Bad job "Rethink: DNS + Firewall"

Hello F-Droid community! I have a problem: my phone is running on non-free firmware (because it is normal and safe not to flash it), and I installed the application "Rethink: DNS + Firewall" from F-Droid. It says that it can block the phone's requests to the servers of the manufacturer's company, plus block metrics and so on. But the problem is that it does not do this ;( and in the description of the domain (to which the smartphone connected) it is written that "rdns plus" itself allowed this request, but I did not want and do not want that. I configured it differently, which application, which DNS... It doesn't work. Please help me.

(Could I also hear an answer from the developer?)

The app details pages in both Client and Website have links to developer issue portals, it’s best to ask there instead, with all the needed details.

@ignoramous ping?


Okay, thanks for the reply.

There is a mention of this problem on GitHub, so I will not create a new thread; I will wait for the update.


The manufacturer can set up some apps to escape a non-root firewall (such as Rethink and NetGuard), as described in this GitHub issue. If you have found another GitHub issue that mentions that, could you share it?


Hi @qtum

With v054a (released last month), the domain names (ex: badsite.com) are indeed blocked as defined but at connection time (TCP/UDP) instead of at name-resolution time (DNS), and hence you’d see these connections appear as “blocked” in Network Log UI and not in the DNS Log UI.

This is done because otherwise there is no way to apply per-app DNS rules, like trust (allow) / block (deny) domain names for a specific app.

In the upcoming v054b release (due in a week), we intend to switch to the old behaviour iff the user has not set any per-app DNS rule.

I know that the current behaviour is confusing and so, we are also trying to add some UI elements and improvements that would make the current behaviour much clearer, so unsuspecting users won’t panic (:


Hi @opk12

To add to the linked issue:

While system apps can bypass any VPN tunnel at whim, in practice I haven’t found that to be the case. That said, the OEM / ODM control not only the (userspace) system apps which have elevated privileges, but they pretty much also control the kernel and the hardware itself. So, in theory they could do a whole lot more than merely bypass a userspace VPN … That is, even apps using root don’t stand a chance.

Hello @ignoramous, thank you for chiming in.

With v054a (released last month), the domain names (ex: badsite.com) are indeed blocked as defined but at connection time (TCP/UDP) instead of at name-resolution time (DNS), and hence you’d see these connections appear as “blocked” in Network Log UI and not in the DNS Log UI.

This is done because otherwise there is no way to apply per-app DNS rules, like trust (allow) / block (deny) domain names for a specific app.

I’m not a telecom expert and I don’t know if this can work in practice: what if the DNS stage “tags” the connection, by resolving to a unique “placeholder” address; the firewall stage remembers the domain which was mapped to the “tag” address, then does the real DNS (rules + resolution).

  1. The DNS is queried for example.org. It resolves to an unused address (10.1.2.3), and saves 10.1.2.3 -> example.org in an associative array.
  2. Immediately after, the firewall sees MyApp requesting 10.1.2.3/index.html. It queries the associative array, to get example.org. Now Rethink has the info (MyApp, example.org, /index.html) and applies DNS rules for MyApp, resolves the real example.org, applies the firewall rules.

In the upcoming v054b release (due in a week), we intend to switch to the old behaviour iff the user has not set any per-app DNS rule.

Unfortunately, some websites need Google's stuff to load correctly, so I imagine that some users will make an exception for the browser (uhm, there could still be a chance to detect this use case, however, as the app is in the foreground).

This works, and this is exactly what Rethink does starting from v054a when the Advanced DNS Filtering setting is enabled. It has its downsides, though. It also was not easy to implement :wink:

Rethink can detect foreground apps if it has been granted “Accessibility” permissions. It is quite a battery drainer though, so I don’t usually recommend folks enabling it unless they absolutely need Rethink to allow/block IPs/domains according to whatever app is in the foreground.

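The two-stage scheme sketched in the thread (a placeholder address handed out at DNS time, the domain looked up again and the per-app rule applied at connection time, which is why a domain block appears in the network log rather than the DNS log) as an added Python simulation. This is example code written for this thread, not Rethink's own implementation; the rule tables, app names and the 10.1.0.0/16 placeholder pool are constructed assumptions.

```python
import ipaddress

# Constructed per-app DNS rules (assumption for this demo, not Rethink's real
# config format): the browser gets an exception for a domain MyApp must not
# reach; apps without a matching rule fall back to the global blocklist.
APP_DNS_RULES = {
    "MyApp": {"block": {"ads.example"}, "allow": set()},
    "Browser": {"block": set(), "allow": {"ads.example"}},
}
GLOBAL_BLOCKLIST = {"ads.example", "metrics.example"}


class TaggingResolver:
    """DNS stage: answer every query with a placeholder ("tag") address from a
    private pool and remember which domain that placeholder stands for."""

    def __init__(self, pool="10.1.0.0/16"):
        self._free = ipaddress.ip_network(pool).hosts()  # 10.1.0.1, 10.1.0.2, ...
        self.tag_to_domain = {}
        self.domain_to_tag = {}

    def resolve(self, domain):
        domain = domain.rstrip(".").lower()
        if domain not in self.domain_to_tag:
            tag = str(next(self._free))  # StopIteration if the pool runs dry
            self.domain_to_tag[domain] = tag
            self.tag_to_domain[tag] = domain
        return self.domain_to_tag[domain]


class ConnectionFirewall:
    """Connection stage: map the destination placeholder back to its domain,
    decide per app, and record blocks in the network log (not a DNS log)."""

    def __init__(self, resolver, rules, global_block):
        self.resolver, self.rules, self.global_block = resolver, rules, global_block
        self.network_log = []  # (app, dst_ip, domain) for every blocked connection

    def verdict(self, app, dst_ip):
        domain = self.resolver.tag_to_domain.get(dst_ip)
        if domain is None:  # not a tagged address: no DNS rule can apply here
            return ("allow", None)
        app_rules = self.rules.get(app, {})
        if domain in app_rules.get("block", ()):
            decision = "block"
        elif domain in app_rules.get("allow", ()):
            decision = "allow"  # per-app allow overrides the global list
        else:
            decision = "block" if domain in self.global_block else "allow"
        if decision == "block":
            self.network_log.append((app, dst_ip, domain))
        return (decision, domain)
```

In a real tunnel the "allow" branch would still have to resolve the real address and forward the connection there; the simulation stops at the verdict.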
