
RethinkDNS User's Guide


I’m not affiliated with RethinkDNS in any way, I’m just a technologist with privacy concerns.

🔑 Key Terms

  • IP (Internet Protocol) is the address system of the internet, responsible for delivering packets of data from a source device to a target device. IP is the main way in which connections are made, and it is the backbone of the internet. It doesn’t check for errors or ensure the packets arrive in the correct order; that’s where TCP comes in. When you set an IP rule in Rethink, this is what you’re setting: a trusted (or blocked) IP address.

  • Port: A port in networking is a virtual communication endpoint managed by a computer’s operating system that helps direct network traffic to specific apps or services. While an IP address identifies a device on a network, ports allow the system to know exactly which app or service should handle the incoming or outgoing data. Web traffic commonly uses port 80 (HTTP) or 443 (HTTPS), so when data arrives for those ports, it’s routed to the web server application on the device. When we block port 80, we block insecure HTTP connections.

  • TCP (Transmission Control Protocol) is responsible for maintaining a connection through a handshake and putting the packets in the correct order. TCP will also ask for missing pieces and is known as a reliable but slow protocol.

  • UDP (User Datagram Protocol, UDP/IP) is a fast protocol used across the internet for time-sensitive transmissions such as DNS lookups or VoIP. UDP allows a computer to send data straight to another without requiring a handshake.

  • DNS Server: When you search for a domain name (rethinkdns.com) it triggers a DNS lookup. Several different types of DNS servers typically work together to complete a single DNS lookup.

  • Recursive resolver (DNS recursor): typically the first stop in the series of servers described above; it performs the lookup on the client’s behalf.

  • Iterative resolver: In an iterative DNS query, each DNS server responds directly to the client with a referral to another server, and the client continues querying successive servers until it receives the IP address for the requested domain.

  • Proxy: A proxy, in relation to Orbot with Rethink, is an intermediary service that routes internet traffic from your device through the Tor network to provide privacy and anonymity.

  • Bypass DNS and Firewall: When you choose this setting, it does exactly that. The app that is allowed to bypass will not have its traffic routed through the Rethink encrypted tunnel and will fall back to your system’s Private DNS setting. Rethink will still be aware of the app, but it won’t route its traffic.

  • Bypass Universal: Similar to Bypass DNS and Firewall with the added bypass of any filters or blocklists. So your extreme privacy blocklist won’t block this app. Rethink will still be aware of said app.

  • Exclude: Rethink will not be aware of this app and it will not be routed through RethinkDNS.

  • 🛜 (Unmetered Wi-Fi): Wi-Fi settings, either blocked or allowed.

  • 📶 (Metered mobile): Mobile data settings, either blocked or allowed.
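To make the IP, port, UDP and DNS terms above concrete, here is an added example (my own illustration, not code from the guide or from RethinkDNS) that builds the plaintext DNS query an app would send in a UDP datagram to port 53 and parses the matching answer. The response bytes, the query id and the TEST-NET address 192.0.2.10 are constructed for the demonstration; nothing is sent over the network. Because every field is readable, this is exactly the traffic that an on-path observer or ISP can log, which is why the guide routes DNS through an encrypted resolver instead.

```python
"""Added example (not from the RethinkDNS guide): build a plaintext DNS
query as carried in a UDP datagram to port 53, and parse the response.
All bytes here are constructed for illustration; no packets are sent."""
import struct

DNS_PORT = 53          # the well-known port DNS servers listen on
TYPE_A = 1             # IPv4 address record
CLASS_IN = 1           # Internet class
MAX_POINTER_HOPS = 16  # guard against compression-pointer loops


def encode_name(name: str) -> bytes:
    """Encode 'rethinkdns.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Return the UDP payload of a standard recursive query for an A record."""
    # header: id, flags (RD=1 asks the resolver to recurse), QD=1, AN=NS=AR=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def decode_name(data: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, hops, jumped, end = [], 0, False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("too many compression pointers")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(data: bytes):
    """Return (qid, [(name, rtype, ttl, rdata)]) from a DNS response payload."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    for _ in range(qd):                   # skip the echoed question section
        _, offset = decode_name(data, offset)
        offset += 4                       # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return qid, answers


def constructed_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Fabricate the answer a resolver would return for `query` (constructed data)."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    rr = (b"\xC0\x0C"                                          # pointer to the name at offset 12
          + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
          + bytes(int(x) for x in ip.split(".")))
    return header + question + rr


if __name__ == "__main__":
    q = build_query("rethinkdns.com")
    print("query bytes:", q.hex())
    print("parsed answer:", parse_response(constructed_response(q, "192.0.2.10")))
```

Every byte of the query (the queried name included) travels in the clear when sent to a port 53 resolver; DoH, DoT and DNSCrypt wrap this same message in an encrypted transport, and Rethink's "Block port 80" and "Prevent DNS leaks" options are about keeping the wrapped version from being bypassed.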

RethinkDNS Overview

The DNS mode routes all DNS traffic generated by all apps to any user chosen DNS-over-HTTPS, DNS-over-TLS, DNSCrypt, or Oblivious DNS-over-HTTPS resolver.

Firewalls like Rethink that block both UDP and TCP connections are usually sufficient because nearly all applications rely on these two protocols for their networking and communication. Almost every app communicates over TCP or UDP, so blocking these protocols effectively restricts most network traffic from and to apps, preventing them from connecting without permission.

I will share how I use RethinkDNS; obviously, feel free to make changes based on your threat model and needs.

Getting Started

DNS

Go to Configure -> DNS -> Other DNS:

  • Choose the type of resolver you want; I use DNSCrypt. Once you click, you can choose the specific resolver you want, such as Quad9. You may notice that it says Failed: using fallback DNS. This is only because we haven’t turned it on yet; we will recheck this once we turn it on.

  • If you want a relay in a specific country, you can click the Relays tab. For DNSCrypt you are given the choice between the Netherlands, France, Sweden, Los Angeles, and Singapore. You might do this if you were trying to circumvent censorship.

Under Rules, set the following:

  • Advanced DNS filtering (experimental): Assign unique IP per DNS request.

  • Prompt on blocklist updates

Leave all the Advanced defaults unless you want to turn on Never proxy DNS.


Network

Go to Configure -> Network:

  • Set Use all available networks to ON. This enables Wifi and mobile data to be used at the same time by Rethink. (Optional, may use more battery)

  • Set your IP version: The default is IPv4, you can choose between IPv6 (experimental) and Auto (experimental) if you use IPv6.

  • Using the Loopback option sounds like a good idea, but it makes many of the resolvers fail.

  • Choose fallback DNS: When your user-preferred DNS is not reachable, fallback DNS will be used.

  • You may want to experiment with shutting off Enable network visibility, just keep in mind that some apps may break. Shutting this off prevents apps from accessing all available networks, stopping them from bypassing Rethink’s tunnel. This caused issues with the browser when turned off.


Firewall

Go to Configure -> Firewall -> Universal firewall rules and set the following to ON:

  • Block all apps when device is locked

  • Block when DNS is bypassed

  • Block newly installed apps by default (Optional: If you use this, remember that you did)

  • Block port 80 (insecure HTTP) traffic


Turn ON DNS and Firewall

Go to Home 🏠:

  • Click the big Start button on the bottom of the screen and leave it set to the default DNS and Firewall (default)

Now that we’ve started the DNS and Firewall, we can go back to Configure -> DNS and ensure the provider we chose started successfully. You can also experiment with different types of resolvers; make sure to wait until the status below the chosen resolver says Connected.

Now, all of the apps on your device default to allowing both Wi-Fi and mobile data access through the RethinkDNS encrypted tunnel. Try some of your most used apps to see if they function correctly.

RethinkDNS’s firewall blocks or restricts any network traffic that isn’t explicitly allowed. Although by default all apps are allowed, some apps require special permissions or bypasses due to their network behavior. Many apps rely on multiple external services, backend APIs, etc. that may be blocked by the firewall.


Apps that Don’t work

I will use Reddit as an example; the process is the same for any app. Reddit’s app and website rely on multiple third-party services and external domains beyond just reddit.com itself.

For apps that don’t work, it’s important to ensure that your system’s Private DNS is set to Automatic.

Go to Home -> Apps:

Search for Reddit, click on it, and the Firewall Rules For Reddit will pop up. Since it is already allowed both Unmetered and Metered connections and still doesn’t work, we can try one setting at a time until it does work. This is the same process for other apps that aren’t working.

  • First, you can try allowing the app to Bypass DNS & Firewall. Try the app again, does it work? If not:

  • Bypass Universal, this allows it to ignore any filters or blocklists as well. If the app still doesn’t work you can:

  • Exclude the app. This makes RethinkDNS completely unaware of the app and is often what is required for Reddit. It is my understanding that after you Exclude Reddit, for example, your system’s Automatic Secure DNS will pick it up.

  • You can also Isolate an app; you then have to set up trust | allow rules for domains or IPs over a period of time, which can take a while. You can go to Apps and search for the app in question, click on it, and at the bottom of the screen you’ll see IP Logs and Domain Logs to help with this.


Firefox Encrypted DNS through Rethink

First, make sure you can visit a few sites in Firefox. If you can, then your browser traffic should be routed through the Rethink tunnel; we will verify that in Checking for DNS Leaks below. If you can’t, go to Home -> Apps and search for Firefox: is networking enabled?

Sometimes rebooting your phone can help with this, I noticed that I couldn’t reach any site until a reboot.

RethinkDNS Settings

For the best experience routing your browser traffic through your custom endpoint (e.g., DNSCrypt) ensure the following are set:

  • Do not turn on Block any app not in use in the Universal firewall. After some Log digging, I found that this causes the browser to fail more often than not.

  • Configure -> Network -> Enable network visibility set to the default ON. I had experimented with turning this off and certain websites wouldn’t load when on Wi-Fi and none would load on mobile data. Turning it back on seemed to fix both with no leaks detected.

Double check that in Rethink’s Configure -> DNS the default Prevent DNS leaks is set, as well as the Universal Firewall’s Block when DNS is bypassed.

Firefox Settings

In Firefox, plug about:config into the URL bar, scroll down to network.trr.mode and change its value to 3, to prevent leaking DNS queries to the system resolver. I say scroll because when I did it, the search didn’t find network.trr.mode.

In Firefox Settings -> Privacy & Security, set DNS over HTTPS to Default Protection, this enables Firefox to use RethinkDNS’s DNSCrypt resolver or whatever you chose.

Checking for DNS Leaks

Go to:

https://dnsleaktest.com

Also crosscheck with:

https://ipleak.net

ipleak.net may show many more servers, but as long as they are all related to your resolver (e.g., WoodyNet for Quad9) you are not leaking to your ISP or other third parties.

For DNSCrypt with Quad9 Security, dnsleaktest found 5 servers all with the ISP WoodyNet indicating success through Quad9. Quad9 relies on Packet Clearing House, that’s where the WoodyNet name comes from.

When on mobile data, https://dnsleaktest.com may show more servers. As long as they all belong to the same ISP, you’re good.

A different solution could be to experiment with stricter RethinkDNS settings and just use the browser’s built-in DNS over HTTPS on max protection. Having stricter defaults in Rethink for all of your apps and configuring your browser separately may be a better option; the choice is yours.

When hunting down a solution you can go to Configure -> Logs, then try to visit the site that wouldn’t work while watching the logs. You should see Firefox pop up; click it, and in the top right of the pop-up should be the reason it was blocked.


DuckDuckGo

I also tested DuckDuckGo with its stock configuration, and dnsleaktest.com showed that DDG’s traffic was successfully tunneled through Rethink to Quad9’s servers.

dnsleaktest.com showed all WoodyNet ISPs indicating success.


Chromium Based Browsers (Brave)

Brave would not work when routed through Rethink and Chrome completely ignored it. Brave is definitely better if you must use a Chrome derivative.

  • I tried disabling the Brave Shield Use Secure DNS to see if that helped; it didn’t. There may be more you could do here to get it working…

  • I do have Chrome and google apps disabled on my main device and only active in the Secure Folder which is like a sandboxed environment. This could very well be the reason it ignored Rethink, I don’t care to test further…

  • EU Hits Google with 3.5 Billion Antitrust


More Fine Grained Control & Enhanced Privacy

❗ NOTE: If you are happy with the functionality as is, it is unnecessary to follow these steps. If you already only install the minimal apps needed on your phone (i.e., only install what you use), you can probably just go to individual apps and block the networking that you are worried about, such as Facebook and Google. Routing all of your apps through Rethink already gives you great privacy and security benefits.

If you read the following GrapheneOS discussion forum:

It suggests you go to Home -> Apps and, right under Showing all apps, click on the grayed-out 🛜📶 to set a rule that blocks both Metered and Unmetered connections for all apps by default.

The point here is that not every App on your device needs network access all the time or at all in some cases. Watch your Logs and see which apps “phone home” the most. Think about which Apps would leave you the most vulnerable and either block network access completely or block and unblock as needed based on your threat model.

I would recommend removing network access from your password manager until you need it or better yet use something completely offline like KeePassDX.

I have never used Link to Windows and I Disable & Force Stop it and Link to Windows is still my most blocked App of all time by Rethink…

If you go for default deny, you will have to search for every app that you use, start by enabling networking, and then follow the Apps that Don’t work section for each app until it works as expected. If you really think about it, the number of apps that require constant networking should be limited.


Tor

If you want to learn how Tor works, I suggest reading the following in this order:

  1. PrivacyGuides In Praise of Tor

  2. PrivacyGuides Tor Overview

Tor is at risk, and needs our help. Despite its strength and history, Tor isn’t safe from the same attacks oppressive regimes and misinformed legislators direct at encryption and many other privacy-enhancing technologies.–How to Support Tor

The following is a summary of some of the Tor Overview; all credit goes to them. It is important to spread the word when you can! You can read the full article here. If you are interested in learning how Tor works, I suggest starting with In Praise of Tor.

If you are fortunate enough to live outside of oppressive regimes with extreme censorship, using Tor for everyday, mundane activities is likely safe and won’t put you on any harmful “list.” Even if it did, you’d be in good company; these lists mostly contain great people working tirelessly to defend human rights and online privacy worldwide.

By using Tor regularly for ordinary browsing, you help strengthen the network, making it more robust and anonymous for everyone. This collective support makes staying private easier for activists, journalists, and anyone facing online surveillance or censorship. The writer of the PrivacyGuides article mentions using Tor when he needs to access Google Maps, to protect his privacy.

So, consider embracing Tor not only for sensitive browsing but also for daily routine tasks. Every user adds valuable noise to the network, helping protect privacy and freedom for all.


Setting up Orbot with a TCP-only Proxy

(Edited 09-12-25) My understanding here has changed, I apologize for any confusion this caused.


TCP-Only Proxies forward all TCP-level connections from selected apps to Orbot.

They are best for apps that use multiple TCP protocols beyond just basic web browsing (HTTP/HTTPS), like messaging apps (Signal), search apps (DDG), etc. Because it proxies all TCP traffic, it can cause some apps to slow down or break if they expect direct DNS or UDP.

First install Orbot, then open Orbot -> More -> Orbot Settings and turn on Power User Mode. This is important: if you forget this, Rethink’s auto Orbot setup will not let you choose between SOCKS and HTTP proxies.

You should also check Allow Background Starts [x].

Go to Configure -> Proxy -> Setup Orbot:

  • Click Add / Remove 0 apps, search for an app that you want to run through Orbot. For simple testing I chose DuckDuckGo with a TCP-only Proxy.

  • Set Orbot to Bypass Universal

  • The first time you start Orbot through Rethink, you’ll have to click the Orbot > to Connect as well as grant permissions. After you start Orbot successfully, check out Rethink’s Home; below the STOP button it should say Protected With Tor.

Open DuckDuckGo and go to:

https://dnsleaktest.com

Also crosscheck with:

https://ipcheck.net

❗ You may see that ipleaktest initially shows a Tor exit relay location such as the Netherlands; once you complete a Standard Test, it still shows WoodyNet ISPs. Since I configured Rethink to use DNSCrypt with Quad9, this is completely expected. This confirms that my DNS traffic is not leaking to my ISP and is properly anonymized through Tor and Quad9. As long as you don’t see your actual ISP’s servers in the results, your setup is working as intended.

Now you can add more apps that would benefit from anonymity, such as FairEmail, RSS feeds, and crypto wallets. I believe Signal requires that you set up the SOCKS5 proxy to work correctly, which is pretty straightforward.

See: Orbot Integration Manual Method
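For readers who want to see what a SOCKS5 proxy such as Orbot actually exchanges with an app, here is an added example of my own (not code from the guide, Rethink or Orbot) that builds and parses the RFC 1928 messages for a CONNECT, plus the check a practitioner cares about: whether the request carries a hostname (so the proxy resolves it inside the Tor circuit) or an IP literal (so the app already resolved the name on the device through whatever resolver Rethink routed it to). The proxy reply bytes are constructed, and the loopback address and port 9050 are only used as sample values for Orbot's local SOCKS listener; no sockets are opened.

```python
"""Added example (not from the guide, RethinkDNS or Orbot): the SOCKS5
handshake and CONNECT request/reply as defined in RFC 1928, and a check
for whether name resolution happens at the proxy or on the device.
Everything is constructed in memory; nothing connects to a proxy."""
import ipaddress
import struct

SOCKS_VERSION = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def client_greeting() -> bytes:
    """VER, NMETHODS, METHODS: offer only 'no authentication required'."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def parse_method_selection(data: bytes) -> int:
    """Server answers VER, METHOD; 0xFF means none of our methods was accepted."""
    ver, method = data[0], data[1]
    if ver != SOCKS_VERSION or method == 0xFF:
        raise ValueError("proxy rejected the offered authentication methods")
    return method


def connect_request(host: str, port: int) -> bytes:
    """VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT for a TCP CONNECT.
    A hostname is sent verbatim (ATYP 0x03); an IP literal as ATYP 0x01/0x04."""
    try:
        addr = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
        dst = addr.packed
    except ValueError:                       # not an IP literal: a domain name
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("domain name too long for SOCKS5")
        atyp, dst = ATYP_DOMAIN, bytes([len(raw)]) + raw
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + dst + struct.pack("!H", port)


def parse_address(data: bytes, offset: int):
    """Decode ATYP + address + port starting at `offset`; return (host, port, end)."""
    atyp = data[offset]
    offset += 1
    if atyp == ATYP_IPV4:
        host, offset = str(ipaddress.IPv4Address(data[offset:offset + 4])), offset + 4
    elif atyp == ATYP_IPV6:
        host, offset = str(ipaddress.IPv6Address(data[offset:offset + 16])), offset + 16
    elif atyp == ATYP_DOMAIN:
        n = data[offset]
        host, offset = data[offset + 1:offset + 1 + n].decode("idna"), offset + 1 + n
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    port = struct.unpack("!H", data[offset:offset + 2])[0]
    return host, port, offset + 2


def resolves_at_proxy(request: bytes) -> bool:
    """True when the CONNECT carries a hostname, so the proxy (Orbot/Tor) does the
    DNS lookup. False means the app resolved the name itself before asking the
    proxy, which is the pattern behind DNS leaks in proxied apps."""
    if request[:3] != bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]):
        raise ValueError("not a SOCKS5 CONNECT request")
    return request[3] == ATYP_DOMAIN


def parse_reply(data: bytes):
    """VER, REP, RSV, ATYP, BND.ADDR, BND.PORT -> (status text, bound host, bound port)."""
    if data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    status = REPLY_TEXT.get(data[1], f"unassigned ({data[1]:#x})")
    host, port, _ = parse_address(data, 3)
    return status, host, port


def constructed_reply(rep: int = 0, bound_ip: str = "0.0.0.0", bound_port: int = 0) -> bytes:
    """Fabricate the proxy's reply (constructed data, not captured from Orbot)."""
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + ipaddress.IPv4Address(bound_ip).packed + struct.pack("!H", bound_port)


if __name__ == "__main__":
    print("greeting      :", client_greeting().hex())
    print("method chosen :", parse_method_selection(bytes([SOCKS_VERSION, NO_AUTH])))
    req = connect_request("check.torproject.org", 443)
    print("connect       :", req.hex(), "resolved at proxy:", resolves_at_proxy(req))
    print("reply         :", parse_reply(constructed_reply()))
```

The `resolves_at_proxy` check is the wire-level view of the guide's warning that a TCP-only proxy can break apps that "expect direct DNS": an app that resolves names itself and then hands the proxy an IP literal still works, but its lookups never touched Tor. Watching Rethink's Domain Logs for an Orbot-proxied app is the practical way to spot that pattern.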

Look into an RSS Feed, they give you complete control of the content you consume, no algorithm involved! This blog is also in RSS format at <tsawyer87.github.io/index.xml>

This can also be useful on public Wi-Fi or other insecure networks.

  • You can also open Orbot and Choose How to Connect, if you want to hide Tor use.

  • When you’re done, you can switch Setup Orbot back to None (default). If you’re completely done with it you can click Add / Remove (1 app), search for the Apps you’ve added and de-select them.

  • Go to Home and now below Stop it should just say Protected.

  • If you live in an area where Tor use isn’t discriminated against, consider activating your Orbot Kindness tab so others who are in oppressive regimes can use your device as a bridge. This is a great way to give back!

  • A good use for this could be to switch it on and off as needed, such as when you check your online banking, want to send a private email, or browse sensitive topics. It has been proven that people who feel like they are being watched are less creative and curious.

  • When it really matters consider using Tor Browser through Tails OS or Whonix.

Logs

On-device logging is on by default. You can find it in Configure -> Settings. From there, you can set the log level and choose a notification action.

If anyone else uses your phone, it’s probably a good idea to enable app lock.

Go to Configure -> Logs, and try to access the app that’s not working. You should see said app at the top of the Network Logs; click it. In the top right of the tab, you’ll see the reason why it’s not working, such as App Blocked or DNS Bypass.

DNS Bypass means that the app in question is trying to bypass the Rethink tunnel and is being actively blocked. You can search for said app and try setting IP or Port Trust rules.

You can also go to Home -> Apps and search for the App you need, click on it and at the bottom of the screen you will see IP Logs, and Domain Logs.

Once you click on the log of the app in question, you’ll be given 3 drop-down options. If you set an app to Bypass DNS and Firewall, you will see that in the first drop-down box.

The next drop-down is Block/trust this IP for this app, where you can set a rule to Block or Trust.


Resources
