitely sounds like something went wildly wrong.

Would you please tell us more about the device, the Android version, and probably the list of steps that led to this issue you saw? You could also email us logs or a screen recording at [email protected]

We do know of crashes especially on flaky networks and on network changes, and we would eventually fix those but they have been extremely hard to track-down in production builds to a root cause (due to lack of stack trace / debug symbols for native crashes).

BraveDNS has been in development for a total of 2 months and was released three weeks back. It is a baby app :) and I fully expect stupid bugs to appear in the wild but cautiously hopeful that we'd fix most if not all.

Re: adblocking:

Adblocking is done exclusively through DNS. If the default endpoint doesn't work, you can point the app to a custom DNS over HTTPS endpoint. https://dns.adguard.com/dns-query is AdGuard's content blocking DNS endpoint. And https://doh.pi-dns.com/dns-query is another volunteer-run content-blocking DNS.
 

73sydney

Senior Member
Using a VPN method to firewall on a rooted device is a no from me (I can totally understand if you use this to increase your userbase to non-root users, but that's not for me), I'll stick with Invisible (for DNSCrypt & its ability to load my 19Mb blacklist) and my root firewall for now.
 

chaoszero112

Senior Member
Apr 26, 2010
162
23
Burlington
Really need to change the name.

Brave = Brave Browser

A lot of people are going to assume it's a VPN by Brave.

It's like calling it FirefoxVPN.
 

Top Liked Posts

    2
    Thanks. Nice work.
    Unfortunately, it usually comes down to firewall or VPN

    Would love to see what you guys do (if at all) to allow third party VPNs
    2
    Just want to say many thanks for this app, I can finally use custom private DNS, firewall and VPN together. Waiting now for the next update :)
    1
    > I just started using this app again on a new android 10 device and so far no crashes!
    >
    > I have a couple of questions:
    >
    > 1. Is it possible to block apps in my work profile? I currently don't see them in the app list (I don't think I can run this app in my work profile and my main profile at the same time...)
    >
    > 2. Are you thinking of implementing separate blocking for different networks (e.g. unmetered WiFi vs cellular)? Something similar to what NetGuard can do? That would be awesome but I know probably a lot of work.
    >
    > Currently your app is the best firewall/adblocker that I have found so thank you very much for it!

    Thanks, v053g (released Sep 15) must be even more stable (live on both F-Droid and Google Playstore). We refactored a lot of things and paid up the accumulated technical debt (but it took us 5 months to do it, unfortunately).

    Re: Your queries:

    1. We haven't tested the app in Work Profile or in multi-user mode, so it may or may not work. As far as limitation in Android is concerned: One can definitely run the same app (even a VPN app) in both the profiles at the same time.

    2. Yes, this is coming in v054, due end of this month (October)... or next, depending on how the development goes.