
Avoid ipv4only.arpa DNS requests on network change

Open userero0 opened this issue 2 months ago • 3 comments

Problem:

After toggling off WiFi, with cellular enabled, two ipv4only.arpa DNS records are logged for the Rethink app.

One resolves ipv4only.arpa to 192.0.0.170 by rethink.zero.rethinkdns.com using DoH (IPv4).

The other is resolved by cellular DNS through port 53, as an IPv6 query. The record has a 64:ff9b:1 prefix with 192.0.0.170 embedded.

The issue is that cellular DNS should not be contacted for any reason, even for nonsensitive lookups.

Configuration:

DNS - DoH DNS
Set Split DNS - Enabled
Prevent DNS Leaks - Enabled

Firewall - Universal Firewall Rules
Block when source app unknown - Enabled
Block when DNS is bypassed - Enabled
Block newly installed apps by default - Enabled

Proxy - Advanced wireguard
Always-on
Lockdown mode

Network
Do not route Private IPs (experimental) - Enabled
Choose fallback DNS - Rethink
Choose IP Version - IPv4

userero0, Nov 07 '25 05:11

Thanks for the detailed report.

Will you pls confirm Configure -> DNS -> Use System DNS for undelegated domains is also turned OFF?

The other is resolved by cellular DNS through port 53, as an IPv6 query.

Oh wait, I think we query ipv4only.arpa for DNS64/NAT64 purposes. To avoid doing so is undesirable. From what I know, Android's built-in mechanism will query for DNS64/NAT64 even if Rethink doesn't.

The record has a 64:ff9b:1 prefix with 192.0.0.170 embedded

This means, you're on a DNS64/NAT64 enabled network (cellular networks in Europe & NA usually use this technique).

Choose IP Version - IPv4

Though, it seems like you don't really use IPv6 anyway... Hmmm

ignoramous, Nov 08 '25 01:11
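To make the DNS64/NAT64 detection described in the comment above concrete, here is an added Python example (not rethink-app code, and not from either participant) that recovers the NAT64 prefix from the AAAA answers a DNS64 resolver returns for ipv4only.arpa, following the RFC 7050 heuristic and the RFC 6052 address layout. The sample answers are constructed; the thread only gives the leading bits 64:ff9b:1, so the exact prefix length used for that case is an assumption.

```python
"""Added example, not code from the rethink-app project: recover the NAT64
prefix (Pref64::/n) from the AAAA answer a DNS64 resolver gives for
ipv4only.arpa (RFC 7050), using the RFC 6052 embedded-address layout.
All sample answers below are constructed."""
import ipaddress

# RFC 7050: ipv4only.arpa has exactly these two A records.
WELL_KNOWN_V4 = {ipaddress.IPv4Address("192.0.0.170"),
                 ipaddress.IPv4Address("192.0.0.171")}
# RFC 6052 prefix lengths. For lengths below 96 the embedded IPv4 address
# skips octet 8 (the "u" octet), which must be zero.
PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def embedded_ipv4(addr, plen: int) -> ipaddress.IPv4Address:
    """Read the IPv4 address that `addr` embeds for an RFC 6052 prefix of length plen."""
    b = ipaddress.IPv6Address(addr).packed
    if plen == 96:
        return ipaddress.IPv4Address(b[12:16])
    start = plen // 8                 # first IPv4 octet follows the prefix
    before = b[start:8]               # octets before the u octet (none for /64)
    after = b[9:9 + 4 - len(before)]  # remaining octets after the u octet
    return ipaddress.IPv4Address(before + after)


def detect_pref64(aaaa_answers):
    """Return the NAT64 prefixes consistent with every AAAA answer for
    ipv4only.arpa; an empty list means the answers show no DNS64 synthesis."""
    agreed = None
    for raw in aaaa_answers:
        addr = ipaddress.IPv6Address(raw)
        found = set()
        for plen in PREFIX_LENGTHS:
            if plen < 96 and addr.packed[8] != 0:
                continue  # u octet must be zero for /32 .. /64
            if embedded_ipv4(addr, plen) in WELL_KNOWN_V4:
                found.add(ipaddress.IPv6Network((addr, plen), strict=False))
        agreed = found if agreed is None else agreed & found
    return sorted(agreed or (), key=lambda n: (n.prefixlen, int(n.network_address)))


if __name__ == "__main__":
    # Constructed: the well-known NAT64 prefix 64:ff9b::/96 (RFC 6052).
    print(detect_pref64(["64:ff9b::c000:aa", "64:ff9b::c000:ab"]))
    # Constructed: a carrier using the local-use 64:ff9b:1::/48 block
    # (RFC 8215); the particular /96 chosen here is an assumption.
    print(detect_pref64(["64:ff9b:1::c000:aa", "64:ff9b:1::c000:ab"]))
    # Constructed: an AAAA answer embedding neither well-known address.
    print(detect_pref64(["2001:db8::1"]))
```

A resolver that does not perform DNS64 returns no AAAA record for ipv4only.arpa at all, so an empty result is the normal non-NAT64 outcome.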

Will you pls confirm Configure -> DNS -> Use System DNS for undelegated domains is also turned OFF?

It is turned off.

To be more specific about the issue, the DNS query is sent to my wireless carrier's DNS server, while using a wireguard connection & routing DNS through my specified server in the wireguard config. Not using the specified resolver is the issue, not the queries themselves.

userero0, Nov 08 '25 06:11

To be more specific about the issue, the DNS query is sent to my wireless carrier's DNS server

This isn't an "issue". It is expected behaviour: A standard way to figure out presence of DNS64/NAT64 on the underlying (mobile/wifi) network.

As mentioned above, Android sends these too (outside of the VPN tunnel).

ignoramous, Nov 08 '25 18:11