v055u: Intermittent IP leaks with Private DNS & WireGuard?
This is a summary of all the errors (other than already mentioned issues) I encountered while using Rethink on the latest version, and a fix for these is much appreciated.
Description: Device/OS: OnePlus device running Oxygen OS 16 (first stable build, based on Android 16). Non-rooted. Using mobile data only (ISP forces IPv4+IPv6; forcing IPv4-only APN breaks internet entirely). No WiFi testing possible.
Setup Overview:
Using Rethink as always-on VPN with lockdown mode enabled in Rethink settings, and in Android Settings > VPN, "Block connections without VPN" + "Always-on" are enabled. Proxy: WireGuard configs from Proton VPN, tested in both cases: i) original .conf files [only supporting IPv4, Rethink set to IPv4 only]; ii) as per https://gist.github.com/mikaeldui/12127c91ccece42ea375c9f42d94aa8a, enabled IPv6 manually, but the default settings did not work for me, so used fd54:20a4:d33b:b10c:0:2:0:2 as per one of the comments + Rethink set to IPv4+IPv6 mode (IPv4+IPv6 dual-stack in this case; AllowedIPs in both cases = 0.0.0.0/0, ::/0, confirmed optimal). In WireGuard: tried changing DNS to NextDNS, and also tested with the default as well as per https://gist.github.com/mikaeldui/12127c91ccece42ea375c9f42d94aa8a. So all cases were tested, with the same issue.
Tested with both a single proxy ON or with multiple endpoints: mainly NL, NO, JP free servers, but IP leak tests (ipleak.net, dnsleaktest.com) always show system DNS (NextDNS) as provider, which is desired, even though when testing IPv4+IPv6, DNS was set to Proton in the WireGuard .conf files. Rethink's DNS: Forwarded to System DNS (NextDNS). Type: System DNS. Fallback DNS: Off (but set to System DNS despite being off; previously on, but Rethink fell back often, which it still does, but DNS tests still showed NextDNS (desired)). Advanced DNS Settings (all on, per update; IPv6 works with them enabled but rarely fails (still an issue)): Never Proxy DNS: On - previously off to avoid limiting to IPv4 [occasionally causes IPv6 proxy failures (e.g., connections drop to IPv4-only), so please investigate/fix]; also same result when Off. Prevent DNS Leaks: On (same as Never Proxy DNS); also same result when Off. Use Fallback DNS as Bypass: On (also same); same result when Off. All other settings in the DNS section (except blocklists): ON.
Firewall Settings (Universal): Block When Source App is Unknown: On; rest: Off. Block UDP Except DNS and NTP: temporarily enabled for testing, but leaks persisted, so disabled. Block When DNS is Bypassed: Off (enabling blocks all internet; always been the case, even when proxies were IPv4-only) - hoping for a fix here... Block Port 80 (Insecure HTTP Traffic): temporarily enabled for testing, but leaks persisted, so disabled.
Network Settings: Enable Network Visibility: Off. Stall on Network Loss: On. Do Not Route Private IPs (Experimental): Off. Use All Available Networks (Experimental): On. Always Metered: Off. Meter Mobile Networks: Off. Loopback (Experimental): On. Choose Fallback DNS: set to System DNS (but fallback off overall). Connection Change Policy: Auto. Proxy > Loopback Proxy for Forwarder Apps: Off. Do Not Randomize WireGuard Listen Port: On [turning ON breaks internet for me - hoping for a fix here]. TCP/IP: Shorter TCP Keep Alive: On. Endpoint-Independent Mapping: Off. Idle Timeout: 20m. Bandwidth Booster: Off. Choose IP Version: IPv4 & IPv6; tested with IPv4 only too on IPv4 proxies (same result).
Issue Details:
Original IPv6 (non-WireGuard) leaks in NextDNS logs once every 15-40 mins at random, despite no DNS leak (tests show NextDNS as provider). Leaks mostly on telemetry domains and Google domains (90% blocked by NextDNS blocklists): gstatic.com, improving.duckduckgo.com, favicons for NextDNS, Rethink's telemetry, youtubei.googleapis.com, other Google domains (even non-telemetry essentials such as YouTube or www.google.com); rarely on app calls (e.g., Instagram Google APIs, YouTube when not blocked). Persists across setups: previously IPv4-only WireGuard (Rethink set to IPv4 only; same leaks). Now dual-stack IPv4+IPv6 still leaks.
Partial Workaround: Use IPv6-only WireGuard for apps like YouTube (closes some leak surface; in this case YouTube domains now show only WireGuard's IPv6), but Instagram/etc. fail without IPv4 (app and other limitations). The only workaround is forcing IPv6 proxies wherever possible.
Proxy Inconsistencies: Endpoints sometimes fail or drop speed after heavy usage (despite Proton's no-limits claim). No IPv4 leaks, only IPv6. Happens on mobile data; can't disable IPv6 systemwide for the already mentioned reasons.
Steps to Reproduce:
Set up as above. Use apps like YouTube/Instagram for 15-40 mins. Check NextDNS logs (my.nextdns.io) for the original IPv6 on telemetry domains. Run IP/DNS leak tests: DNS shows NextDNS, but the IP leaks in logs sometimes, especially on IPv4-only proxies or when IPv6 isn't forced.
Expected: No original IP exposures with always-on/lockdown. Actual: Intermittent IPv6 leaks on specific domains/calls.
Additional details: 1) Many times, though using system DNS (NextDNS), it uses fallback (also set to system) despite it being turned off in settings. 2) Concerns over IP, since this has shown that Rethink's always-on + lockdown mode could still leak. While switching between proxies, please make sure this does not leak the IP.
Rethink's telemetry
Rethink doesn't have telemetry. What do you mean?
favicons
Yeah, Rethink will download favicons if you have turned ON Configure -> DNS -> Show website icon in DNS logs.
Note that, the connections that Rethink itself makes (which you can see in Configure -> Logs -> Rethink as you have Configure -> Network -> Loopback turned ON) aren't routed through WireGuard and/or user-set DNS from within Rethink (in this case, NextDNS). Rethink's DNS queries are sent to either Configure -> Network -> Fallback DNS or over DNS-over-HTTPS to Quad9 / Cloudflare endpoints (hard-coded in a few places in the app for anti-censorship reasons).
ipv4only.arpa
That's a DNS64/NAT64 query sent by Rethink.
- See: #2379
Do Not Randomize WireGuard Listen Port: On [Turning ON - Breaks internet for me - Hoping for a fix here]
Do you spot any WireGuard related errors when you turn ON Configure -> Network -> Do not randomize WireGuard Listen port, in the Configure -> Settings -> App logs UI? (You can use the search bar to look for "wg" or "wg"+wireguard-id (ex: wg1, wg3, etc.), which is shown in Configure -> Proxy -> Setup WireGuard next to the names of the WireGuard configurations.)
Proxy Inconsistencies: Endpoints sometimes fail or drop speed after heavy usage (despite Proton's no-limits claim).
Are you on a paid plan? If so, if you're using multiple Proton WireGuards (or are using Rethink's WireGuard multi-hop feature) at the same time, Proton's anti-abuse systems may not like it.
Block When DNS is Bypassed: Off (enabling blocks all internet; always been the case, even when proxies were IPv4-only) - Hoping for a fix here ...
It shouldn't, unless you're using Android's Private DNS, or using apps that may directly connect to IPs (like WhatsApp and Instagram) or apps that do their own DNS resolution (like Telegram). You can "Bypass Universal" these apps from Configure -> Apps -> (search for the app name) -> (tap on the entry) -> (look for "Bypass Universal" under the "Firewall rules for this app" heading).
You may also want to turn OFF all settings marked "experimental", too.
Tested with both single proxy ON or with Multiple endpoints : Mainly NL,NO,JP free servers but IP leak tests (ipleak.net, dnsleaktest.com) always show system DNS (NextDNS) as provider, which is desired even though when testing ipv4+ipv6 , Dns was set to Proton in wireguard .conf files
You'll have to turn ON Configure -> DNS -> Split DNS for Rethink to use WireGuard's DNS for apps selected to be routed through it.
Use Fallback DNS as Bypass: On (Also same) , Same result when Off
Turning this setting ON will ask Rethink to use Configure -> DNS -> Fallback DNS as the resolver for every allowlisted/whitelisted domain or for apps that have been set up to "Bypass DNS & Firewall".
Concerns over IP , Since this has shown that Rethink's always on + lockdown mode could still leak
Do you mean, Always-on and Lockdown mode in Configure -> Proxy -> Setup WireGuard -> Advanced or in Android's VPN settings?
If the latter, make sure to turn ON Lockdown for all Advanced mode WireGuards.
Rethink doesn't have telemetry. What do you mean?
I originally flagged ipv4only.arpa because NextDNS blocklists automatically blocked it and I mistook it for telemetry. Sorry about the confusion.
Yeah, Rethink will download favicons if you have turned ON Configure -> DNS -> Show website icon in DNS logs
I mentioned favicons for NextDNS since that also uses favicons. My point was that multiple telemetry domains and non-telemetry domains (even if not Rethink or NextDNS or something else), along with several Google domains, are leaking my original IPv6 connections despite every possible hardening on WireGuard [Lockdown mode, Always-on, both in Rethink and Android settings]. Check my current settings; I already mentioned them in the original issue.
Do Not Randomize WireGuard Listen Port: On [Turning ON - Breaks internet for me - Hoping for a fix here]
Fixed that by changing some experimental settings; no help needed here.
multi-hop feature , Proton's anti-abuse systems may not like it.
I never used multi-hop or multiple Proton configs at the same time. The tunnel very rarely goes into "Failing" state on its own and rarely drops connection speed; I think that's not a Rethink issue but a server load issue. Thanks for the clarification, no help needed here either.
It shouldn't, unless you're using Android's Private DNS
I was on Private DNS the entire time because putting NextDNS's DoT or DoH directly within Rethink never worked for me; it just gets stuck on "starting" every single time. That's why I can't turn on Block when DNS is bypassed...
You'll have to turn ON Configure -> DNS -> Split DNS
It was already ON (my original issue contains the current settings).
Fallback DNS
What I meant was that turning it ON or OFF didn't matter; IPv6 was leaking in both cases. I also mentioned the same for several other settings.
Do you mean, Always-on and Lockdown mode in Configure -> Proxy -> Setup WireGuard -> Advanced or in Android's VPN settings? make sure to turn ON Lockdown for all Advanced mode WireGuards.
It was ON the entire time (both for Rethink and for Android settings); IPv6 still continued to leak.
Thanks.
Search in Configure -> Logs -> DNS for the domains you see leaking your IPv6 in the NextDNS logs. When you find any entries there corresponding to the timestamp you see in NextDNS, tap on those entries and a bottom sheet should come up, which should have more information about the query, the answer, the DNS resolver used, and the app that sent the query (only shown on Android 12+). Check if:
- The app name that appears there has been "Bypass from all proxies" set up or is "Isolated" / "Bypass DNS and Firewall".
- The domain name shown there has been "allowlisted" / "trusted".
I was on Private DNS the entire time because putting nextdns's doT or doH directly within rethink never worked for me
It should. Either way, use of Private DNS explains why Rethink was blocking connections when "Block when DNS is bypassed" was turned ON... because all DNS queries were essentially being served outside of the VPN's DNS resolver.
The app that sent the query (only shown on Android 12+)
The app is not shown in NextDNS (tried both app and web) no matter what I do; confirmed with AI that this feature is not present. It's very hard, if not impossible, to see that in Rethink because of unknown connections and multiple apps sending requests at the same time [also, connections for unknown apps are blocked], BUT "I might have an answer: Instagram". It's at least one of those apps that are leaking, if not the only one; others could be YouTube, microG, ...
- The app name that appears there has been "Bypass from all proxies" setup or is "Isolated" / "Bypass DNS and Firewall".
It's not bypassed or isolated in any way and should route its traffic through the VPN tunnel only, but it's clearly leaking, because every time I spend 1-3 minutes on Instagram and then check NextDNS logs, the leaked IPv6 for (usually) the connectivity check for gstatic, or developers.google.com, or www.google.com is there.
- If the domain name shown there in has been "allowlisted" / "trusted".
No. Even though I have no Google blocklist enabled in NextDNS, I use YouTube and have whitelisted a select few Google domains in NextDNS (though no trusted domains in Rethink), but not all, and gstatic.com is not whitelisted (hence blocked by NextDNS, but it still shows the leaked IPv6 below the domain name even though its connection is blocked), while for some like www.google.com I have tested with both blocked and allowed. It matters not; the IPv6 still leaks with other Google domains (the majority) and a few non-Google domains.
DNS queries were essentially being served outside of the VPN's DNS resolver.
Either way, I don't want to use Proton's DNS because in DNS leak tests, many times the ISP for Proton (amongst multiple) is Google, which I hate for some reason.
The app is not shown in next dns (Tried both app and web) no matter what I do
Check in Configure -> Logs -> DNS in Rethink, because you posit that these queries are leaking from Rethink. If so, Rethink would have a record of those queries in its logs.
connectivity check for gstatic
The queries to gstatic for connectivity are expected to "leak" on Android (even in VPN Lockdown mode) as it is sent by the OS and not Rethink:
- https://github.com/celzero/rethink-app/issues/224#issuecomment-1289570948
Private DNS also does its own "connectivity" test:
- https://github.com/celzero/rethink-app/issues/25#issuecomment-707263036
developers.google.com or www.google.com
In Rethink's Configure -> Logs -> DNS, check which app has sent them (as requested above). Do not forget to correlate the timestamps (from NextDNS logs and in Rethink).
Thanks for the detailed responses. I've read through all the comments and tested further based on your suggestions.
Check in Configure -> Logs -> DNS in Rethink, because you posit that these queries are leaking from Rethink. If so, Rethink would have a record of those queries in its logs.
Performed a new test. Details:
- Blocked internet access for all apps (except Instagram), including DNS for Android [handling Private DNS]. Logs show that no requests other than Instagram's were passed to NextDNS [and NextDNS shows leaks, clearly meaning Rethink is leaking IPv6 requests for Instagram].
- Made sure no bypassed or isolated apps were allowed.
- Made sure domains that leaked were not whitelisted in NextDNS/Rethink.
- Used Instagram for 1-3 minutes. Checked NextDNS logs: leaks occurred on Google domains (e.g., in this case: play.googleapis.com, developers.google.com, www.google.com, connectivitycheck.gstatic.com) from the original IPv6 within that 1-3 minute timeframe in which Instagram was used, and no other leaks in the past 12+ hours.
- Since system DNS was blocked from internet access, it couldn't reach NextDNS, suggesting only and only Instagram triggered the leaked queries.
- Certain features such as GIFs in comments and some other things were unavailable during this 3-minute testing within Instagram because Private DNS's internet access was blocked by Rethink, suggesting it does not bypass Rethink but only Instagram does in this case, and there might be other apps similar to Instagram.
This aligns with my point about apps like Instagram potentially leaking, but why would it bypass the tunnel with lockdown on?
Any other settings to force-tunnel all queries?
The queries to gstatic for connectivity are expected to "leak" on Android (even in VPN Lockdown mode) as it is sent by the OS and not Rethink
Even though I have gstatic blocked in NextDNS, the other Google domains are not, so if they leak it's still a big privacy issue.
Private DNS also its own "connectivity" test:
Made sure during this testing that Private DNS's internet connectivity was blocked, and confirmed it in logs; 4 Google queries still leaked to NextDNS through Rethink.
developers.google.com or www.google.com
These, along with gstatic and play APIs, are the most common to leak. I repeated this Instagram test many times and queries were only leaking when I was using Instagram (2-5 per session).
In Rethink's Configure -> Logs -> DNS, check which app has sent them (as requested above). Do not forget to correlate the timestamps (from NextDNS logs and in Rethink).
It's now confirmed one of them is Instagram. Other apps like YouTube, microG etc. could potentially also be leaking separately, but they didn't leak in this specific test because their internet access was blocked.
Appreciate your help; Screenshots/Logs:
Thanks.
Checked NextDNS logs: Leaks occurred on Google domains (e.g , In this case : play.googleapis.com developers.google.com www.google.com connectivitycheck.gstatic.com) from original IPv6 within that 1-3 minutes timeframe in which Instagram was used and no other leaks in past 12+ hours .
You must use NextDNS from within Rethink (set it up in Configure -> DNS -> Other DNS); then check Configure -> Logs -> DNS to correlate "leaks" you see in NextDNS logs (based on matching timestamps and domain names).
If NextDNS is set up as Private DNS, then the DNS itself isn't flowing through Rethink, but directly to the Private DNS endpoint (as you can see, there's no entry for developers.google.com / play.googleapis.com / google.com in Rethink's Configure -> Logs -> DNS, meaning it didn't handle those DNS queries). This means the "leak" of your IPv6 isn't happening due to Rethink, as it isn't even serving those DNS requests.
Also, make sure no app is "Excluded" from Rethink (Rethink's homescreen itself shows this information in the "Apps" dashboard).
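The correlation described in this comment, as an added example that is not part of the Rethink project or of anyone's post here: it takes constructed, simplified resolver-side and client-side log records (not the real NextDNS or Rethink export formats) and, for each query that reached the resolver from the handset's own IPv6 prefix (a constructed documentation range), reports whether the client ever logged that query and, if so, which app sent it.

```python
"""Correlate a resolver-side query log with the VPN client's own DNS log.

Both log formats are constructed, simplified CSV records for illustration,
not the real export formats of NextDNS or Rethink.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed: the handset's own ISP-assigned prefix (documentation range).
# A query sourced from here reached the resolver outside the tunnel.
OWN_PREFIX = ip_network("2001:db8:aaaa::/48")

# Constructed resolver records: timestamp, queried name, client source IP.
RESOLVER_LOG = """\
2025-01-10T10:02:11Z,developers.google.com,2001:db8:aaaa::10
2025-01-10T10:02:12Z,www.google.com,2001:db8:aaaa::10
2025-01-10T10:02:40Z,i.instagram.com,2001:db8:ffff::1
2025-01-10T10:03:05Z,connectivitycheck.gstatic.com,2001:db8:aaaa::10
2025-01-10T10:03:30Z,play.googleapis.com,2001:db8:aaaa::10
"""

# Constructed client records: timestamp, queried name, app, resolver used.
CLIENT_LOG = """\
2025-01-10T10:02:39Z,i.instagram.com,Instagram,NextDNS
2025-01-10T10:03:29Z,play.googleapis.com,Instagram,NextDNS
"""


@dataclass
class Entry:
    ts: datetime
    domain: str
    fields: tuple  # remaining CSV columns; meaning depends on the log


def parse_log(text):
    """Parse 'ISO-timestamp,domain,...' lines into Entry objects."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, domain, *rest = line.split(",")
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        entries.append(Entry(when, domain.strip().lower(), tuple(rest)))
    return entries


def correlate(resolver_text, client_text, own_prefix=OWN_PREFIX,
              window=timedelta(seconds=3)):
    """Return (domain, verdict) for every resolver record.

    via-tunnel       source IP is not ours: the query exited via the VPN egress
    leak/app:<name>  our IP, and the client logged the same domain within the
                     time window: the client served it, so inspect that app's
                     bypass/isolation rules
    leak/not-seen    our IP, and the client has no record: DNS bypassed the
                     client entirely (Private DNS, OS check, app-side DNS)
    """
    client = parse_log(client_text)
    verdicts = []
    for q in parse_log(resolver_text):
        if ip_address(q.fields[0]) not in own_prefix:
            verdicts.append((q.domain, "via-tunnel"))
            continue
        match = next((c for c in client
                      if c.domain == q.domain and abs(c.ts - q.ts) <= window),
                     None)
        if match is None:
            verdicts.append((q.domain, "leak/not-seen"))
        else:
            verdicts.append((q.domain, f"leak/app:{match.fields[0]}"))
    return verdicts


if __name__ == "__main__":
    for domain, verdict in correlate(RESOLVER_LOG, CLIENT_LOG):
        print(f"{verdict:<22} {domain}")
```

A "leak/not-seen" verdict is the situation described above: the resolver saw the query from the original address, but the client never handled it, so the cause lies outside the client's DNS path.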
@ignoramous Thanks... I tested different scenarios, which I will now present:
- Under all the scenarios Private DNS was not used (OFF).
- Split DNS was OFF [because it would then send DNS requests to WireGuard's DNS, Proton's DNS, so we wouldn't be able to see logs in NextDNS]. Also tried with Split DNS ON but failed because internet connectivity was lost [normally, up until now, Split DNS was ON but internet connectivity was retained, and even with Split DNS ON up until this, under any DNS leak tests the DNS was always NextDNS and not Proton's DNS providers, likely because Android's Private DNS takes priority over others].
- Block when DNS is bypassed was ON, OFF [in firewall]; because Private DNS was not used I was able to turn this ON. I was sometimes not able to connect to the internet with this ON, though, so I also tested with this OFF.
- Rest of the settings were exactly the same.
- Checked that the NextDNS app on Android showed a green tick, meaning NextDNS was being used with a secure configuration.
- No bypassed or isolated apps, and internet for all apps (except Instagram) blocked.
Scenario 1 (IPv4-only proxy): Perfect, or so I thought. Update/Edit: I had forgotten that I had changed my ISP, so I thought my IPv4 was my old one, but upon carefully looking in NextDNS logs and IP leak tests, all tests showed my original IPv4. In IP leak tests, DNS leaks were also seen: sometimes it was NextDNS, sometimes Cloudflare (as in Proton's DNS provider), while in Rethink it was configured only to NextDNS. Also latency was almost double or more than normal [when Private DNS was being used previously], hence extremely slow.
Scenario 2 [Critical, IPv4+IPv6 proxy]: This was a failure. Not only was NextDNS within Rethink slow, but IT LEAKED ALL OF THE DNS QUERIES - LITERALLY ALL - not only Instagram but all other apps too. Every single IPv6 query was leaked, not only Google ones. I even tested this 2 times more, even after restarting the device; the result was the same, everything leaked. This is likely a serious privacy issue with IPv6 which was previously unknown to me. I hope a fix for this is made available as soon as possible. Help regarding this is much appreciated.
Update: Even if I block that domain within Rethink's domain rules, and even if I block it as a wildcard, it still reaches NextDNS even if the app is not bypassed or isolated. Some common domains that leak are [these have leaked at least once or more, suggesting Instagram is not the only leaker]: improving.duckduckgo.com, firebaseinstallations.googleapis.com, httpdns-push.heytapmobile.com, ipv4only.arpa, www.google.com, play.googleapis.com, connectivitycheck.gstatic.com, favicons.nextdns.io, oversea-nebula-in.heytapmobi.com, icons.duckduckgo.com, developers.google.com, youtubei.googleapis.com, www.youtube.com, i.ytimg.com, android.apis.google.com, play-fe.googleapis.com, play.google.com, www.googleapis.com
Logs/Screenshots:
(For ipv4+ipv6 without private DNS testing in which everything began to leak)
Thanks for the detailed reports. Appreciate it (:
This was a failure , Not only nextdns within rethink was slow but IT LEAKED ALL OF THE DNS QUERIES - LITERALLY ALL - Not only Instagram but all other apps too - Every single IPv6 query was leaked not only google ones .
That's because you're not using Configure -> DNS -> Split DNS (meaning, DNS queries aren't sent to WireGuard, which is what you want)...
AND
You've indicated in the previous replies that you have also turned ON Configure -> DNS -> Never proxy DNS. Turn it OFF and possibly all those "leaks" of your IP to your resolver (NextDNS) go away...?
As far as I've understood it, it's like this:
When using Private DNS, irrespective of Rethink settings or Android settings (even if Never proxy DNS is ON or OFF), leaks will persist on IPv6.
When not using Private DNS (fallback DNS also disabled but set to Cloudflare):
- WireGuard having NextDNS's IPv4, IPv6: Not desirable: IPv6 connectivity is lost.
  - IPv6 connections will break, leaving connectivity to only IPv4.
- WireGuard not having NextDNS's IPv4, IPv6 (having the original ones):
  • When Split DNS is OFF: Not desirable: connections the same but slower (almost unusable, along with connectivity breaks; proxy failures are common).
    - Never proxy DNS ON, Prevent DNS leaks ON: everything leaks.
    - Never proxy DNS OFF, Prevent DNS leaks ON, OR both OFF: it is the only one with NO LEAKS in all of Rethink where NextDNS is being used, but reasons not to use it: 1) Sometimes DNS resolution is slower than 15 Tor relays combined, if it's not failing already. 2) The proxy fails many times due to lost connectivity to DoT or DoH (set to NextDNS) within Rethink. 3) Even if connectivity is sometimes retained, DoT or DoH used within Rethink (set to custom NextDNS) is at the very least 680ms and at maximum around 10000ms, normally around 1000ms, compared to Android's Private DNS (same NextDNS endpoint) at 1-40ms (at max). I can even provide a screen recording showing how slow it becomes compared to normal if needed.
    - Never proxy DNS ON, Prevent DNS leaks OFF: everything leaks.
  • When Split DNS is ON, Prevent DNS leaks ON or OFF (same result with both), Never proxy DNS OFF: Not desirable: NextDNS is not being used as DNS provider.
  • When Split DNS is ON, Prevent DNS leaks ON or OFF (same result with both), Never proxy DNS ON: Not desirable: NextDNS is not being used as DNS provider.
I've tested every setup possible and hope some form of help is provided regarding this. I don't want any IP leaks, but I want DNS resolution speeds similar to Android's Private DNS compared to when used within Rethink, as previously mentioned above. What should I do to achieve this? Thanks.
Edit/Update (Important) :
@ignoramous
I've updated to this setup: IPv4-only proxy, Rethink in IPv4 mode, simple mode with on-device blocklists. Never proxy DNS off, Prevent DNS leaks on, fallback DNS as bypass off. DNS forwards ONLY to WireGuard (set to NextDNS). Block when DNS bypassed ON, unknown connections blocked. Rethink and NextDNS blocklists active; the blocklists of both work, and no IP leaks observed in NextDNS logs.
Concerns:
- Could previous leakers (e.g., Instagram) bypass WireGuard DNS now that Private DNS is off? [Leaks might not show in NextDNS if bypassed, because they'll be able to bypass WireGuard's DNS (set to NextDNS too), which then won't show leaks in logs, but the setup would be leaking.]
- Was the previous setup (with leaks blocked by NextDNS, mostly due to the no-Google blocklist) actually leak-proof? Because NextDNS was able to identify leaking domains and I could have blocked them one by one. Have I worsened privacy?
- In simple mode, WireGuard lockdown is not available, but "Stall when internet lost" is active. Am I prone to VPN leaks? Whenever connectivity is lost and regained, how would this setup respond? If I'm not prone, then what's the point of having lockdown mode in the advanced section?
- While switching between proxies, after turning off the previous one before starting the other proxy, are leaks possible? Safe with airplane mode on while switching?
Any assistance with these questions is much appreciated. Thanks.
I was on Private DNS the entire time because putting nextdns's doT or doH directly within rethink never worked for me
It's strongly advised against: simultaneous use of auto/on Android "Private DNS" in combination with VPN apps (be it rdns, Proton or any other). It's not an rdns recommendation, it's a generic thing also known in the GrapheneOS community.
Should P0 be removed here (so as not to scare others)?