Question about Rethink: DNS + Firewall + VPN app.


Morro

I saw this app mentioned here on MT, and I decided to give it a try on my cell phone. It's great that such an app is free and open source, but I am not sure about one thing.

Before I just installed Rethink DNS, I was using DNS4EU on my phone (just like on my desktop), and the Rethink DNS app warned me that I should deactivate my phone's private DNS so that it can use its own Rethink default DNS. I know I can change it back to the system DNS in Rethink DNS settings, but does anyone know how good and safe the Rethink DNS is? I trust DNS4EU, but I have no idea how Rethink DNS compares to DNS4EU.
 
I did not use the app before, but used their DoH.

It was nice; almost the same speed as ControlD and customizable without creating an account.
I cannot recall which one advised me not to use it (Marko or SeriousHoax), so I moved to ControlD after AdGuard.
 
I saw this app mentioned here on MT, and I decided to give it a try on my cell phone. It's great that such an app is free and open source, but I am not sure about one thing.
You probably saw it mentioned by me as I use it on my phone all the time.
Before I just installed Rethink DNS, I was using DNS4EU on my phone (just like on my desktop), and the Rethink DNS app warned me that I should deactivate my phone's private DNS so that it can use its own Rethink default DNS.
The app does that to avoid a conflict with DNS. When you use the Private DNS feature in Android, depending on which DNS servers you use, you're using either DoH or DoT. If you use Google Public DNS and Cloudflare 1.1.1.1 DNS in the setting, then you're using DoH, but if you use any other DNS service, you're using DoT.
Google Public DNS and 1.1.1.1 are hard-coded into Android, which is why any other DNS resolvers use DoT—this cannot be changed.

Don't worry, this is completely normal. DoH is a superior standard to the DoT you were using with the Private DNS feature. DoT is often blocked on public networks because it has a separate port, while DoH can't be blocked (easily) due to using the port HTTPS websites use.
I know I can change it back to the system DNS in Rethink DNS settings, but does anyone know how good and safe the Rethink DNS is? I trust DNS4EU, but I have no idea how Rethink DNS compares to DNS4EU.
Rethink DNS is two things under the same name: a DNS service and an app. My recommendation is that you do not use their DNS service. While it is very stable and fast because it uses Cloudflare's servers, they rarely update blocklists, which is simply not enough. That means newer trackers might not be blocked or that broken websites won't be fixed until they update the blocklist.

What I can recommend you is to use their Rethink DNS app along with 3rd party DNS servers. I'll also recommend you to download their app either from F-Droid, their website or GitHub as it has more features than the Play Store version.
I did not use the app before, but used their DoH.

It was nice; almost the same speed as ControlD and customizable without creating an account.
I cannot recall which one advised me not to use it (Marko or SeriousHoax), so I moved to ControlD after AdGuard.
I think it was me. Why? Because of this:

Screenshot_1.png
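
The DoT/DoH transport difference described in the reply above, as an added example that is not part of the original thread: the same DNS query framed for DoT (RFC 7858, port 853) and for a DoH GET request (RFC 8484, port 443), plus a check of which one survives a port-based filter. The resolver host `dns.example` and the `/dns-query` path are placeholders.

```python
import base64
import struct

DOT_PORT = 853   # DNS over TLS, RFC 7858 (dedicated port)
DOH_PORT = 443   # DNS over HTTPS, RFC 8484 (same port as ordinary HTTPS)

def build_query(name, qtype=1, txid=0):
    """Encode a one-question DNS query (qtype 1 = A) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def frame_dot(query):
    """DoT: the message goes over TLS with a 2-byte length prefix."""
    return struct.pack("!H", len(query)) + query

def frame_doh_get(query, host, path="/dns-query"):
    """DoH GET: the message is base64url-encoded with padding stripped."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{host}{path}?dns={b64}"

def reachable(blocked_ports):
    """Which encrypted DNS transports pass a port-based egress filter."""
    return {"DoT": DOT_PORT not in blocked_ports,
            "DoH": DOH_PORT not in blocked_ports}

if __name__ == "__main__":
    q = build_query("example.com")
    print("DoT frame:", frame_dot(q).hex())
    print("DoH URL:  ", frame_doh_get(q, "dns.example"))  # placeholder host
    # A public network that blocks only the DoT port still passes DoH.
    print(reachable({853}))
```

Blocking port 443 to stop DoH would also break ordinary HTTPS browsing, which is why a filter has to target known resolver hostnames or IPs instead.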
 
What I can recommend you is to use their Rethink DNS app along with 3rd party DNS servers.
By doing this, the user is utilizing the app's "Firewall" features to block certain apps entirely and using DNS blocking, provided by services like ControlD, to filter and block questionable hosts for other apps. Am I reading this right?
 
By doing this, the user is utilizing the app's "Firewall" features to block certain apps entirely and using DNS blocking, provided by services like ControlD, to filter and block questionable hosts for other apps. Am I reading this right?
So the app has three modes:

1. DNS (battery saver)
This mode works just like a regular DoH client. You enter the desired DoH address and it simply forwards all DNS requests to it.

2. Firewall
Firewall mode doesn't use DNS, just the firewall feature. It lets you allow/block internet access to apps, and you can block certain domains, IPs and ports. There are also a bunch of rules you can set, such as an app accessing the internet only when the screen is on, or only at certain times. You can also set whether the app is allowed to use Wi-Fi or mobile data or neither.

3. DNS and Firewall (default)
This combines both features; you get secure DNS and the ability to control internet access for apps. This mode allows you to use anti-censorship tools and you can even use WireGuard/Tor at the same time. Yes, the app has Tor and WireGuard functionality built in, so you can add your WireGuard profile and use it without using a separate app. There's also an option to forward all DNS traffic from port 53 to your DoH, so even the apps that use their own DNS server are filtered.

Worth noting: DNS and Firewall mode lowers the speed of your internet connection, but realistically you're not feeling it during surfing (at least I didn't). I'm using this mode only when I'm at work as WhatsApp then functions normally.
 
I saw this app mentioned here on MT, and I decided to give it a try on my cell phone. It's great that such an app is free and open source, but I am not sure about one thing.

Before I just installed Rethink DNS, I was using DNS4EU on my phone (just like on my desktop), and the Rethink DNS app warned me that I should deactivate my phone's private DNS so that it can use its own Rethink default DNS. I know I can change it back to the system DNS in Rethink DNS settings, but does anyone know how good and safe the Rethink DNS is? I trust DNS4EU, but I have no idea how Rethink DNS compares to DNS4EU.
My mythology and that's just me is to spread my love. Love peace and flowers. I never employ all layers of my defense from the same vendor since that's a single point of failure/compromise. I cast a wide net so if one vendor goes rogue the other will catch it (incentive is to take their customer base so they will be more than happy to discover a vulnerability of their competitors).
 
You probably saw it mentioned by me as I use it on my phone all the time.

The app does that to avoid a conflict with DNS. When you use the Private DNS feature in Android, depending on which DNS servers you use, you're using either DoH or DoT. If you use Google Public DNS and Cloudflare 1.1.1.1 DNS in the setting, then you're using DoH, but if you use any other DNS service, you're using DoT.
Google Public DNS and 1.1.1.1 are hard-coded into Android, which is why any other DNS resolvers use DoT—this cannot be changed.

Don't worry, this is completely normal. DoH is a superior standard to the DoT you were using with the Private DNS feature. DoT is often blocked on public networks because it has a separate port, while DoH can't be blocked (easily) due to using the port HTTPS websites use.

Rethink DNS is two things under the same name: a DNS service and an app. My recommendation is that you do not use their DNS service. While it is very stable and fast because it uses Cloudflare's servers, they rarely update blocklists, which is simply not enough. That means newer trackers might not be blocked or that broken websites won't be fixed until they update the blocklist.

What I can recommend you is to use their Rethink DNS app along with 3rd party DNS servers. I'll also recommend you to download their app either from F-Droid, their website or GitHub as it has more features than the Play Store version.

I think it was me. Why? Because of this:

View attachment 294287
Week+ for a blocklist update in 2026 might as well be 3 years.
 
Firewall
Firewall mode doesn't use DNS, just the firewall feature. It lets you allow/block internet access to apps, and you can block certain domains, IPs and ports. There are also a bunch of rules you can set, such as an app accessing the internet only when the screen is on, or only at certain times. You can also set whether the app is allowed to use Wi-Fi or mobile data or neither.
I believe this works as a VPN, right?
 
Week+ for a blocklist update in 2026 might as well be 3 years.
Yep! They don't have the financing to update the filters more often. I asked them why they don't just reduce the number of blocklists to only the popular ones that people use the most, like HaGeZi, OISD, 1Hosts; never got a reply, unfortunately.
I believe this works as a VPN, right?
Yes. All three modes need to create a local VPN in order to work correctly.
 
It is probably outdated (or not), but it is worthwhile to go through nonetheless.

 
It is probably outdated (or not), but it is worthwhile to go through nonetheless.

If you opt to use their DNS service regardless, I recommend you stick to less aggressive blocklists. If you use HaGeZi Pro++/Ultimate and find something that isn't working, it could take months before it gets fixed even though HaGeZi fixes everything in a matter of minutes/hours after a report. Some ads/tracking domains might not get blocked as well, so keep that in mind.

The Play Store version of the app differs from the website, GitHub and F-Droid versions because there used to be some issues with one of the newer versions, so the developer decided to rarely update the app and instead push only major version updates to the Play Store. This is the reason why the website, GitHub and F-Droid versions have new features, while the Play Store version doesn't. It will get them once they push the update.

The website and GitHub versions also differ from the F-Droid version, with the only difference being an optional bug reports program which the F-Droid version doesn't have.
 
I have a question about the universal rules of Rethink DNS. Are any of the universal rules good enough to have active all the time?
 
