celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0
3.02k stars 154 forks

Wrong *DNS Bypassed* Detection #1726

Closed SevenFactors closed 1 month ago

SevenFactors commented 1 month ago

From time to time Rethink app blocks Obtainium connections under DNS Bypassed

Most times these connections work without issues. Other times I get a connection timeout socket #### mentioning X, Y and/or Z app repos. When I check the logs in the Rethink app, under Network, the Obtainium connection is blocked for the reason DNS Bypassed.

If I were to turn off Rethink and start it again, these connections work again. The issue comes and goes.

Why is this the case?

When I check the IP being blocked, these seem to be regular IPs. No 8.8.8.8 or any DNS IP that I can recognize, nor any info that I can find of it being a DNS IP. Most apps I get via Obtainium are from GitHub, but also one or two from Codeberg and F-Droid releases (due to the lack of APK releases on their repos).

The reason I have Block when DNS is bypassed enabled is to enforce my preferred DNS. The behavior I expect is for Rethink to block the bypassed DNS queries and re-route these DNS queries to my preferred DNS provider, but this is not the behavior I am experiencing. Bypassed DNS queries get blocked, but the DNS query dies there. The connection gets blocked, never re-routed to my preferred DNS.

Why is this? Is this what is supposed to happen? If so, having these DNS bypasses blocked, re-routed and answered by the user's preferred DNS provider is a much better solution. Please implement this behavior.

Thanks.

EDIT: I am using DOH

Sample images:

img0: ![161840](https://github.com/user-attachments/assets/9af30171-e71a-4582-a31f-7aa4ac13ec0d)

img1: ![163250](https://github.com/user-attachments/assets/9d758efa-a1ef-4ec9-878f-46ebde4119e8)

ignoramous commented 1 month ago

Thanks for the detailed report. Appreciate it.

> Why is this. Is this what is supposed to happen?

A question for Obtainium.

> If I were to turn off Rethink and start it again, these connections work again.

Guess that's because DNS caches (OS, network, app) are being flushed clean.

> If so, having these DNS bypasses blocked and re-routed and answered by the user's preferred DNS provider, is a much better solution

This is, unfortunately, impossible to do.

> No 8.8.8.8 or any DNS IP that I can recognize nor info that I can find of it being DNS IP.

You misunderstand what Block when DNS is bypassed means. It looks like you may want to turn it OFF.

(Closing, as the issue here seems to be either with Obtainium or with understanding what *Block when DNS is bypassed* does, but feel free to reopen in case you think we are mistaken instead. :)

SevenFactors commented 1 month ago

Thank you for your response.

Can you please explain what "Block when DNS is bypassed" means for Rethink app?

As I understand it, it is just as it reads. If any app tries to bypass the user's set DNS provider, the Rethink app firewall will block said DNS queries made to any other DNS provider that is not the one set by the user under Rethink DNS settings.

For which I had expected Rethink to then direct said DNS queries to the user's set DNS provider under the Rethink app (a feature you state is not possible). I can understand this. Technical limitation, etc.

With that said, please, I ask of you to take some time to explain what exactly "Block when DNS is bypassed" means/does for Rethink app firewall?

This will greatly clarify things for me and surely for other users who might run into similar issues with the Rethink app firewall. Furthermore, this will help me understand if indeed there is anything to ask/report to Obtainium. As I see it, the app is merely contacting the repos I have added to the list, which is why it led me to think that somehow the Rethink firewall is misinterpreting some connections as DNS connections made to a DNS provider other than the user's set DNS provider.

Thank you.

ignoramous commented 1 month ago

> Can you please explain what "Block when DNS is bypassed" means for Rethink app? ... For which I had expect Rethink to then direct said DNS queries to the user set DNS provider under Rethink app.

You understand it partially right. It is worded Block and not redirect. If an app connects to an IP directly, without first having resolved a domain name through Rethink, that connection is blocked.

An app can connect straight to an IP due to many reasons, a few being:

  1. The app does its own DNS resolution (ex: Telegram).
  2. The app doesn't need DNS resolution at all (ex: some VPN apps).
  3. The app caches answers from a previous (name) resolution for far longer than it should (ex: Instagram).
  4. The app bypasses (name) resolution to evade possible censorship (ex: WhatsApp).

> Furthermore, this will help me understand if indeed there is anything to ask/report to Obtainium.

You could ask Obtainium if there's any case at all (including aggressive caching) in which it would connect without going through the network-provided DNS resolver.
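The rule described in this thread (a connection to an IP that was never handed out by a resolution through Rethink is reported as DNS bypassed, and case 3 above, an app holding an answer past its TTL, produces the same verdict) can be modelled in a few lines. The following is an added example written for this thread, not rethink-app's own code: it assumes a simplified detector that keys resolutions by answered IP with the answer's TTL, plus a hypothetical `grace_seconds` tolerance; the host name, IPs and TTLs in the replayed timeline are constructed.

```python
"""Toy model of a "block when DNS is bypassed" firewall decision.

Added example; this is not rethink-app code. It assumes a simplified
model: the tunnel records every DNS answer it returned (IP -> name, TTL),
and a new outbound connection is allowed only if its destination IP is
one of those answers and the answer has not expired. Everything else is
reported as "DNS bypassed".
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Resolution:
    name: str
    expires_at: float  # absolute time in seconds


@dataclass
class BypassDetector:
    # Assumed knob: tolerance for apps that hold an answer slightly past its TTL.
    grace_seconds: float = 0.0
    table: dict = field(default_factory=dict)  # ip -> Resolution

    def observe_answer(self, name: str, ip: str, ttl: float, now: float) -> None:
        """Record an answer the tunnel handed back to an app."""
        key = str(ipaddress.ip_address(ip))  # normalises e.g. IPv6 spelling
        self.table[key] = Resolution(name, now + ttl)

    def prune(self, now: float) -> int:
        """Drop expired entries; returns how many were removed."""
        dead = [ip for ip, r in self.table.items()
                if now > r.expires_at + self.grace_seconds]
        for ip in dead:
            del self.table[ip]
        return len(dead)

    def verdict(self, dst_ip: str, now: float) -> tuple:
        """Decide on a new outbound connection to dst_ip: (action, reason)."""
        key = str(ipaddress.ip_address(dst_ip))
        r = self.table.get(key)
        if r is None:
            return ("block", "DNS bypassed: no resolution seen for this IP")
        if now > r.expires_at + self.grace_seconds:
            return ("block", f"DNS bypassed: cached answer for {r.name} expired")
        return ("allow", r.name)


def run_scenario(grace_seconds: float = 0.0) -> list:
    """Replay a constructed timeline resembling the report in this thread.

    IPs are from the RFC 5737 documentation ranges; the host name and TTLs
    are constructed for the example.
    """
    det = BypassDetector(grace_seconds=grace_seconds)
    out = []
    # t=0: the app resolves a repo host through the tunnel; answer TTL 60s.
    det.observe_answer("repo.example", "203.0.113.10", ttl=60, now=0)
    out.append(det.verdict("203.0.113.10", now=1))      # allow
    # t=30: reconnect within the TTL, still allowed.
    out.append(det.verdict("203.0.113.10", now=30))     # allow
    # t=120: the app reuses its own cached answer without re-resolving (case 3).
    out.append(det.verdict("203.0.113.10", now=120))    # block: expired
    # t=121: the app re-resolves, gets a fresh answer, and is allowed again.
    det.observe_answer("repo.example", "203.0.113.10", ttl=60, now=121)
    out.append(det.verdict("203.0.113.10", now=122))    # allow
    # t=130: connection to an IP the tunnel never resolved (cases 1, 2, 4).
    out.append(det.verdict("198.51.100.7", now=130))    # block: never resolved
    return out


if __name__ == "__main__":
    for action, why in run_scenario():
        print(action, "-", why)
```

The third verdict is the symptom from the report: the app reuses an answer it cached earlier, the tunnel never saw a fresh resolution, and the connection is blocked even though nothing was sent to another DNS server; re-resolving (or restarting, which flushes caches) clears it. The `grace_seconds` knob shows the trade-off a defender faces here: a larger tolerance avoids false blocks from aggressive caching, but widens the window in which an app can keep using an old answer.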