[HN Gopher] Rethink-app: DNS over HTTPS, firewall, and connectio...
___________________________________________________________________
Rethink-app: DNS over HTTPS, firewall, and connection tracker for
Android
Author : thunderbong
Score : 87 points
Date : 2022-05-30 04:32 UTC (4 days ago)
(HTM) web link (github.com)
| Melatonic wrote:
| I was super interested in this but it looks like it may not be
| getting a ton of development?
|
| Currently I use NextDNS and have been looking at adding a more
| advanced firewall to my Android phone (mainly to block common DNS
| resolver IPs so apps can't go direct and then use encrypted DNS
| and bypass my settings)
| honeybadger1 wrote:
| It seems great so far for me, intuitive to use as well for
| customization.
| NabiDev wrote:
| It would be better if the logs can be exported.
| 867-5309 wrote:
| what would be the advantage of configuring this for every
| (Android) device versus a PiHole or pfSense box managing
| configuration for every (agnostic) device on the network?
| ignoramous wrote:
| PiHole is a DNS based content-blocker (not an IP firewall),
| whilst PfSense is a packet filter (it doesn't know which app's
| packets it's allowing/dropping, for example).
|
| The RethinkDNS android app is comparable to Glasswire /
| LittleSnitch / LuLu firewalls that are OS-specific and can help
| keep tabs on the network activity of installed apps and
| services.
| 867-5309 wrote:
| thanks. can't wait to try it once multiple VPNs and wireguard
| are supported
| srijan4 wrote:
| You can use it when roaming.
| heythere22 wrote:
| Have been using it for a while now. The best feature is the
| ability to block apps from accessing the Internet altogether.
| With the added bonus of a bit of adblocking. The only downside,
| IPv6 is not supported. The Internet connection is IPv4 only using
| the app.
| SahAssar wrote:
| Is there any technical reason to not support IPv6?
| ignoramous wrote:
| _developer here_
|
| In the dns-only mode, IPv6 _should_ work.
|
| The reason for not supporting IPv6 in the firewall-mode is
| twofold:
|
| 1. Firewall today simply stores classless IP address rules as
| strings in a sqlite table fronted by a lfu cache backed by a
| typical hash-map. With IPv6, I'd imagine, this won't scale.
| So, we need a more economical in-memory data-structure (like
| a crit-bit trie [0] or an art tree [1]).
|
| 2. Apparently LwIP has problems with _HappyEyeballs_ (I
| personally never saw it, but got a couple of reports from
| users about it that it was an unrecoverable error once the
| connectivity was lost, and the firewall had to be restarted
| to get internet back up). We're in the process of replacing
| LwIP with gvisor/netstack now [2], just to get IPv6 support
| back on track.
|
| ---
|
| That said, I'd imagine the app should work just fine over
| IPv6-only networks thanks to 464xlat [3]. I may be wrong,
| because I've never tested it on an IPv6-only network with
| support for it.
|
| [0] https://github.com/agl/critbit
|
| [1] http://www.hariguchi.org/art/art.pdf
|
| [2] https://github.com/celzero/firestack/issues/3
|
| [3] https://sites.google.com/site/tmoipv6/464xlat
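
The in-memory structure the comment above asks for, as an added example that is not part of the thread or of Rethink's code: a plain one-bit-per-level binary trie (a simpler stand-in for the crit-bit and ART tries cited) doing longest-prefix match over IPv4 and IPv6 CIDR rules. `RuleTrie`, `Insert` and `Blocked` are hypothetical names, and the rule shown is constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

type node struct {
	child [2]*node // next bit of the address: 0 or 1
	rule  *bool    // non-nil where a CIDR rule ends; true = block
}
// RuleTrie keys IPv4 rules as IPv4-mapped IPv6, so one 128-bit tree serves both families.
type RuleTrie struct{ root node }
func bitAt(b [16]byte, i int) int { return int(b[i/8]>>(7-i%8)) & 1 } // MSB first

// Insert adds a CIDR rule with host bits masked off; an invalid prefix is ignored.
func (t *RuleTrie) Insert(p netip.Prefix, block bool) {
	if !p.IsValid() {
		return
	}
	key, cur := p.Masked().Addr().As16(), &t.root
	n := p.Bits() + 128 - p.Addr().BitLen() // an IPv4 /8 becomes a mapped /104
	for i := 0; i < n; i++ {
		b := bitAt(key, i)
		if cur.child[b] == nil {
			cur.child[b] = &node{}
		}
		cur = cur.child[b]
	}
	cur.rule = &block
}

// Blocked returns the verdict of the longest matching prefix (at most 129 node visits).
func (t *RuleTrie) Blocked(a netip.Addr) (block, matched bool) {
	for i, cur := 0, &t.root; cur != nil && i <= 128; i++ {
		if cur.rule != nil {
			block, matched = *cur.rule, true
		}
		if i < 128 {
			cur = cur.child[bitAt(a.As16(), i)]
		}
	}
	return
}

func main() {
	t := &RuleTrie{}
	t.Insert(netip.MustParsePrefix("2001:db8::/32"), true) // constructed rule
	fmt.Println(t.Blocked(netip.MustParseAddr("2001:db8::1")))
}
```

Lookup cost is bounded by address length rather than by the number of rules, and an IPv4-mapped address such as `::ffff:10.9.9.9` hits the same rule as `10.9.9.9`.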
| codethief wrote:
| > The best feature is the ability to block apps from accessing
| the Internet altogether.
|
| In my case I don't use any app for that but GrapheneOS (on my
| Pixel device) which makes Android's Internet permission user-
| facing, meaning that I get to choose for every app.
| hereme888 wrote:
| Love the app! Was using NetGuard, but it doesn't let me use my
| custom NextDNS in DoH or DoT. Yours lets me do a local firewall,
| with a list of pre-defined rules, custom rules, and whatever gets
| through I can try stopping at NextDNS while allowing me to stay
| within their free-tier category. Perfect use case for me. I
| switched to your program! Hope the blocking of individual domains
| gets added soon.
| mnahkies wrote:
| I'm quite surprised that this appears to not require root - will
| give it a try
| meheszjeno wrote:
| It creates a VPN, this is why rooting is not required. BTW, I
| use NetGuard with similar functionality.
| jdoconnor wrote:
| Blokada is also a similar app (local vpn that filters by
| dns)
|
| https://blokada.org/
| ignoramous wrote:
| NetGuard and TrackerControl (which is based on NetGuard)
| are comparable alternatives.
|
| https://github.com/M66B/NetGuard
|
| https://github.com/OxfordHCC/tracker-control-android
| pr8dan wrote:
| Love TrackerControl from FDroid. You can fine tune
| access/block of each app based on classification of
| network destination (analytics, tracking, necessary, ..)
| shitshitshit wrote:
| Pr0ject217 wrote:
| I downloaded it and tried it. It seems great so far.
|
| One thing that I am curious of, is using this in conjunction with
| a separate VPN with 'Always-on-VPN', as it seems it is not
| compatible (asks me to disable 'Always-on-VPN').
| ignoramous wrote:
| Can't use another VPN app along with it (an Android
| limitation). CalyxOS (an AOSP ROM) plans to add support for
| multiple active VPNs [0] and maybe other ROMs will too.
|
| The app can forward TCP over SOCKS5 to other installed apps
| that support SOCKS5 proxies (like Orbot).
|
| That said, since half our code-base is in Golang, we plan to
| embed wireguard-go once we figure how to do so [1].
|
| [0] https://gitlab.com/CalyxOS/calyxos/-/issues/349
|
| [1] https://github.com/celzero/rethink-app/issues/52
| t0astbread wrote:
| It would be great in general if Android had more flexible
| APIs for implementing network filtering/VPNs. Perhaps this
| could be solved by some kind of app that registers a VPN
| service and exposes an API over some IPC mechanism so that
| other apps can handle filtering/routing? Although I don't
| know enough about Android to judge if that's feasible.
| jedisct1 wrote:
| Does it support Anonymized DNS now?
___________________________________________________________________
(page generated 2022-06-03 23:02 UTC)