Encrypt dns + firewall


I was using the NetGuard app as a firewall on my Android. The problem is that I would like to encrypt the DNS requests, and I have found two options.

One is to use the NextDNS client (it is not found in F-Droid), which encrypts the DNS requests, and using my configuration ID I can also block advertising. But if I use NextDNS I cannot use NetGuard, because the NextDNS app establishes a local VPN connection, which also prevents me from using NetGuard as a firewall.

The other option is RethinkDNS, which has DNS encryption and also includes a firewall. This app is available in F-Droid, but I don't know the privacy policy of their DNS server; I don't know if it saves the logs of the DNS queries on their server.

What option do you recommend? Use NextDNS and lose the use of NetGuard, or better use RethinkDNS?

NextDNS is open source, so why isn't it in F-Droid?



You can use InviZible, which is a dnscrypt-proxy client.


What option do you recommend?

Other - use Orbot VPN/proxy.

@ignoramous will say RethinkDNS. :slight_smile: I gave it a try, but did not see benefits with Orbot and the few sites I usually use. YMMV.


rethinkdns co-developer here

If you’re on Android 10+, you can set NextDNS as a Private DNS provider on your Android and use NetGuard concurrently with it.

Regarding the app RethinkDNS+Firewall, you can use the app to point it to any DNS resolver of your choice. You’re not beholden to use RethinkDNS’ own DNS resolver.

If you are concerned about its privacy policy, then see: https://RethinkDNS.com/privacy

NextDNS Android app isn’t open source.

NextDNS the resolver isn’t open source.

And if something isn’t on F-Droid, then it might be prudent to ask the developer about it rather than the F-Droid community, though the volunteers and the community do tend to invest a lot of their own time and effort helping FOSS developers onboard.

Do note:
DNS encryption does not hide from your ISP the websites you connect to, as they are disclosed by SNI.

RethinkDNS+Firewall mitigates this by splitting the TLS ClientHello packet, which contains Server Name Identification (SNI), into two. Unless the ISPs are running a stateful firewall (most aren't), they won't know.

Intra does this split, too. Libretra, as well (btw you should consider rebasing it to latest from upstream :slight_smile:).

:frowning: so why bother to encrypt DNS requests?

Although I just read in the other answer that RethinkDNS can patch this problem

You need to protect both.

DNS is used to resolve names to IPs: example.com -> 2606:2800:220:1:248:1893:25c8:1946

TLS ClientHello is used to identify the hostname (typically, a domain name) a client wants to connect to over that IP: 2606:2800:220:1:248:1893:25c8:1946 -> example.com.

Why is that so? Because multiple 'domain names' (hostnames) can point to a single IP (that is, a single IP can serve multiple hosts behind it).

The real reason to use DNS over HTTPS isn't really for privacy, or even security, but to get around an ISP blocking specific website access. If you want actual privacy from the ISP, use a VPN as an alternative. Although it can be tough using both a VPN and a firewall on Android.

Even if they do find out afterwards that you visited the website, it would be too late to block you from getting to the site. Think of the recent net neutrality issues.

The ISP could still throttle you if they can't determine what website you are on and you are using a lot of bandwidth (or even if you are using very little bandwidth).

I 2nd InviZible Pro.
You can use it for DNSCrypt Proxy, Tor, & I2P; it also includes a firewall.

Usually a Rooted device is needed to run both a VPN and encrypted DNS.

RethinkDNS allows for custom servers. For DNSCrypt use, you can go to https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/public-resolvers.md
and find servers that say no-logging to choose.
Then choose relays from https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/relays.md

Thanks for the info, but I am confused. Are relays an alternative to DNS servers, or do you have to configure both?

Relays sit between the dns resolver and the client. They’re routing proxies, if you will.

In a regular setup, the dnscrypt-resolver knows both who’s the client (dnscrypt-header) and what’s the query (dns-packet).

In a relay setup, the dnscrypt-resolver knows what’s the query (dns-packet) but not who sent it (dnscrypt-header), while the relay knows who’s the client (dnscrypt-header) but not what’s in the dns-packet (query).

Regular setup:

dnscrypt-client ----[encrypted(dnscrypt-header + dns-packet)]---->  dnscrypt-resolver

Relay setup:

dnscrypt-client ----[encrypted(dnscrypt-header(encrypted(dns-packet)))]----> dnscrypt-relay ----[encrypted(dns-packet)]----> dnscrypt-resolver
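The resolver and relay lists linked a few posts up are made of DNS stamps (sdns:// strings), and the "no-logging" a server says it has is a flag bit inside that stamp. As an added example (my own code, not dnscrypt-proxy's or any project's), here is a small encoder/decoder for the DNSCrypt resolver and DNSCrypt relay stamp formats, a filter that keeps only resolvers whose stamp advertises no-logs, and a helper that renders the [anonymized_dns] routes block of dnscrypt-proxy.toml sending those resolvers through chosen relays, which is the relay setup drawn above. All addresses, the key, provider names and server names in it are constructed placeholders; in a real configuration the route names must match entries in the resolver and relay lists that dnscrypt-proxy loads.

```python
import base64
import struct
from dataclasses import dataclass
from typing import Dict, List

# DNS stamp protocol identifiers and property bits (dnsstamps specification).
PROTO_DNSCRYPT = 0x01
PROTO_DNSCRYPT_RELAY = 0x81
PROP_DNSSEC, PROP_NO_LOGS, PROP_NO_FILTER = 0x1, 0x2, 0x4


def _lp(field: bytes) -> bytes:
    """Length-prefixed field (1-byte length) as used inside stamps."""
    if len(field) > 255:
        raise ValueError("stamp field too long")
    return bytes([len(field)]) + field


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class Stamp:
    proto: int
    addr: str
    props: int = 0
    public_key: bytes = b""
    provider_name: str = ""

    @property
    def no_logs(self) -> bool:
        return bool(self.props & PROP_NO_LOGS)


def encode_dnscrypt_stamp(addr: str, public_key: bytes, provider_name: str, props: int) -> str:
    """Resolver stamp: 0x01 || props (u64 little-endian) || LP(addr) || LP(pk) || LP(provider)."""
    raw = (bytes([PROTO_DNSCRYPT]) + struct.pack("<Q", props)
           + _lp(addr.encode()) + _lp(public_key) + _lp(provider_name.encode()))
    return "sdns://" + _b64url(raw)


def encode_relay_stamp(addr: str) -> str:
    """Relay stamp: 0x81 || LP(addr). Relays carry no property flags."""
    return "sdns://" + _b64url(bytes([PROTO_DNSCRYPT_RELAY]) + _lp(addr.encode()))


def decode_stamp(stamp: str) -> Stamp:
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    raw = _unb64url(stamp[len("sdns://"):])
    pos = 1

    def take() -> bytes:                       # read one length-prefixed field
        nonlocal pos
        n = raw[pos]
        field = raw[pos + 1:pos + 1 + n]
        if len(field) != n:
            raise ValueError("truncated stamp")
        pos += 1 + n
        return field

    proto = raw[0]
    if proto == PROTO_DNSCRYPT_RELAY:
        return Stamp(proto, take().decode())
    if proto == PROTO_DNSCRYPT:
        props = struct.unpack("<Q", raw[pos:pos + 8])[0]
        pos += 8
        addr, pk, provider = take().decode(), take(), take().decode()
        return Stamp(proto, addr, props, pk, provider)
    raise ValueError(f"unsupported stamp protocol 0x{proto:02x}")


def no_log_resolvers(stamps: Dict[str, str]) -> List[str]:
    """Names of DNSCrypt resolvers whose stamp advertises no-logs; this is the check that
    `require_nolog = true` in dnscrypt-proxy.toml applies to the whole server list."""
    keep = [name for name, text in stamps.items()
            if (st := decode_stamp(text)).proto == PROTO_DNSCRYPT and st.no_logs]
    return sorted(keep)


def anonymized_routes(resolvers: List[str], relays: List[str]) -> str:
    """Render the [anonymized_dns] section of dnscrypt-proxy.toml: each resolver is reached
    only through the listed relays, so the resolver never sees the client's address."""
    via = ", ".join(f"'{r}'" for r in relays)
    lines = ["[anonymized_dns]", "routes = ["]
    lines += [f"    {{ server_name='{name}', via=[{via}] }}," for name in resolvers]
    lines.append("]")
    return "\n".join(lines)


# Constructed sample data: documentation-range addresses, a placeholder key, made-up names.
SAMPLE_KEY = bytes(range(32))
SAMPLE_RESOLVERS = {
    "logging-resolver": encode_dnscrypt_stamp("203.0.113.10:443", SAMPLE_KEY,
                                              "2.dnscrypt-cert.example.com", PROP_DNSSEC),
    "quiet-resolver": encode_dnscrypt_stamp("203.0.113.20:443", SAMPLE_KEY,
                                            "2.dnscrypt-cert.example.net", PROP_DNSSEC | PROP_NO_LOGS),
}
SAMPLE_RELAYS = {"relay-a": encode_relay_stamp("198.51.100.7:443")}

if __name__ == "__main__":
    chosen = no_log_resolvers(SAMPLE_RESOLVERS)                  # ['quiet-resolver']
    print(anonymized_routes(chosen, list(SAMPLE_RELAYS)))
```

The no-logs bit only records what the operator claims about itself, which is why the relay route matters: with a route in place the resolver that might log still never learns which client asked, matching the split of knowledge between relay and resolver described above.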


I am searching the net but I cannot find an updated tutorial to configure dnscrypt in Linux and configure the relays. Do you know any web page where it is explained how to configure it?

https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux ?