v0.5.5t (f-droid) Violation of DNS settings via port 53
I have noticed that the RethinkDNS app violates the settings I have made by using system DNS via port 53.
RethinkDNS does not allow any other app to do this, but the app sends requests via port 53!
My settings:
Observation:
Rethink needs a bootstrapping resolver for its own use. This is, by default, set to System DNS. You can change that from Configure -> Network -> Fallback DNS. Only a few well-known servers are allowed, and all endpoints listed therein use DNS-over-HTTPS (with the exception of None aka System).
Fallback DNS (in Configure -> Network -> Fallback DNS) was and is set to Rethink, but the app used the DNS server from the normal setting, Mullvad Ad-Block (protocol defined by setting: DoT, selected from Settings > DNS > Other DNS > DoT), yet port 53 was opened and DoH was used.
> but the app used the DNS Server in normal setting Mullvad Ad-Block (defined protocol by setting: DoT, selected form Settings> DNS other DNS > DoT) but open Port 53 and DoH was used
Sorry, I don't understand. You can convey your bug in your native language, if that's convenient.
In German (translated):
The DNS set in the app is: Mullvad Ad-Block over DoT. Fallback DNS in the app is Rethink. In Android, the local router is set as DNS via DHCP.
The connections in the log (above) are to Mullvad Ad-Block over DoH and DNS-53. That matches neither the settings for DNS nor those for Fallback DNS.
I want the app to use the DNS service and the protocol that I have set.
Gotcha.
Can you please tap on one of those "DNS 53" entries sandwiched between the "DoH" entries in Configure -> Logs -> DNS & share the screenshot?
(1 day later) not exactly the same
No DoH entries today.
Requests to ipv4only.arpa are expected to be sent to the underlying network's resolver (System). These are sent to determine the DNS64/NAT64 prefix.
- #2379
I was more worried about requests to other domains (like adblock.dns.mullvad.net in the screenshot shared in the first comment) being sent to "DNS 53" (perhaps, to System).
Sorry, my knowledge of IT is not enough to follow your last explanation.
ipv4only.arpa is an IPv6 thing. It is queried using System DNS to detect the presence of an IPv4-to-IPv6 conversion service.
So queries to ipv4only.arpa are not really leaking over DNS 53 (System DNS).
But, if there are queries for any other domain that are sent to System DNS (when it isn't set as Configure -> Network -> Fallback DNS) despite Configure -> DNS -> Use System DNS for undelegated domains being turned OFF, then that's possibly a "leak". And a screenshot of the bottom sheet of such a "leak" from Configure -> Logs -> DNS would help.
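To make the ipv4only.arpa explanation above concrete, here is an added example (not Rethink's code) of what a client does with the answer: per RFC 7050, ipv4only.arpa has exactly two fixed A records, 192.0.0.170 and 192.0.0.171, so any AAAA record returned for it must have been synthesised by a DNS64 on the local network, and the NAT64 prefix is whatever surrounds the embedded IPv4 address in the RFC 6052 layout. The AAAA answers used below are constructed inline; the function names are the example's own. The code goes a little beyond the thread by handling all six prefix lengths RFC 6052 permits, not only the common /96, and by ignoring answers that embed neither well-known address.

```python
"""NAT64 prefix discovery from ipv4only.arpa AAAA answers (RFC 7050 / RFC 6052).

Added example, not Rethink's code. The AAAA answers are constructed inline;
in practice they come from a query to the *underlying network's* resolver,
because a DNS64 lives on the local network and is invisible through an
encrypted upstream resolver such as Mullvad.
"""
import ipaddress
from typing import Iterable, Optional

# ipv4only.arpa has exactly two fixed A records (RFC 7050). A DNS64 embeds one
# of these well-known addresses (WKA) into its NAT64 prefix when it synthesises
# a AAAA record; an answer embedding neither is not evidence of DNS64.
WELL_KNOWN_IPV4 = {
    ipaddress.IPv4Address("192.0.0.170"),
    ipaddress.IPv4Address("192.0.0.171"),
}

# Prefix lengths permitted by RFC 6052, longest first.
PREFIX_LENGTHS = (96, 64, 56, 48, 40, 32)


def embedded_ipv4(addr: ipaddress.IPv6Address, plen: int) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address embedded in `addr` for an RFC 6052 prefix of `plen` bits,
    or None if the layout is invalid (octet 8, the 'u' bits 64-71, must be zero
    for every length except /96, where the prefix covers it)."""
    b = addr.packed
    if plen != 96 and b[8] != 0:
        return None
    layouts = {
        96: b[12:16],
        64: b[9:13],
        56: b[7:8] + b[9:12],
        48: b[6:8] + b[9:11],
        40: b[5:8] + b[9:10],
        32: b[4:8],
    }
    return ipaddress.IPv4Address(layouts[plen])


def discover_nat64_prefix(aaaa_answers: Iterable[str]) -> Optional[ipaddress.IPv6Network]:
    """Derive the NAT64 prefix from the AAAA records returned for ipv4only.arpa.

    Returns None when no answer embeds a well-known address: either there is no
    DNS64 on this network, or the answer is bogus and must not be trusted."""
    for text in aaaa_answers:
        addr = ipaddress.IPv6Address(text)
        for plen in PREFIX_LENGTHS:  # prefer the longest prefix that fits
            if embedded_ipv4(addr, plen) in WELL_KNOWN_IPV4:
                return ipaddress.IPv6Network((str(addr), plen), strict=False)
    return None


def synthesize(prefix: str, v4: str) -> ipaddress.IPv6Address:
    """Inverse of embedded_ipv4: the AAAA a DNS64 with `prefix` would return for `v4`.
    Useful to verify a discovered prefix round-trips, or to reach IPv4-only hosts
    through the NAT64 yourself."""
    net = ipaddress.IPv6Network(prefix)
    plen = net.prefixlen
    if plen not in PREFIX_LENGTHS:
        raise ValueError("RFC 6052 allows only /32, /40, /48, /56, /64 and /96")
    p = bytearray(net.network_address.packed)  # host bits already zero
    v = ipaddress.IPv4Address(v4).packed
    if plen == 96:
        p[12:16] = v
    elif plen == 64:
        p[9:13] = v
    elif plen == 56:
        p[7] = v[0]
        p[9:12] = v[1:4]
    elif plen == 48:
        p[6:8] = v[0:2]
        p[9:11] = v[2:4]
    elif plen == 40:
        p[5:8] = v[0:3]
        p[9] = v[3]
    else:  # /32
        p[4:8] = v
    p[8] = 0  # 'u' octet is always zero
    return ipaddress.IPv6Address(bytes(p))


if __name__ == "__main__":
    # Constructed answers: the well-known prefix, a /64 deployment, and a
    # bogus record that embeds no WKA and is therefore ignored.
    for answers in (["64:ff9b::c000:aa"], ["2001:db8:1:2:c0:0:ab00:0"], ["2001:db8::1"]):
        print(answers, "->", discover_nat64_prefix(answers))
```

The result is unauthenticated: whoever answers the plaintext port-53 query for ipv4only.arpa controls the prefix the client will route IPv4 traffic through, which is why it is worth confining that one query to the system resolver and treating every other domain seen on "DNS 53" as suspicious, as the comment above does.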
This time it is like the first report:
P.S. F-Droid domains are allowed by domain name (app isolated).
OK, the DNS 53 request is sent to "localhost" in the hope that something on the Android device will know to resolve the domain name. This is only done when the user-set Fallback DNS itself stops working. This is because, for key functionality within Rethink, the Fallback DNS must be working at all times...
I take it that this fallback behaviour for the Fallback DNS may not be desirable in all cases, and so I will remove it from the upcoming version v055v.