rethink-app
Unexpected Google DNS Usage Despite Configuration for NextDNS
Rethink DNS version: v0.5.5h
Phone: Huawei P40
Custom DNS: NextDNS
When I try to set up my `Rethink DNS` to use my `NextDNS` link via the **Other DNS** option, I do as follows:
(screenshot)
Also, my DNS setting is set to off in my **Private DNS** settings:
(screenshot)
The Problem:
Now, with this setup I expect to use only my DNS from NextDNS, but in reality... I am using Google DNS for some reason:
(screenshot)
Also, my NextDNS application tells me that Google DNS is used instead of mine:
(screenshot)
Workaround:
The only workaround I could find in order to use my DNS is to set up Rethink DNS to use System DNS instead of Other DNS; then all the traffic goes to my NextDNS. But if I do that, I will not have the option to enter the DNS section of Rethink DNS next time, because of this error:
(screenshot)
Question:
This is 100% reproducible every single time. Did I make some mistake in terms of configuration, or is this an issue? Or is this how it was intended to be from the beginning?
I just set up DoT to dns.nextdns.io and https://which.nameserve.rs/ and https://browserleaks.com/dns both show NextDNS as the upstream. Can you check?
> 8.8.8.8

Unsure, but the default DNS resolver on Android is usually 8.8.8.8.
Have you enabled Configure -> DNS -> Prevent DNS leaks? That setting would trap such requests going out to 8.8.8.8 over port 53 (and port 53 only) and redirect them to the user-preferred upstream (in this case, NextDNS). These redirected DNS requests would show up with a white coloured left-hand side border (and if you tap on such an entry, the bottomsheet that comes up should show, in the top right-hand corner, a chip that says DNS Proxied).
> some mistakes in terms of configuration
Check what entries in Configure -> Logs -> swipe to DNS show? Tap on any of those entries to show a bottomsheet that contains details about the upstream used to resolve that particular query, and the final connection status (in its footer).
Regarding the first check, I have to add that after some time this problem has changed. I still have Google DNS 8.8.8.8 everywhere in my logs, but when I try to use those 2 links you provided, I get my home network's DNS displayed instead of either Google or NextDNS.
screenshots from nextdns.io, which.nameserve.rs, browserleaks.com/dns:
(screenshots)
Also, if I go to the NextDNS page, I get this error message:
All the settings are exactly the same as I've explained above; more than that, I've also tried to restart my app and also restart the DNS, but nothing changed.
Also, I already had Prevent DNS leaks checked from the beginning; with or without it (I've tried it both ways) I always get the same DNS calls to Google. The only exception to this is when I set the DNS at the system level instead.
> I still have Google DNS 8.8.8.8 everywhere in my logs ... Also, I already had Prevent DNS leaks checked from the beginning; with or without it (I've tried it both ways) I always get the same DNS calls to Google.
Entries of 8.8.8.8 in Network Logs don't mean Rethink is using Google DNS. Please follow this and let me know what you see:
> Configure -> DNS -> Prevent DNS leaks? That setting would trap such requests going out to 8.8.8.8 over port 53 (and port 53 only) and redirect them to the user-preferred upstream (in this case, NextDNS).
> These redirected DNS requests would show up with a white coloured left-hand side border (and if you tap on such an entry, the bottomsheet that comes up should show, in the top right-hand corner, a chip that says DNS Proxied).
> The only exception to this is when I set the DNS at the system level instead.
See if your browser app (Firefox?) is "Excluded" from Rethink's tunnel (from Configure -> Apps). If so, un-Exclude it. You can also try enabling Android's Always-on VPN and Block connections without VPN (ref) and then check what dnsleaktest.com or browserleaks.com/dns or which.nameserve.rs report.
I can confirm that the DNS leak issue occurs in version 0.5.5h (obtained from F-Droid). Despite attempting to toggle the website favicon setting on and off, the leak persists. I have identified it as a DNS leak by repeatedly accessing https://browserleaks.com/dns using various browsers, where version 0.5.5h consistently reveals the IP addresses of my system resolver. Upon uninstalling version 0.5.5h and reinstalling version 0.5.4c, the leak ceased; however, version 0.5.4c lacks the ability to set the fallback DNS to None.
@ignoramous
Firefox (which in my case is Fennec) is not excluded, and the VPN is already set to use Rethink VPN.
Also, the results of dnsleaktest.com, browserleaks.com/dns and which.nameserve.rs are the same as the ones I've already posted; nothing changed.
PS: Also, my Rethink app is from F-Droid.
Also, I've just updated my Rethink app to version v0.5.5i, but the issue persists.
> I can confirm that the DNS leak issue occurs in version 0.5.5h (obtained from F-Droid). I have identified it as a DNS leak by repeatedly accessing https://browserleaks.com/dns using various browsers, where version 0.5.5h consistently reveals the IP addresses of my system resolver.
Can you confirm if you setup Block connections without VPN and the leaks persisted?
Either the browsers are doing their own DNS (for example, Chrome has "Secure DNS", Firefox has "Trusted Recursive Resolver"), or something with Rethink's setup has gone whack.
Unfortunately, we are unable to reproduce these leaks, nor has anyone else reported it. If you're technical enough, go to Configure -> Settings -> Log level and set it to Verbose, then will you please capture logs when you're running leak tests on browserleaks.com/dns or dnsleaktest.com or which.nameserve.rs and email the adb logcat (ref) output to mz at celzero dot com (do mention this github issue)?
> Despite attempting to toggle the website favicon setting on and off, the leak persists.
These website-based "DNS leak" tests aren't fool-proof. Turning ON website favicon download in Rethink doesn't leak DNS, but instead confuses these services into thinking there is one.
> Upon uninstalling version 0.5.5h and reinstalling version 0.5.4c, the leak ceased; however, version 0.5.4c lacks the ability to set the fallback DNS to None.
In the latest versions, setting Fallback DNS to None is equivalent to setting it to System DNS.
> Can you confirm if you setup Block connections without VPN and the leaks persisted?
I only use this app as a dnscrypt client and I do not need the firewall or proxy feature, so I leave the other settings as default.
> Either the browsers are doing their own DNS (for example, Chrome has "Secure DNS", Firefox has "Trusted Recursive Resolver"), or something with Rethink's setup has gone whack.
The browsers I'm using do not support encrypting DNS and only use global DNS.
> Turning ON website favicon download in Rethink doesn't leak DNS, but instead confuses these services into thinking there is one.
You are right. I tested v0.5.5h again; changing most settings does not cause a DNS leak.
> In the latest versions, setting Fallback DNS to None is equivalent to setting it to System DNS.
This is the DNS leak I was talking about, but I misunderstood the fallback setting. I thought that setting fallback to "none" meant disabling all fallbacks, but in fact it was falling back to the system resolver, which is unencrypted and less secure. If a user enters the wrong DNS address or the DNS server suddenly fails to connect, because the fallback DNS is "none" and the app notification still shows "protected" and "connected to DNS", they may not realize that they are actually using system DNS.
Is there a way to disable all fallbacks even if the user-preferred DNS fails?
> because the fallback DNS is "none" and the app notification still shows "protected" and "connected to DNS", they may not realize that they are actually using system DNS.
Fallback DNS is used in 2 scenarios:
- If Fallback DNS replaces a permanently unconnectable user-preferred DNS, then Rethink's homescreen would show "using fallback dns".
- For domains that Rethink itself needs to resolve, it uses Fallback DNS.
> Is there a way to disable all fallbacks even if the user-preferred DNS fails?
No as Rethink would stop working. See point #2 above.
> Can you confirm if you setup Block connections without VPN and the leaks persisted?
> I only use this app as a dnscrypt client and I do not need the firewall or proxy feature, so I leave the other settings as default.
Now I am confused.
- Are you using DNSCrypt?
- Block connections without VPN has nothing to do with Rethink. It is in fact an Android setting to prevent connection leaks (ref)
> You are right. I tested v0.5.5h again; changing most settings does not cause a DNS leak.
Thanks for the confirmation. Closing this issue (feel free to reopen; and please share logs, if you can. It seems like there's a lot of confusion here).
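The fallback discussion above (Fallback DNS = None behaving as System DNS, the "using fallback dns" status appearing only once the preferred upstream is permanently unconnectable, and Rethink's own lookups always going through the fallback) is easy to misread, as the thread shows. The model below is an added illustration written for this page, not Rethink's code, and it makes the security consequence visible: with fallback set to None, queries can be answered by the unencrypted system resolver while the status still reads "connected to DNS". The `Resolver` class, `quietly_leaked`, the `PERMANENT_AFTER` threshold, the `reachable` connectivity map and the rule that any non-system fallback counts as encrypted are all assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set, Tuple

SYSTEM_DNS = "system-dns"   # the Android-provided resolver; treated as unencrypted here
PERMANENT_AFTER = 3         # assumed: consecutive failures before "permanently unconnectable"


@dataclass
class Resolver:
    preferred: str                      # e.g. a DoT/DoH upstream chosen under Other DNS
    fallback: Optional[str]             # None models "None" in the UI, i.e. System DNS
    reachable: Set[str] = field(default_factory=set)   # constructed connectivity map
    consecutive_failures: int = 0
    status: str = "connected to DNS"

    def fallback_target(self) -> str:
        # Per the thread: in current versions Fallback DNS = None equals System DNS.
        return self.fallback if self.fallback is not None else SYSTEM_DNS

    def resolve(self, name: str, internal: bool = False) -> Tuple[str, bool]:
        """Return (upstream used, encrypted?) for one query.

        internal=True models a lookup Rethink needs for itself (point #2 above,
        e.g. resolving the preferred upstream's own hostname); those always use
        the fallback, which is why the fallback cannot be switched off."""
        if internal:
            return self._via_fallback()
        if self.preferred in self.reachable:
            self.consecutive_failures = 0
            return self.preferred, True
        self.consecutive_failures += 1
        if self.consecutive_failures >= PERMANENT_AFTER:
            # Point #1 above: only a permanently unconnectable preferred DNS
            # changes what the homescreen shows.
            self.status = "using fallback dns"
        return self._via_fallback()

    def _via_fallback(self) -> Tuple[str, bool]:
        target = self.fallback_target()
        # Assumption of this model: any non-system fallback is an encrypted upstream.
        return target, target != SYSTEM_DNS


def quietly_leaked(resolver: Resolver, names: Iterable[str]) -> List[str]:
    """Names answered by System DNS while the status still read 'connected to DNS'.

    This is the window the user above is worried about: the preferred upstream is
    down, fallback is None, and nothing in the status has changed yet."""
    leaked = []
    for name in names:
        status_before = resolver.status
        upstream, _encrypted = resolver.resolve(name)
        if upstream == SYSTEM_DNS and status_before == "connected to DNS":
            leaked.append(name)
    return leaked


if __name__ == "__main__":
    down = Resolver("dns.nextdns.io:853", None, reachable=set())
    print(quietly_leaked(down, ["a.example", "b.example", "c.example", "d.example"]))
    print(down.status)
```

Run against a preferred upstream that never connects, the first queries go to `system-dns` unencrypted with the status unchanged; only after the assumed threshold does the status flip to "using fallback dns". Pointing `fallback` at a configured encrypted server instead of None closes that window, which is the practical takeaway from the maintainer's two points.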