A WireGuard client, an OpenSnitch-inspired firewall and network monitor + a pi-hole-inspired DNS over HTTPS client with blocklists.
<img src="https://fdroid.gitlab.io/artwork/badge/get-it-on.png" alt="Get it on F-Droid" height="70"> <img src="https://play.google.com/intl/en_us/badges/images/generic/en-play-badge.png" alt="Get it on Google Play" height="70">
In other words, Rethink DNS + Firewall has three primary modes, VPN, DNS, and Firewall. The VPN (proxifier) mode supports multiple WireGuard upstreams in a split-tunnel configuration. The DNS mode routes all DNS traffic generated by apps to any user chosen DNS-over-HTTPS or DNSCrypt resolver. The Firewall mode lets the user deny internet-access to entire applications based on events like screen-on / screen-off, app-foreground / app-background, unmetered-connection / metered-connection; or based on play-store defined categories like Social, Games, Utility, Productivity; or additionally, based on user-defined denylists.
Rethink supports forwarding TCP and UDP connections over SOCKS5, HTTP CONNECT, and WireGuard tunnels. Split-tunneling further helps run multiple such tunnels at the same time and lets users route different apps over different tunnels. For example, one could route Firefox over SOCKS5 connecting to Tor, Netflix over WireGuard connecting through any popular VPN provider, and Telegram or WhatsApp over censorship-resistant HTTP CONNECT endpoints at the same time.
The firewall doesn't really care about the connections per se rather what's making those connections. This is different from the traditional firewalls but in-line with Little Snitch, LuLu, Glasswire and others.
Currently, per-app connection mapping is implemented by capturing udp
and tcp
connections managed by firestack
(written in golang) and asking ConnectivityService for the owner, an API available only on Android 10 or higher. procfs
(/proc/net/tcp
and /proc/net/udp
) is read on-demand to track per-app connections like NetGuard or OpenSnitch do, on Android 9 and lower versions.
A network monitor is a per-app report-card of sorts on when connections were made, how many were made, and to where. Tracking TCP has turned out to be so far straight-forward. DNS packets are trickier to track, and so a rough heuristic is used for now, which may not hold good in all cases.
Almost all of the network related code (firestack
), including DNS over HTTPS split-tunnel, is a hard fork of Jigsaw-Code/outline-go-tun2socks written in golang. The UI is vastly different but borrows minimally from Jigsaw-Code/Intra. A split-tunnel traps requests sent to the VPN's DNS endpoint and relays it to a DNS-over-HTTPS / DNSCrypt endpoint of the user's choosing, logging the end-to-end latency, time of request, the dns request query itself and its answer.
A malware and ad-blocking DNS over HTTPS resolver at https://sky.rethinkdns.com/1:IAAgAA==
(deployed to 300+ locations world-wide via Cloudflare Workers) is the default DNS endpoint on the app, though the user is free to change that. A configurable DNS resolver that lets users add or remove denylists and allowlists, add rewrites, analyse DNS requests is launching late 2023. Right now, a free-to-use DNS over HTTPS endpoint with custom blocklists can be setup here: rethinkdns.com/configure.
The resolver is deployed to Fly.io at max.rethinkdns.com
and Deno Deploy at rdns.deno.dev
too, apart from the default deployment on Cloudflare Workers.
The resolver is open source software: serverless-dns.
Routing TCP connections over a serverless proxy (hosted on Cloudflare Workers) will soon be part of Rethink. Users would be able to self-host these or use the ones run by us for $1 month of unlimited bandwidth. This service is expected to be launching late 2023.
The proxy is open source software: serverless-proxy.
<img src="https://img.shields.io/github/sponsors/serverless-dns" alt="GitHub Sponsors">
Help translate Rethink DNS + Firewall on Weblate:
Rethink is not an anonymity tool: It helps users tackle unabated censorship and surveillance but doesn't lay claim to protecting a user's identity at all times, if ever.
Rethink doesn't aim to be a feature-rich traditional firewall: It is more in-line with Little Snitch than IP tables, say.
Rethink is not an anti-virus: Rethink may stop users from phishing attacks, malware, scareware websites through its DNS-based blocklists, but it doesn't actively mitigate threats or even look for them or act on them, otherwise.
To turn Android devices into user-agents: Something that users can control as they please without requiring root-access. A big part of this, for an always-on, always-connected devices, is capturing network traffic and reporting it in a way that makes sense to the end-users who can then take a series of actions to limit their exposure but not necessarily eliminate it. Take DNS for example-- for most if not all connections, apps send out a DNS request first, and by tracking just those one can glean a lot of intelligence about what's happening with the phone and which app's responsible.
To deliver the promise of open-internet for all: With the inevitable ESNI standardization and the imminent adoption of DNS over HTTPS and DNS over TLS across operating systems, we're that much closer to an open internet. Of course, Deep Packet Inspection remains a credible threat that can't be mitigated with this, but it is one example of delivering maximum impact (circumvent internet censorship in most countries) with minimal effort (not requiring use of a VPN or access via IPFS, for example). Rethink would continue to make these technologies accessible in the most simplest way possible, especially the ones that get 90% of the way there with 10% effort.
We aren't there yet, may never will be but these are some tenets for the project for the foreseeable future.
<img src="https://fossunited.org/files/fossunited-white.svg" alt="FOSS United" height="40"> <img src="https://rethinkdns.com/ico/moz-builders-2000x550.png" alt="Mozilla Builders" height="40">
Internet censorship (sometimes ISP-enforced and often times government-enforced), unabated dragnet surveillance (by pretty much every company and app) stirred us upon this path. The three of us university classmates, Mohammed, Murtaza, Santhosh got together in late 2019 in the sleepy town of Coimbatore, India to do something about it. Our main gripe was there were all these wonderful tools that people could use but couldn't, either due to cost or due to inability to grok Computer-specific jargon. A lot has happened since we started and a lot has changed but our focus has always been on Android and its 2B+ unsuspecting users. The current idea has been in the works for since May 2020, with the pandemic derailing a bit of progress, and a bit of snafu with abandoning our previous version in favour of the current fork, which we aren't proud of yet, but it is a start. All's good now that we've won a grant from the Mozilla Builders MVP program to go ahead and build this thing that we wanted to... do so faster... and not simply sleep our way through the execution. I hope you're excited but not as much as us that you quit your jobs for this like we did.