
I have no idea how people are going to defeat DNS over HTTPS, as it seems to mean (and please correct me if I am wrong) that allowing this thing on my network, well, I will just never be able to know what it is doing or to whom it is talking.


I happen to develop an open source, no-root, network monitor, and firewall for Android.

We let users block connections to IPs that have no corresponding DNS request. Of course, genuine reasons to connect directly to IPs exist, but not so much for installed apps.


I just found your app a few weeks ago and it's exactly what I had been looking for in networking control on android. Thank you for making such a wonderful tool!

My only problem now is that android seems to only allow a single VPN 'tunnel'/connection, so I can't -so far as I know- simultaneously use your app with a dedicated VPN service like Mullvad. Is there any easy-ish way to get around that?

In my searching around, at least one person has suggested using something like insular/Island with all installed apps, then use the 'VPN' service on the non-insular side, but that to me seems to leave open all the 'system apps'.

I don't actually expect that you'd help some rando with this, but it's super cool to encounter a maker of an app that I love, so I thought I would ask on the off chance.


That's a very kind thing to say. Thanks.

> I just found your app a few weeks ago...

Curious: From reddit, or hacker news?

> I can't -so far as I know- simultaneously use your app with a dedicated VPN service like Mullvad.

If your VPN app supports on-device SOCKS5 proxy, then that's one way to chain Rethink (check Settings) to it. Rethink, for example, can chain up to Orbot (Tor as a proxy over on-device SOCKS5) just fine.

> Is there any easy-ish way to get around that?

If not, wait until we release WireGuard integration. It has been complete for a good part of 5 months now, but we never built a UI for it and now in the meantime upstream impl we rely on (both gVisor/netstack and WireGuard) has changed, and we need to pick those changes up. Expect it to happen in a month or two, along with the UI bits.


Won't this stop working if DNS-over-HTTPS becomes the norm? There are good reasons to hope it does (looking at you, ISPs), but if it happens then you won't be able to differentiate.


To handle that scenario, we implemented a per-app network sandbox / isolation mode a few months back. An app is only allowed to connect to IPs one explicitly trusts for that particular app.

The other one is to use the web browser more (since the likes of Firefox have super effective content blockers baked in) and not install apps.


What's the name of your tool/app?



Really cool! Thanks for sharing.


I do and recommend three things:

1. have a separate vlan (named vspy ;) for all the external devices like appletv etc

2. all traffic to internet dns ports (53, 853 etc) is completely blocked from this vlan

3. all traffic to an ip list (using ipset matching for speed) containing a manually curated few dozen publicly known DoH servers (including 8.8.8.8 et al.) is completely blocked from this vlan

In other words: use my own dns server or go away.

all services work fine (apple, google, tv/movies streaming etc.) while being in this vlan, and I see "my" devices continuously hit the 2&3 barriers.


What if they use a lesser known DOH server, or run their own in EC2?

My setup is similar (hairpin NAT for DNS to rewrite UDP 53 to my own server, separate VLAN), but I also have squid set up (whitelist only) with TLS bumping, and have installed my root CA on the TV. The ipset method is good thinking, but you're playing cat and mouse.


With DNS-over-HTTPS, after the DNS query is performed, does the client machine then connect directly to the IP address that was resolved by the DNS query? If so, would it be possible to do a reverse DNS search on all IP addresses that client(s) connect to and block based on those results?


Problem is you might just end up blocking random IP addresses in AWS or some CDN, depending on where these manufacturers host their telemetry servers.
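As an added example (not code from this thread, from Rethink, or from any of the commenters), here is a small DNS-correlated connection filter that implements the idea raised earlier in the thread: allow an outbound connection only if the same app recently received that IP in a DNS answer the firewall could see, otherwise block it, with a per-app trust list for the "isolation mode" case. It also shows the two edge cases the thread discusses: when an app resolves names over DoH the firewall never sees a "dns" event, so every untrusted destination falls to "block", and keying the cache per app avoids blanket-blocking a shared CDN or cloud IP that another app legitimately resolved. The event format, field names, IPs and sample events are constructed for illustration and are not Rethink's log format.

```python
"""DNS-correlated connection filter (added example, constructed data).

Event lines are JSON objects of type "dns" (an answer the firewall observed on
plain port 53 / 853 it can inspect) or "conn" (an outbound connection attempt
attributed to an app).  Nothing here is taken from a real product's log format.
"""
import ipaddress
import json

# Constructed sample stream.  IPs are from documentation ranges except 8.8.8.8,
# which stands in for a public DoH resolver the filter never saw a DNS answer for.
SAMPLE_EVENTS = [
    '{"t": 100, "type": "dns",  "app": "news.app", "qname": "cdn.example.net", "ip": "203.0.113.10", "ttl": 300}',
    '{"t": 101, "type": "conn", "app": "news.app", "ip": "203.0.113.10", "port": 443}',  # resolved just before
    '{"t": 102, "type": "conn", "app": "news.app", "ip": "198.51.100.7", "port": 443}',  # no DNS answer seen
    '{"t": 103, "type": "conn", "app": "tv.app",   "ip": "192.0.2.44",   "port": 443}',  # explicitly trusted for tv.app
    '{"t": 104, "type": "conn", "app": "news.app", "ip": "192.0.2.44",   "port": 443}',  # same IP, different app
    '{"t": 500, "type": "conn", "app": "news.app", "ip": "203.0.113.10", "port": 443}',  # answer TTL has expired
    '{"t": 501, "type": "conn", "app": "doh.app",  "ip": "8.8.8.8",      "port": 443}',  # DoH resolver, invisible lookup
]

# Per-app "isolation mode": destinations the user trusted for one app only.
PER_APP_TRUST = {"tv.app": {"192.0.2.44"}}


class DnsCorrelatedFilter:
    def __init__(self, trust=None, grace=30):
        self.trust = {app: set(ips) for app, ips in (trust or {}).items()}
        self.grace = grace            # seconds a stale answer is still honoured
        self.answers = {}             # (app, ip) -> (qname, expires_at)

    def on_dns(self, t, app, qname, ip, ttl):
        """Record an observed DNS answer, scoped to the app that asked."""
        ip = str(ipaddress.ip_address(ip))   # normalise, rejects junk
        self.answers[(app, ip)] = (qname, t + ttl + self.grace)

    def on_conn(self, t, app, ip, port):
        """Return (verdict, reason) for an outbound connection attempt."""
        ip = str(ipaddress.ip_address(ip))
        if ip in self.trust.get(app, ()):
            return "allow", "trusted"
        entry = self.answers.get((app, ip))
        if entry is None:
            # No visible DNS answer for this app: direct-to-IP or DoH-resolved.
            return "block", "no-dns"
        qname, expires_at = entry
        if t > expires_at:
            return "block", f"stale:{qname}"
        return "allow", qname


def replay(lines, trust=PER_APP_TRUST):
    """Feed a list of JSON event lines through the filter; return the decisions
    as (t, app, ip, verdict, reason) tuples, one per "conn" event."""
    flt = DnsCorrelatedFilter(trust)
    decisions = []
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "dns":
            flt.on_dns(ev["t"], ev["app"], ev["qname"], ev["ip"], ev["ttl"])
        else:
            verdict, why = flt.on_conn(ev["t"], ev["app"], ev["ip"], ev["port"])
            decisions.append((ev["t"], ev["app"], ev["ip"], verdict, why))
    return decisions


if __name__ == "__main__":
    for d in replay(SAMPLE_EVENTS):
        print(d)
```

On Android a VPN-based firewall can attribute each flow to an app UID, which is why the cache is keyed by (app, ip) rather than by ip alone: the same CDN address is allowed for the app that resolved it and blocked for one that did not. The honoured window is the answer's TTL plus a short grace period, so a long-lived connection reusing an old answer is not allowed forever.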


We defeated it, when we had a commercially available product, that is.



