v0.5.5t (f-droid) Error in IP server name mapping after correct DNS resolution leads to firewall malfunction
My observation: The FOSS Warn app retrieves map data. This data is incorrectly blocked.
The log shows that the IP address query (name to IP) is correct.
When processed in the firewall, this IP is assigned a different server name (used by another app).
Due to a naming rule, the connection is then incorrectly blocked.
For DNS Settings, refer to: https://github.com/celzero/rethink-app/issues/2441
What Android version are you on?
Enable Configure -> DNS -> Split DNS (if it isn't enabled already) and see if things are better?
> When processed in the firewall, this IP is assigned a different server name (used by another app). Due to a naming rule
This domain name rule, is it set globally in Configure -> Firewall -> IP & Port rules -> Domain rules? If so, Rethink is being overcautious, since more than 1 domain name maps to the same IP, and one of those domains has been blocked globally.
The error only occurred sporadically. But for now, enabling Configure -> DNS -> Split DNS seems to have helped.
screenshot
Thank you!
> This domain name rule, is it set globally in Configure -> Firewall -> IP & Port rules -> Domain rules?
It is blocked for the browser app. (Not by name for FOSS Warn app. But FOSS Warn is isolated and the firefox domain is not permitted.) It is not blocked globally.
The server seems to be owned by Fastly. https://www.findip-address.com/146.75.117.91
And you are right: The IP is shared. https://www.netify.ai/resources/hostnames/firefox.settings.services.mozilla.com
> It is blocked for the browser app. (Not by name for FOSS Warn app. But FOSS Warn is isolated and the firefox domain is not permitted.) It is not blocked globally
OK, applying an app's domain block rule to another app which is Isolated but set up to allow the domain/IP ... sounds like a severe bug.
Can you tap on those blocked FOSS Warn entries (these have red-coloured left-hand side border) which show the technically wrong firefox.com domain name? A bottomsheet should come up with more information about the connection, including the footer with a message from the network engine and the top right-hand corner chip showing a label denoting the reason this connection was blocked.
Sorry, I tried to go back to the last stable v0.5.5n without success. After importing the settings stored from the newer app version, the app crashes at start. All logs are now deleted.
I am thinking about going back and entering all settings anew by hand, but for that I need more time than I have at the moment.
(1 day later again) still v0.5.5t:
For DNS settings reference: https://github.com/celzero/rethink-app/issues/2441 (same date)
As mentioned in the previous comment, due to IP sharing among various domains, Rethink is reluctant to allow this particular request (as the other domain is not in the allowlist for the Isolated app "FOSS Warn").
We'll revisit and think on it again whether Rethink should allow such requests (to shared IPs) if any ONE domain is in the allowlist of an Isolated app...
2 more screenshots that may help you:
Others (requested by ironfox) although allowed for ironfox only.
Gotcha. We have improved how the firewall maps domains to IPs (shared between different domains) for Android 12+. It will ship in v055v, the upcoming version.
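The shared-IP situation discussed in this thread, as a simplified model added here (not Rethink's code and not its actual algorithm): it compares a verdict based on every name seen for an IP, one based on any allowed name (the option raised above), and one based only on names the connecting app itself resolved. `MAP_DOMAIN`, the app labels and the policy names are assumptions; the IP and the Firefox domain are the ones quoted in the thread.

```python
from collections import defaultdict

SHARED_IP = "146.75.117.91"  # Fastly address named in the thread
BROWSER_DOMAIN = "firefox.settings.services.mozilla.com"  # named in the thread
MAP_DOMAIN = "maps.example.org"  # constructed placeholder for FOSS Warn's map host


class DnsTracker:
    """Remembers which names were resolved to which IP, globally and per app."""

    def __init__(self):
        self.by_ip = defaultdict(set)      # ip -> names seen from any app
        self.by_app_ip = defaultdict(set)  # (app, ip) -> names this app resolved

    def on_dns_answer(self, app, domain, ip):
        self.by_ip[ip].add(domain)
        self.by_app_ip[(app, ip)].add(domain)


def decide(tracker, allowlists, app, ip, policy):
    """Verdict for an Isolated app (default deny) connecting to ip."""
    allowed = allowlists.get(app, set())
    if policy == "per_app":
        names = tracker.by_app_ip.get((app, ip), set())
    else:
        names = tracker.by_ip.get(ip, set())
    if not names:
        return "block"  # no DNS answer explains this destination
    if policy == "global_any":
        ok = any(n in allowed for n in names)
    else:  # "global_all" and "per_app" require every candidate name to be allowed
        ok = all(n in allowed for n in names)
    return "allow" if ok else "block"


def demo():
    tracker = DnsTracker()
    tracker.on_dns_answer("browser", BROWSER_DOMAIN, SHARED_IP)
    tracker.on_dns_answer("FOSS Warn", MAP_DOMAIN, SHARED_IP)
    allowlists = {"FOSS Warn": {MAP_DOMAIN}}  # Isolated app, one trusted domain
    policies = ("global_all", "global_any", "per_app")
    return {p: decide(tracker, allowlists, "FOSS Warn", SHARED_IP, p) for p in policies}


if __name__ == "__main__":
    print(demo())
```

Under `global_all` the browser's lookup of the Firefox domain is enough to block FOSS Warn's connection to the same address, which is the symptom reported here; the other two policies allow it.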