RethinkDNS

Rethink DNS

For the RethinkDNS Android app configuration, you can jump to Configuring the Rethink Firewall.

If you’re in a hurry, jump to the headings that say Configuring ... or check out the forum post by a Rethink dev:

🔑 Key Terms

  • IP (Internet Protocol) is the address system of the internet, responsible for delivering packets of data from a source device to a target device. IP is the main way in which connections are made, and is the backbone of the internet. It doesn’t check for errors or ensure the packets are in the correct order, that’s where TCP comes in.

  • TCP (Transmission Control Protocol) is responsible for maintaining a connection through a handshake and putting the packets in the correct order. TCP will also ask for missing pieces and is known as a reliable but slow protocol.

  • UDP (User Datagram Protocol, UDP/IP) is a fast protocol used across the internet for time-sensitive transmissions such as DNS lookups or VoIP. UDP lets a computer send data straight to another without requiring a handshake.

  • DNS server: when you look up a domain name (rethinkdns.com), it triggers a DNS lookup. Several different types of DNS servers typically work together to complete a single DNS lookup.

  • Recursive resolver (DNS recursor): is typically the first stop in the series of the above servers. Its job is to receive queries from the user’s computer and track down the IP address associated with the requested domain name. It gets the query and doesn’t come back until it finds the answer.

  • Iterative resolver: in an iterative DNS query, each DNS server responds directly to the client with a referral to another server, and the client continues querying successive servers until it receives the IP address for the requested domain.

RethinkDNS Overview

RethinkDNS is a DNS Resolver service with custom rules and blocklists as well as a firewall.

The DNS mode gives the end-user their own unique server-endpoint and routes all DNS traffic from the mobile device to their assigned endpoint encrypted over TLS. (from the Rethink one-pager)

A DNS resolver is the address book of the internet: given a domain name, it helps locate the IP address of the server. For example, dns.google.com (a domain name) is located at 8.8.8.8 (IP address). This mapping is retrieved by a DNS resolver.

The DNS resolver runs on Fly.io and on Cloudflare Workers, a low-latency serverless environment available in over 300 cities worldwide. This broad distribution helps enhance anonymity for people using Orbot.

Orbot (Tor) can be used alongside RethinkDNS as a proxy server to change the IP address. See Orbot Integration.

You can also add a WireGuard configuration to the Rethink DNS + Firewall + VPN app. See WireGuard

You can configure Rethink in your device / internet browser that supports Secure DNS (aka DNS over HTTPS).


Configure a Custom DNS resolver with Custom blocklists through Rethink website


The website is for devices that support Secure DNS but don’t support the app, and eventually for registered, paying customers once they are accepted into the private beta.

  1. Go to: RethinkDNS Configure

  2. Use either the simple -> view for groups of blocklists, or the advanced -> view for more fine-grained control.

  3. Once you have them all selected, decide if you want to use DoH or DoT by clicking the DoH button under the Rethink Logo.

  • DoH resolver addresses look like: https://sky.rethinkdns.com/

  • DoT resolver addresses look like: 1-cbycee6juakjaaa

For Firefox, open Settings -> Privacy & Security, scroll down to Enable DNS over HTTPS using, select Max Protection, choose Custom, and enter https://sky.rethinkdns.com/

Firefox doesn’t support DoT natively yet.


Rethink on Android

The front-end Android app is open-source: rethink-app

RethinkDNS doesn’t capture or send any user analytics from the app.

RethinkDNS takes over your VPN slot: it works by creating a local VPN on your device. It’s not a traditional VPN that routes your traffic to a remote server. Instead, it creates a secure tunnel on your phone that all network traffic (including DNS queries) must pass through.

Unlike Android’s Private DNS, which is a system-wide setting, Rethink gives you more granular control over how each individual app handles its network traffic. This enables you to:

  • Force all apps to use the same DNS server you’ve configured through Rethink.

  • Block apps that try to bypass your settings.

  • Apply different rules to different apps.

  • Analyze and log the DNS and network activity for every app, giving you a clear view of what your phone is doing in the background.

    • I have never used Microsoft’s Link to Windows, and even went into settings, disabled it and force-stopped it, and Link to Windows is still the most blocked app on my device, constantly trying to phone home.

Rethink Firewall

It’s not a traditional firewall, but it blocks TCP and UDP connections. This is sufficient for most apps, as they rarely use other forms of TCP/IP transport.

The Firewall app lets you view searchable network logs per connection; lets you know which apps were blocked and when, and which apps are connected where.

With the Firewall, you can set Universal Rules.

Configuring the Rethink Firewall

Go to Configure -> Firewall -> Universal firewall rules and set:

  • Block all apps when device is locked

  • Block newly Installed Apps

  • Block port 80 (insecure HTTP) traffic. It’s said that over 90% of the web now uses HTTPS; don’t visit HTTP sites, it’s unnecessary.

  • Block when DNS is bypassed (Rethink dev: a website a user loads in Firefox won’t use the resolvers set in Rethink’s Configure -> DNS)

  • From here you can get more restrictive if you so choose; I choose to Block apps not in use.

By default, after enabling the Universal firewall, all the apps on your device are still set to allow unrestricted network traffic. This gives you a chance to see which apps need more than the plain allow-traffic rule to work (i.e., Bypass).

Configuring Rethink App rules

To restrict which apps have network access, you have to change that default allow rule by following the next steps. (This sets a default-deny policy, similar to selecting Block all except bypassed apps and IPs.)

  • Go to Configure -> Apps, and tap the 🛜 (Unmetered Wi-Fi) and 📶 (Metered mobile data) icons to block all apps’ access to networking. Obviously, not everything needs this ability.

  • Now, search for the apps you use. Think about whether each needs network access and check that it functions. If the app does need network access, does it also need mobile data access? Search for the app and tap the 🛜📶 icons to allow networking. Try the app again to see if it functions properly; if it doesn’t, the app probably needs extra permissions beyond basic network allowance. You can either Bypass DNS and Firewall, or Isolate it.

  • When you allow Bypass DNS and Firewall, you’re allowing the app to go directly to the system’s default DNS resolver outside of the tunnel Rethink provides.

🚧 Important: Any app you allow to bypass will not have its traffic routed through the RethinkDNS tunnel and therefore will not benefit from the encryption or filtering provided by RethinkDNS. Make sure to set your system’s Private DNS to Automatic so those bypassed apps use your system’s default Secure DNS server.

  • Bypass Universal, from my understanding, is a more comprehensive bypass setting. It bypasses every Rethink setting, including blocklists and any other filtering. But Rethink is still aware of the app with either bypass…

  • If you’ve done all the above steps and your app still isn’t working, you can Exclude the app which is like you’re not using Rethink at all for that app. Rethink is unaware of the app so there will be no logs or data.

  • If you do Isolate an App, you then have to set up trust | allow rules for domains or IPs over a period of time which can take a while. You can go to Apps and search for the app in question, click on it and at the bottom of the screen you’ll see IP Logs, and Domain Logs to help with this.

  • Set the Google Play services app to Bypass Universal; this is required for updates and more.

  • You’ll probably want to allow Google Play Store to access networking as well. For the most privacy, you could check for updates daily and block network access the rest of the time.
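To make the interaction between the universal firewall rules and the per-app states concrete, here is a small constructed model, added for these notes and not RethinkDNS’s own code: the order in which rules are checked, the in-tunnel resolver address 10.111.222.1 and the package names are assumptions, and the reason strings only mirror the wording seen in the Network Logs.

```python
from dataclasses import dataclass

# Constructed, simplified model of the rule order these notes describe
# (per-app rule first, then the universal firewall rules). It is an
# illustration for these notes, not RethinkDNS's code; the order is assumed.
RESOLVER = "10.111.222.1"          # assumed in-tunnel DNS endpoint address
UNIVERSAL = {                      # Configure -> Firewall -> Universal firewall rules
    "block_when_locked": True,
    "block_new_apps": True,
    "block_port_80": True,
    "block_dns_bypass": True,
    "prevent_dns_leaks": True,     # Configure -> DNS -> Prevent DNS leaks
}
APP_RULES = {                      # Configure -> Apps; anything unlisted is Block
    "org.mozilla.firefox": "Allow",
    "com.google.android.gms": "Bypass Universal",
    "com.example.legacy": "Bypass DNS and Firewall",
    "com.example.vpnclient": "Exclude",
}

@dataclass
class Conn:                        # one outgoing TCP/UDP connection attempt
    app: str
    dst_ip: str
    dst_port: int
    device_locked: bool = False
    newly_installed: bool = False

def evaluate(c: Conn) -> tuple[str, str]:
    """Return (verdict, reason) in the words the Network Logs screen uses."""
    rule = APP_RULES.get(c.app, "Block")
    if rule == "Exclude":                              # Rethink never sees it
        return ("outside tunnel", "Excluded, not logged")
    if rule.startswith("Bypass"):                      # both bypasses skip the firewall
        return ("allowed outside tunnel", rule)
    if rule == "Block":
        return ("blocked", "App Blocked")
    if UNIVERSAL["block_when_locked"] and c.device_locked:
        return ("blocked", "Device Locked")
    if UNIVERSAL["block_new_apps"] and c.newly_installed:
        return ("blocked", "Newly Installed App")
    if UNIVERSAL["block_port_80"] and c.dst_port == 80:
        return ("blocked", "Port 80 (HTTP)")
    if c.dst_port == 53 and c.dst_ip != RESOLVER:      # DNS sent past the tunnel
        if UNIVERSAL["prevent_dns_leaks"]:
            return ("redirected to " + RESOLVER, "DNS Leak Prevented")
        if UNIVERSAL["block_dns_bypass"]:
            return ("blocked", "DNS Bypass")
    return ("allowed", "Allowed")
```

Flip the entries in UNIVERSAL and APP_RULES to see which reason an app ends up with before changing the real settings.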

Configuring Networking

Go to Configure -> Network:

  • Choose a fallback DNS; this will be used in case the primary resolver becomes unavailable or unreachable.

  • The app defaults to IPv4; you can set it to IPv6 (experimental) or Auto (experimental).

  • If you want Rethink to use both Wi-Fi and mobile data at the same time, turn on Use all available networks.

  • Many of these tips come from the following Forum:

Encrypted DNS in your Android Browser

(Edited: 09/10/25) ⚠️ If you need to bypass the DNS and Firewall for your browser, it won’t be protected by your chosen RethinkDNS encryption protocol unless that is configured elsewhere (i.e., within the browser itself). Until you can get your browser working without bypassing, you’re better off excluding Firefox and using its built-in DNS over HTTPS so you are protected.

The following is only if you didn’t bypass anything in Rethink for your browser.

For Android Firefox, switch the DNS over HTTPS setting to "Off" (Use your default DNS resolver). This will allow Firefox to use the DNS resolver you configured through RethinkDNS.

Open Firefox and go to https://dnsleaktest.com; you should only see a few servers. For example, with Quad9 I see 4 servers with the ISP WoodyNet. If you see many servers in many locations, Firefox’s traffic isn’t being routed correctly through the tunnel, and I recommend re-enabling DNS over HTTPS in Firefox until it’s worked out.

All the servers listed on dnsleaktest receive a request to resolve a domain name to an IP address every time you enter a web address in your browser. They can associate your personal IP with the names of all the sites you visit so be careful messing with this.

In Firefox, enter about:config in the URL bar, scroll down to network.trr.mode and change its value to 3 to prevent leaking DNS queries to the system resolver. I say scroll because when I did it, the search didn’t find network.trr.mode.

Configuring a Custom DNS

Go to Configure -> DNS -> Other DNS. From there you have quite a few choices.

Let’s say you chose DoT (DNS-over-TLS); from there you can choose between 5 providers. Mullvad has a good reputation for keeping minimal data.

Now, any app that doesn’t bypass Rethink will be routed through your chosen protocol.

Configuring DNS

When you set a user-specified DNS endpoint (as you do with Rethink), the DNS resolver runs locally on your device or network. Your system is configured to send DNS queries to this local endpoint (a loopback address, e.g., 127.0.0.1) instead of directly to a public DNS server like 1.1.1.1.

This setup prevents DNS query leaks, meaning no DNS queries bypass the configured resolver. (What we chose in Configuring a Custom DNS).

In Configure -> DNS you can:

  • Turn ON Advanced DNS filtering to make sure domain-to-IP-address mapping isn’t polluted (experimental).

  • Turn ON Prevent DNS leaks to ensure all DNS queries go through the app’s secure tunnel.

DNS uses port 53 as its standard port for the queries that translate domain names into IP addresses. Preventing DNS leaks works by capturing all outgoing packets on port 53 and redirecting them to the user-specified secure DNS endpoint rather than the system or network default.

Logs

On-device logging is on by default. You can find it in Configure -> Settings. From there, you can set the log level and choose a notification action.

If anyone else uses your phone, it’s probably a good idea to enable app lock.

By default, no logs are sent or stored. Only if a paying customer enables logs are they even captured; otherwise, there’s zero information stored on their servers with respect to the DNS requests sent to the RethinkDNS resolver.

Currently, you can drop them a note to purge the system of your logs.

Go to Configure -> Logs, and try to access the app that’s not working. You should see said app at the top of the Network Logs, click it. In the top right of the tab, you’ll see the reason why it’s not working such as: App Blocked, or DNS Bypass.

You can also go to Apps and search for the App you need, click on it and at the bottom of the screen you will see IP Logs, and Domain Logs.

Once you click on the log of the app in question, you’ll be given 3 drop-down options. If you set an app to Bypass DNS and Firewall settings, you will see that in the first drop-down box.

The next drop-down is Block/trust this IP for this app, where you can set a rule to Block or Trust.

Apps like Reddit rely on many third-party services, backend APIs etc. to work. It’s my understanding that this fine-grained control isn’t fully worked out yet and some connections or domains will stay blocked even with an explicit Trust rule. I’m still tweaking this, but it seems like Reddit needs to be excluded for consistent functionality.

Resources
