celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0

Add a filter to check all apps/domains/ips which bypassed DNS. #1555

Open RohitSurwase opened 1 week ago

RohitSurwase commented 1 week ago

I know I can block all traffic which bypasses the DNS using Universal Rule. But I had to disable it as I was facing some issues and after disabling that option, I started seeing some ads in an App. I tried isolating the App and allowing domain for that specific app, still ads are popping up. So I thought the App is bypassing the DNS and loading the ads which Rethink can not capture. Am I correct?

Anyway, there should be a filter/way to know which Apps are bypassing the DNS and for which domains/IPs?

ignoramous commented 1 week ago

I'm not sure just what avenues exist for apps to show ads, but if Google Play service (GPS) is involved (an app that is pre-installed on every Android), you're likely out of luck as it is also responsible for many other things including push notifications. GPS cannot be firewalled without otherwise significant loss of functionality, unless you're on GrapheneOS (which runs one sandboxed instance of GPS per app instead of running it system-wide for all apps).

> tried isolating the App and allowing domain for that specific app, still ads are popping up. So I thought the App is bypassing the DNS and loading the ads which Rethink can not capture

If you Isolate an app, the app can connect only to trusted / allowed IPs & domains. So, unless you trust / allow an IP explicitly, the app shouldn't be able to connect as long as Rethink is active (and has not crashed or been killed by the OS; you can mitigate this by turning ON Block connections without VPN and Always-on VPN for Rethink from Android's Settings app; in Rethink go to About -> VPN Profile and you can spot those two options if you're on Android 11+).

> But I had to disable it as I was facing some issues and after disabling that option

If certain apps don't work with Block when DNS is bypassed turned ON, you can choose to Bypass Universal such apps (even Isolate works).

> some ads in an App

Some apps simply serve ads over their main IPs & domains which when blocked also block the app's regular content too (think: Spotify and YouTube).

RohitSurwase commented 1 week ago

Thank you so much for creating a great app @ignoramous.

I understood all your points. Also, I got rid of ads from the app by playing with blocked/allowed domains in isolation.

Now, I see two approaches to handle the issue-

  1. If Block when DNS is bypassed turned ON then filter apps/domains/IPs which got blocked using Logs. And then work on those apps only.
  2. If Block when DNS is bypassed turned OFF then filter apps which got allowed by Bypassing the DNS and then work on those. BUT, unfortunately, there is no way to filter apps which got allowed by Bypassing the DNS.

Approach 1 is also viable but would need constant observation of Logs to find blocked apps/domains/IPs. So, I think it would be better if there is an option to filter apps which got allowed by Bypassing the DNS when Block when DNS is bypassed is turned OFF. As this option is not that strict, we can work on these Logs whenever time allows as the App is allowed anyway.

Thanks, please let me know if it's doable.
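The two approaches above come down to the same underlying bookkeeping: a connection tracker remembers which IPs each app learned through DNS, and a flow whose destination never appeared in a DNS answer is tagged as having bypassed DNS. Approach 1 then filters on "tagged and blocked", approach 2 on "tagged but allowed". The following is an added illustration of that logic written for this thread; it is not Rethink's code, log format, or the project's actual policy. The class names, field names, the 10-minute expiry on remembered answers, the resolver-exemption rule and all apps and IPs are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed illustration of "Block when DNS is bypassed" bookkeeping.
# Nothing here is Rethink's own code; names and data are made up.


@dataclass
class DnsAnswer:
    ts: datetime
    app: str
    domain: str
    ips: List[str]


@dataclass
class Connection:
    ts: datetime
    app: str
    dst_ip: str
    dst_port: int


@dataclass
class TrackedFlow:
    conn: Connection
    domain: Optional[str]  # domain from an earlier DNS answer, None if none matched
    bypassed_dns: bool     # destination IP never came back in a DNS answer
    blocked: bool          # what the (constructed) policy decided


class DnsIpCache:
    """Remembers which IPs each app learned from DNS, with a simple expiry (assumed 10 min)."""

    def __init__(self, ttl: timedelta = timedelta(minutes=10)):
        self.ttl = ttl
        self._entries: Dict[Tuple[str, str], Tuple[str, datetime]] = {}

    def record(self, ans: DnsAnswer) -> None:
        for ip in ans.ips:
            self._entries[(ans.app, ip)] = (ans.domain, ans.ts + self.ttl)

    def domain_for(self, app: str, ip: str, now: datetime) -> Optional[str]:
        entry = self._entries.get((app, ip))
        if entry is None or entry[1] < now:
            return None
        return entry[0]


def track_flows(events, resolver_ips, block_when_dns_bypassed):
    """Replay DNS answers and connections in time order and tag every flow."""
    cache = DnsIpCache()
    flows: List[TrackedFlow] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if isinstance(ev, DnsAnswer):
            cache.record(ev)
            continue
        if ev.dst_ip in resolver_ips:
            # Traffic to the configured resolver is, by definition, not bypassing it.
            flows.append(TrackedFlow(ev, None, False, False))
            continue
        domain = cache.domain_for(ev.app, ev.dst_ip, ev.ts)
        bypassed = domain is None
        blocked = bypassed and block_when_dns_bypassed
        flows.append(TrackedFlow(ev, domain, bypassed, blocked))
    return flows


def blocked_flows(flows):
    """Approach 1: rule ON, list what got blocked."""
    return [f for f in flows if f.blocked]


def bypassed_but_allowed(flows):
    """Approach 2: rule OFF, list flows that skipped DNS yet were allowed."""
    return [f for f in flows if f.bypassed_dns and not f.blocked]


# Constructed sample: one app with a DNS-resolved CDN connection plus a
# hard-coded IP, one app that only uses resolved IPs, and resolver traffic.
RESOLVER_IPS = {"192.0.2.53"}


def sample_events():
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    s = lambda n: t0 + timedelta(seconds=n)
    return [
        Connection(s(0), "com.example.news", "192.0.2.53", 853),
        DnsAnswer(s(1), "com.example.news", "cdn.example.net", ["203.0.113.10"]),
        Connection(s(2), "com.example.news", "203.0.113.10", 443),
        Connection(s(3), "com.example.news", "198.51.100.7", 443),  # never resolved
        DnsAnswer(s(4), "com.example.weather", "api.example.org", ["192.0.2.5"]),
        Connection(s(5), "com.example.weather", "192.0.2.5", 443),
    ]


if __name__ == "__main__":
    for rule_on in (False, True):
        flows = track_flows(sample_events(), RESOLVER_IPS, rule_on)
        print(f"Block when DNS is bypassed = {rule_on}")
        for f in blocked_flows(flows):
            print("  blocked         :", f.conn.app, f.conn.dst_ip)
        for f in bypassed_but_allowed(flows):
            print("  bypassed/allowed:", f.conn.app, f.conn.dst_ip)
```

With the rule off, the only entry in the "bypassed but allowed" filter is the news app's connection to the hard-coded IP; with the rule on, the same flow moves to the blocked list and the other filter is empty. The per-app keying matters: an IP resolved by one app does not vouch for another app connecting to it, which is what lets such a filter point at the specific app worth isolating.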

RohitSurwase commented 1 week ago

I don't think allowing network when DNS is bypassed is concerning as DNS just resolves domains into IPs. If an app already knows the IP, it would bypass the DNS. Unless, we are using DNS as content-blocker similar to Rethink-DNS. I use other DNS as I don't want to burden you guys financially as I read you pay for it from your pocket, Thanks. So an option to filter apps which got allowed by Bypassing the DNS when Block when DNS is bypassed is turned OFF makes more sense to me.

Please let me know your perspective.

ignoramous commented 1 week ago

Thanks.

> BUT, unfortunately, there is no way to filter apps which got allowed by Bypassing the DNS.

Yes, this is possible. We'll consider showing these.

RohitSurwase commented 6 days ago

Thanks for considering the feature request. @ignoramous I have a doubt. If I select any other DNS then whenever I try to add any App to 'Bypass DNS & Firewall' filter, the app shows a message that 'Bypass DNS & Firewall works with Rethink's DNS only' but it still lets me choose that option. Is it a bug or feature? Am I supposed to use 'Bypass DNS & Firewall' filter with Other DNS?

Also, I went through this #1300 issue and found that there was a bug where choosing 'Bypass DNS & Firewall' + Other DNS causes leaks which might have happened in my case too as I am seeing ads.

Please let me know, if required I will create a separate issue for this.

ignoramous commented 6 days ago

Bypass DNS & Firewall works the best with RDNS (as upstream) because it sends both a blocked response and an allowed response even when a domain is blocked by some rule.

For instance, if you use dns.adguard-dns.io, you'd never get an allowed response for adware/trackerware domains like segment.io. And hence, a "bypass" won't work because Rethink doesn't know how to (there's no alternative response from AdGuard, the upstream resolver).

> Other DNS causes leaks which might have happened in my case too as I am seeing ads.

There could be "leaks" but highly unlikely. What's more likely is the app you're using has adblock protection as DNS-based adblocking is pretty trivial to circumvent.

RohitSurwase commented 6 days ago

Ok, I understood that Bypass DNS & Firewall works the best with RDNS. But by best, do you mean it may still work with Other DNS? Bypass DNS & Firewall + Other DNS combination is expected or not, as one can enable Bypass DNS & Firewall irrespective of selected DNS. Thanks

ignoramous commented 6 days ago

> Ok, I understood that Bypass DNS & Firewall works the best with RDNS. But by best, do you mean it may still work with Other DNS?

Yes, it may still work with other DNS, which is why it is allowed.

Works best here means no false positives (blocked but allowed; a "leak") and false negatives (allowed but blocked). Other DNSes may block domains a user may want bypassed (false negatives).

RohitSurwase commented 6 days ago

Thanks so much, this was really helpful.