[APP][6.0+] RethinkDNS: Anti-Censorship + Adblocker + Firewall + VPN [open source] [no root]

Nastrahl

Senior Member
> My understanding is that this app bypasses my blocking rules from the /etc/hosts file, right?
>
> Is there a benefit to using this app instead of energized protection magisk module + a custom dns server? (ISP cannot see requests bc they are encrypted with https?).
> Or any drawbacks? (More battery usage than hosts file?)
>
> Thanks for any advice.

Editing the HOSTS file is the worst method actually.

It's slow. Hosts file needs to be cached in RAM by the DNS client and that takes time + processing power.

When the DNS cache is flushed, it needs to cache it again.

Internet may be completely unresponsive during the caching.

It takes an enormous quantity of RAM, especially if you use energized, because their lists are huge.

There's a high risk of blocking useless domains because you'll never try to resolve them in the first place, so it's a waste of resources.

It's not optimized as it supports no filtering rules.

Using a VPN means that it will ignore the system's hosts file for the VPN's database, so it's another waste of resources.

If you already use a custom DNS server there's no need to use the hosts file. Instead, let the DNS server filter domains out by importing energized lists in it.

The benefit I see is that you can also make use of the firewall to block locally everything you need per app, while hosts file / DNS filtering are system wide.

You can customize a lot of rules based on your preferences also.

I don't know if it can do cosmetic blocking to hide placeholders of ads on websites though.
 
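The point made in the post above, that a hosts file matches exact names only while a filtering DNS resolver can apply rules, shown as an added example (not part of the original post and not RethinkDNS code). The blocklist entries are constructed, and the Adblock-style `||domain^` / `@@||domain^` rule syntax is an assumption about what the filtering resolver accepts.

```python
# Constructed sample data; all domains use the reserved .example TLD.
HOSTS_TEXT = """\
# constructed hosts-format blocklist
127.0.0.1 localhost
0.0.0.0 ads.tracker.example
0.0.0.0 metrics.vendor.example   # trailing comment
"""

RULES_TEXT = """\
# constructed rule list (assumed Adblock-style domain rules)
||tracker.example^
||metrics.vendor.example^
@@||cdn.tracker.example^
"""

SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::"}


def normalize(name):
    return name.lower().rstrip(".")


def parse_hosts(text):
    """Names a hosts file sinkholes. Each entry is one exact name, nothing more."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in SINK_ADDRESSES:
            continue
        blocked.update(normalize(n) for n in fields[1:] if n != "localhost")
    return blocked


def parse_rules(text):
    """Split rules into block and allow sets; '@@' marks an exception."""
    block, allow = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        target = allow if line.startswith("@@") else block
        rule = line[2:] if line.startswith("@@") else line
        if rule.startswith("||") and rule.endswith("^"):
            target.add(normalize(rule[2:-1]))
    return block, allow


def suffixes(name):
    """a.b.c -> [a.b.c, b.c, c]; lookup cost depends on label count, not list size."""
    labels = normalize(name).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def hosts_blocks(name, blocked):
    """Hosts-file semantics: only an exact match is blocked."""
    return normalize(name) in blocked


def rules_block(name, block, allow):
    """Resolver-side semantics: a rule covers the domain and its subdomains,
    and an allow rule takes precedence over any block rule."""
    candidates = suffixes(name)
    if any(s in allow for s in candidates):
        return False
    return any(s in block for s in candidates)


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_TEXT)
    block, allow = parse_rules(RULES_TEXT)
    for q in ("ads.tracker.example", "pixel.ads.tracker.example",
              "img.cdn.tracker.example", "www.vendor.example"):
        print(f"{q:28} hosts={hosts_blocks(q, hosts)!s:5} "
              f"rules={rules_block(q, block, allow)}")
```

A subdomain that was never listed slips past the hosts file but is caught by the single parent-domain rule, and the exception shows the kind of allow rule a hosts file cannot express.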

buddy96

Senior Member
Aug 22, 2018
71
22
Moto G6
Moto G50
Just came across it whilst looking for an alternative to Blokada as I wanted the ability to block specific apps. Amazing! And I've only scratched the surface. I'm surprised this has not attracted more attention from users with non-rooted devices.

Thank you!
 

celestialspring

Senior Member
Sep 19, 2010
212
48
I am waiting for the next version because it will have some features that I must have in such an app.

The devs are working hard on it! Hopefully we will get an update soon.
 

FFW

Senior Member
May 24, 2020
74
49
I just stumbled upon this app from a comment in the weblog of Mike Kuketz - and I did not believe my eyes when I read through this thread: finally there seems to be a chance to have the combination of a local firewall, ad blocker AND a VPN client to forward the traffic to my own network after filtering on an unrooted Android! This is ***so*** great news!
With an integrated Wireguard client included, this app will be quite likely to replace NetGuard on my phone if it runs stable :)

Some questions I had during setup:
  • what is the difference between unblocking and whitelisting apps in the firewall module?
  • while transferring my blocked apps from NetGuard for the test, I found the grouping of the blocked apps a little irritating, especially since there is a button that switches to "unblocked" as soon as I unblock one app of the whole group (and blocks the whole group again if I accidentally press it). Can this be turned off?
  • I know from Netguard there is a switch to block/unblock apps with "root" id. Is there something similar in ReThinkDNS?
  • how are the blocklists I have chosen updated? For Netguard, I have the possibility to update the Blocklist I chose to use via tasker in a time interval I can specify (yes, not the most intuitive way to do this...).
  • can I backup/import my list of blocked/allowed apps and chosen blocklist(s) and other settings?
But: all in all, this looks very promising! I am looking forward to how this app develops!
 

ignoramous

Senior Member
Sep 22, 2012
64
54
> I just stumbled upon this app from a comment in the weblog of Mike Kuketz - and I did not believe my eyes when I read through this thread: finally there seems to be a chance to have the combination of a local firewall, ad blocker AND a VPN client to forward the traffic to my own network after filtering on an unrooted Android!

Interesting Mike Kuketz should talk about Rethink. We're not European, you see :)

----

Re: Unblocking and whitelisting: Whitelisting is letting an app bypass all "Universal" firewall rules ("Block apps when device is locked", "Block all UDP traffic except DNS and NTP" etc that are enforced across all apps). We have renamed whitelisting to "Bypass universal" in the latest version (`v053i`) to make that clearer.

Re: Unblock app UI: The UI has seen a considerable change in `v053i`. How do you find the new one? Still long ways to go to fix all the niggling confusing bits in Rethink... but I hope we're going in the right direction.

Re: NetGuard `root` ID: I don't know why NetGuard calls it `root`? On Rethink, `root` only appears in "All Apps" tab if it makes an internet connection. `root` is named `ANDROID` (all caps) in Rethink. There are many such `root` apps, like `GPS`, `MDNSR`, etc. You'd find Rethink track them (and show them in "All Apps") only if they make at least one internet connection when Rethink is enabled, otherwise not.

Re: Blocklist update: We compress the blocklists and make them available for download on our servers. Users can download them on-demand (these are not auto-downloaded). We tend to update blocklists once a week. As for user setting their own blocklists, Rethink doesn't support them yet, but soon will.

Re: Backup: We're implementing this as we speak! :)

> But: all in all, this looks very promising! I am looking forward to how this app develops!

Thanks. We have been doing this for a good part of 2 years now (with two long health / pandemic enforced breaks in between), and despite the bugs and lack of features, it warms our hearts that people find the app promising (we have our share of haters too).
 

ignoramous

Senior Member
Sep 22, 2012
64
54
> Just came across it whilst looking for an alternative to Blokada as I wanted the ability to block specific apps. Amazing! And I've only scratched the surface. I'm surprised this has not attracted more attention from users with non-rooted devices.
>
> Thank you!

Do you know just how they run Blokada? If you did, you'd start questioning the transparency of it all...
 

FFW

Senior Member
May 24, 2020
74
49
> Interesting Mike Kuketz should talk about Rethink. We're not European, you see :)

No, it was one of his visitors, not the master himself. By the way - as long as your software follows the European logic of "privacy" (which it seems to do from what I can tell) it does not matter at all if you are European or not.

> ----
>
> Re: Unblocking and whitelisting: Whitelisting is letting an app bypass all "Universal" firewall rules ("Block apps when device is locked", "Block all UDP traffic except DNS and NTP" etc that are enforced across all apps). We have renamed whitelisting to "Bypass universal" in the latest version (`v053i`) to make that clearer.
>
> Re: Unblock app UI: The UI has seen a considerable change in `v053i`. How do you find the new one? Still long ways to go to fix all the niggling confusing bits in Rethink... but I hope we're going in the right direction.

Yes, the new app list is indeed much better! Looks a bit netguard-y ;)
Just two questions about this:
1. why is it impossible to edit DNS or Firewall if RethinkDNS is not active? I am still switching between Netguard and RethinkDNS and I would like to be able to edit the blocked/allowed apps before I activate RethinkDNS
2. Since RethinkDNS is also limited by Android App IDs, I miss the possibility to either group/sort apps by App ID (as AfWall+ does it) or to at least search for the App ID as Netguard allows.

> Re: NetGuard `root` ID: I don't know why NetGuard calls it `root`? On Rethink, `root` only appears in "All Apps" tab if it makes an internet connection. `root` is named `ANDROID` (all caps) in Rethink. There are many such `root` apps, like `GPS`, `MDNSR`, etc. You'd find Rethink track them (and show them in "All Apps") only if they make at least one internet connection when Rethink is enabled, otherwise not.

That's quite simple: App ID "0" means "Apps run with administrator rights" for Android and Admin is called "Root" for Linux and Android, so both AfWall+ and Netguard call this App ID "Root". But this is a downside of RethinkDNS then: if I understand you correctly, it cannot block these apps at all. Understandable since you definitely need to know what you do if you want to limit these - but a downside nevertheless.

> Re: Blocklist update: We compress the blocklists and make them available for download on our servers. Users can download them on-demand (these are not auto-downloaded). We tend to update blocklists once a week. As for user setting their own blocklists, Rethink doesn't support them yet, but soon will.
>
> Re: Backup: We're implementing this as we speak! :)

This is good to hear :) I would however also vote to add some kind of auto update for the blocklists.

> Thanks. We have been doing this for a good part of 2 years now (with two long health / pandemic enforced breaks in between), and despite the bugs and lack of features, it warms our hearts that people find the app promising (we have our share of haters too).

Please do not let such assh***s come close to you. But I really wonder (as I do in the case of Netguard) how many of these haters might be paid by marketing companies who do not like such apps at all. With PiHole at home and Netguard or RethinkDNS on my phone, I rarely see any ads at all - and I ****love**** it.

From my point of view, RethinkDNS seems a viable Alternative to NetGuard - with the main drawbacks that
- you are limited to the provided blocklists that also don't auto-update since it seems you have a large monolithic blocklist file
- you cannot block anything running with App ID 0

But: your app is new, and you are working on it and enhancing it with every release.
And there is a chance you implement Wireguard which would enable a user to use your firewall and then forward the traffic to his VPN without a rooted device - and as soon as that happens I think RethinkDNS really is a leap forward.
 

ignoramous

Senior Member
Sep 22, 2012
64
54
> No, it was one of his visitors, not the master himself.

Gotcha. I don't expect the master to review us, though.

> why is it impossible to edit DNS or Firewall if RethinkDNS is not active?

That's because we do a bunch of "reactive" stuff when rules change (like re-hydrate the firewall-rules cache, for example). And if the firewall / dns isn't active, these reactive changes may result in unexpected behaviour (including app crashes). In short, the limitation is with the code base, as it is set up currently. We would have to untangle and fight with it to let users add rules when the app is inactive. I'd rather we spend whatever time we have on other important feature requests. So: I wouldn't expect this to get done anytime soon.

Besides, the way I envision it, Rethink is not meant to be used in intervals; it is meant to be used as an Always-on VPN.

> But this is a downside of RethinkDNS then: if I understand you correctly, it cannot block these apps at all. Understandable since you definitely need to know what you do if you want to limit these - but a downside nevertheless.

You understood what I said incorrectly. Rethink can (and does) absolutely block UID 0 (aka root) if its traffic happens to tunnel over Rethink's local-VPN. The thing with root is, it can easily bypass such a restriction (since it is root!). NetGuard cannot prevent it either. Maybe, AfWall+ (needs a clever implementation) does; not sure.

> I would however also vote to add some kind of auto update for the blocklists.

It is rote work to do auto-updates, but we're thinking about it: https://github.com/celzero/rethink-app/issues/564

> how many of these haters might be paid by marketing companies who do not like such apps at all

Nah, don't think that's the case. Unlike NetGuard, Rethink has a very, very tiny userbase. Probably like 100x smaller. The haters are more likely because they are unable to communicate their criticism without expressing extreme emotion.

> - you are limited to the provided blocklists that also don't auto-update since it seems you have a large monolithic blocklist file

Yeah, but we want to add the ability to let users point Rethink to any blocklist. Coming in probably 3 months or so: https://github.com/celzero/rethink-app/issues/237

> - you cannot block anything running with App ID 0

Rethink can.

> And there is a chance you implement Wireguard which would enable a user to use your firewall and then forward the traffic to his VPN without a rooted device - and as soon as that happens I think RethinkDNS really is a leap forward.

I had this impl in March, but we never got around to releasing it. Maybe this December we do!

Btw, thanks for your feedback. Appreciate it :)
 
I am a little bit stuck here. Had to reinstall RethinkDNS app while Always-On VPN was active. Due to uninstalling, the VPN profile was gone. But now RethinkDNS thinks the profile is still there and active. I cannot start RethinkDNS and get the error "Always-On VPN active. Do you really want to stop?" or something like that.

Any idea how to solve this and start the connection?

Best regards and thanks for this great app/service.
 

celestialspring

Senior Member
Sep 19, 2010
212
48
> I am a little bit stuck here. Had to reinstall RethinkDNS app while Always-On VPN was active. Due to uninstalling, the VPN profile was gone. But now RethinkDNS thinks the profile is still there and active. I cannot start RethinkDNS and get the error "Always-On VPN active. Do you really want to stop?" or something like that.
>
> Any idea how to solve this and start the connection?
>
> Best regards and thanks for this great app/service.

Try their Telegram group for more responses.
 

y0himba

Senior Member
Sep 16, 2008
451
54
In a house.
www.y0himba.net
Just got a Pixel 7 Pro with Android 13. I am having an issue where I cannot turn on the notifications for RethinkDNS.

At your request android is blocking this app's notifications from appearing on this device

The toggle for turning them back on is greyed out and will not work. I cleared the app's cache and storage, rebooted, then reinstalled the app, rebooted. Still unable to use the notification to pause/start RethinkDNS.

I think this is the culprit:
https://developer.android.com/develop/ui/views/notifications/notification-permission

More here: https://www.singular.net/blog/android-13-push-notifications/

It's not only RethinkDNS experiencing this issue, but a LOT of other apps as well.
 

ignoramous

Senior Member
Sep 22, 2012
64
54
> The toggle for turning them back on is greyed out and will not work. I cleared the app's cache and storage, rebooted, then reinstalled the app, rebooted. Still unable to use the notification to pause/start RethinkDNS.

Thanks for the bug report. We've since fixed this issue in v053l: https://github.com/celzero/rethink-app/issues/594

> But now RethinkDNS thinks the profile is still there and active. I cannot start RethinkDNS and get the error "Always-On VPN active. Do you really want to stop?" or something like that.

That's a strange bug. I don't think the app is at fault. Which Android version are you on? Are you on a custom ROM or stock OEM ROM? Did reboot not fix this issue?
 

pyereciae2788

Member
Sep 10, 2020
14
2
I've been using ReThinkDNS for some time, and just happened to stumble upon this XDA thread. It's pretty reliable, although I'd say an important missing piece is custom blacklists/whitelists. Looking forward to when custom lists are added, since those will definitely be useful.

Also, by any chance, are emails checked? In the Support section of the FAQ (https://rethinkdns.com/faq#faq-support), an email address is linked, which I'm assuming is an alternative contact method for those who don't use Telegram. I'm not sure about the situation, though, since I've sent an email there a long time ago with no response.
 

ignoramous

Senior Member
Sep 22, 2012
64
54
> I'm not sure about the situation, though, since I've sent an email there a long time ago with no response.

Hi there, we do check emails and reply when necessary (for example, we may not reply if we have since fixed the bug, or there might already be a discussion or issue about it on Github, or the FAQ covers it, or the email is scant on the details of the bug, and so on). I know it is frustrating to send emails into a blackhole, but if you'd see our inbox, you'd understand just why we possibly can't reply to every email we get :)

Support is always the fastest on Telegram since plenty of community members are up-to-date with the state of the development, planned changes, existing bugs, and functionality of the app.
 

lenny64

Member
Dec 30, 2017
29
7
@ignoramous
How can I set up a specific DNS in the app for my home wifi?
If it's not yet possible, then maybe as a new feature?

For example, it should use my local DNS (pihole) when I am connected to my home wifi (ssid). For everything else use a different DNS server.
 

ZxPyP

New member
Nov 3, 2022
3
1
@ignoramous
When I use RethinkDNS, apps I quit automatically launch again (like Firefox, Youtube, Conversations and so on). When I use Netguard, the manually terminated apps stay closed.

Do you have any idea why the system behaves this way with RethinkDNS?
 

ignoramous

Senior Member
Sep 22, 2012
64
54
> Do you have any idea why the system behaves this way with RethinkDNS?

No clue. But the behaviour you describe is the first I have heard of it. Can you share a screen recording, if you're comfortable? Also, make sure the ROM / Android version you're using doesn't have bugs in them.

v054 is the latest rdns version, btw. Is that the one you're using?
 

donjoe0

Senior Member
Mar 21, 2013
121
27
> Editing the HOSTS file is the worst method actually.
>
> It's slow. Hosts file needs to be cached in RAM by the DNS client and that takes time + processing power.

IDK, the uBlock author says the performance penalty is negligible.
https://github.com/mtxadmin/ublock/blob/master/docs/hosts_file_performance_en.md
Nope, some testing immediately confirmed for me a large hosts file produces visible connection slowdown.

And speaking of performance, @ignoramous I just read today that the AFWall+ firewall solution of using iptables has very low processing demand and battery drain. Are you forced to do it some other way in RDNS, maybe because of the configurability you want to offer, and is that why there's significant extra battery drain from your firewall? Because right now I'm thinking the optimal combination for me would be to use AFWall+ in tandem with DNS-only RDNS to get the juiciest part of RDNS working with a perfectly fine firewall for no visible battery sacrifice.
 

ZxPyP

New member
Nov 3, 2022
3
1
> No clue. But the behaviour you describe is the first I have heard of it. Can you share a screen recording, if you're comfortable? Also, make sure the ROM / Android version you're using doesn't have bugs in them.
>
> v054 is the latest rdns version, btw. Is that the one you're using?

I am currently using Netguard again because I noticed this behavior with RethinkDNS.
As a long-time Netguard user, I found the behavior a bit odd. No future for Netguard, because it is no longer actively developed further. I hope RethinkDNS runs better on my smartphone in the future.

Unfortunately I can't test much at the moment, but when I have time I can open a bug report about it on github.com.
Maybe I can test it this weekend.

The problem occurred on two Samsung A52 4G, Android 13 February Security-Patch. RethinkDNS 054a from Google Play Store.
 

Top Liked Posts

  • 22

    Rethink DNS + Firewall + VPN is an anti-internet censorship tool with WireGuard VPN, DNS-based adblocking, and a no-root firewall for Android 6+ devices.

    The app itself is free to use and comes with Rethink: DNS + Firewall + VPN (previous name BraveDNS) resolver with support for custom denylists, allowlists, ability to store DNS logs for later analysis, view those logs consolidated from multiple devices in a single interface and so on: Pretty much a pi-hole in the cloud.

    Why'd we build this?

    As concerned Android users: It absolutely irks us that people who do care enough about privacy still couldn't use privacy-enhancing apps without requiring a degree in computer science. We saw this pattern unfold multiple times and a lot of tools over the years have done a tremendous job of making niche security tools accessible to naive users. We wanted to further that conversation on Android with a vision for what we think such a tool should look like:

    1. Anti-censorship: Enable open internet. DNS over HTTPS (and the imminent ESNI standard) is going to effectively break censorship as implemented in a lot of countries without requiring to route the traffic through VPNs. VPNs (and distributed tech like IPFS and mesh networks like Lantern) are still required in countries that employ Deep Packet Inspection. That's something we'd like to tackle in the near future.

    2. Anti-surveillance: Expose apps, their activity logs, network logs, and provide some actionable insights to the users on what they could do next. Exodus Privacy does a good job at statically analyzing an app and laying bare the trackers and permissions in-use, whilst the evergreen NetGuard does ever-so-well in revealing an app's connectivity history. We believe, there's a lot more that can be done than simply firewall an app: For instance, you could disable it, uninstall it, remove its permissions, remove the so-called special permissions (like read notification permission, read SMS permission, read app-usage statistics permission etc). Basically, empower the user with whatever control is available without-root in a neat little interface (think CleanMaster vs using the stock Settings app but being actually effective and not lie).

    The current version of Rethink: DNS + Firewall + VPN is a start in the direction laid out above partly because we want such an app ourselves and partly because we feel people deserve more such tools, and we hope to build it with this community's input, because god knows we have been wrong plenty when it comes to "what people really want".

    As privacy enthusiasts: We were frustrated that if we wanted to use NetGuard we couldn't use another VPN app, or if we wanted to use a DNS changer like Blokada then we couldn't use NetGuard (though, NetGuard + Private DNS feature alleviates the problem on Android 9+). We wanted something that wasn't as restrictive because we knew it could be built and so we did.

    Key points:
    0. WireGuard VPN support.
    1. Easy configuration.
    2. No root required.
    3. Free and open source (forked from Intra).
    4. No built-in trackers or analytics.
    5. In continuous development.

    Current features:
    1. DNS over HTTPS (circumvent censorship and prevent surveillance of DNS logs by ISPs and everyone else), DNSCrypt v2 with Anonymized Relays, and DNS over Tor.
    2. View DNS logs, including latencies and other metadata.
    3. Ad-block through RethinkDNS (previous name: BraveDNS) free resolver and local blocklists.
    4. Add your own DNS over HTTPS / DNSCrypt v2 servers.
    5. Firewall by app categories.
    6. Firewall individual apps.
    7. Firewall individual IP addresses.
    8. Firewall when apps are in the background (not-in-active-use).
    9. Firewall when device is locked.
    10. Forward DNS and TCP connections to Orbot (Tor as a proxy).
    11. Forward HTTP connections to any HTTP proxy.
    12. Forward TCP connections to any SOCKS5 endpoint or to Orbot.
    13. Forward DNS connections to any app running locally on-device or any endpoint (either local or on the Internet).
    14. [v053g / Sep '21] Firewall when apps bypass DNS (for example, block connections to IPs that apps resolve themselves).
    15. [v053g / Sep '21] Pause: Pause the Firewall and DNS for a brief time-period.
    16. [v053g / Sep '21] DNS Trap: Proxy all requests made on Port 53 to user-set DNS endpoint (for instance, this traps and redirects all custom DNS requests WhatsApp sends to Google's `8.8.8.8` DNS servers to the DNS endpoint of a user's choice).
    17. [v053i / Jul '22] IPv6 support.
    18. [v053i / Jul '22] Firewall based on metered (LTE) or unmetered connection (Wifi).
    19. [v054 / Apr '23] Custom DNS allowlists/denylists.
    20. [v055 / Aug '23] Multi-WireGuard VPN integration.
    21. [v055a / Sep '23] IPv6 support for WireGuard.

    Planned (in no particular order):
    1. Per-app DNS and VPN (route traffic to multiple VPNs / DNS based on which app is making those connections).
    2. Import popular domain blocklists.
    3. Bandwidth usage and control.
    4. Redesign: Material You.
    5. Android TV support.
    6. Oblivious DNS over HTTPS support.
    7. HTTPS filtering.

    See: github/celzero/rethink-app/feature-backlog.

    We can't emphasize this enough: Let us know what you'd like to see us build and more importantly that'd make this tool use-able for other Android users who care enough but aren't as tech-savvy.

    If you'd like to contribute, please feel free to send pull requests our way.

    Thanks.

    ---

    Source: github/celzero/rethink-app
    Website: rethinkfirewall.com
    Blog: blog.rethinkdns.com
    Twitter: twitter.com/rethinkdns
    FAQ: rethinkdns.com/faq
    License: Apache 2.0

    Download: via RethinkDNS.com | PlayStore | F-Droid.

    ---

    3
    > a feature planned to add your own VPN, for example for public networks?

    Not our own VPN service, but yes, you'd be able to connect to any upstream WireGuard endpoint (not OpenVPN as it's too complex).

    In fact we just completed making changes to our network engine to support that (commit). Only UI work is pending (which is a lot of work), which I expect to be finished in about 2 to 4 weeks.
    3
    Thanks. Nice work.
    Unfortunately, it usually comes down to firewall or VPN

    Would love to see what you guys do (if at all) to allow third party VPNs
    2
    Just want to say many thanks for this app, I can finally use custom private DNS, firewall and VPN together. Waiting now for the next update :)