What is rethinkDNS?
rethinkdns is a fast, secure, private, transparent, configurable DNS resolver and a firewall. A DNS resolver is the address book of the internet: given a domain name, it locates the IP addresses of the servers behind it. For example, dns.google.com (a domain name) is located at 18.104.22.168 (IP address). This mapping is retrieved by a DNS resolver.
- Fast: With end-to-end median latency as low as 30ms, our resolver is quite fast, though not the fastest. The primary reason is that the resolver runs in 200+ locations worldwide in Cloudflare’s data centers, and user requests are routed to the closest available server.
- Secure: Security means a lot of different things to different people. Rethinkdns is secure in the sense that it only responds over TLS, the secure protocol that underpins the world-wide web. This means primarily two things: Internet Service Providers and governments can no longer track your browsing behaviour through DNS requests that were previously sent in plain text; and it helps overcome the DNS manipulation attacks that are widely employed to censor the Internet in many countries.
- Private: Each user gets their own endpoint which pretty much functions as if the resolver was setup and running solely for the user.
- Transparent: The resolver, optionally, can send per-user logs for analysis, and to generate analytics and reports; so a user can see what’s up.
- Configurable: Users can choose from preset blocklists to define firewall rules according to their preferences.
Rethinkdns companion app for Android doubles up as a firewall and includes rules such as, block apps by category, block when app is in the background, block an app when device is locked, or block an app forever.
What rethinkdns is not?
It isn’t a VPN, at least not yet. Though, it is effective in circumventing internet censorship in most if not all countries. Rethinkdns uses VPN APIs to only route the DNS traffic and not the actual internet traffic.
Rethinkdns isn’t a tracker. Rethinkdns logs DNS requests if a user opts-in. Rethinkdns doesn’t sell any user information or use it for anything else other than to provide analytics and reports to the user.
Is rethinkdns a recursive resolver?
Rethinkdns is a stub resolver, not a recursive resolver: rethinkdns forwards user requests to another recursive resolver, like Cloudflare’s 22.214.171.124 or Quad9’s 126.96.36.199, but does so in a way that doesn’t reveal who the actual user is. Think of it as a proxy resolver that sits in between a recursive resolver and you, the user.
Is rethinkdns a content-blocker?
Yes, rethinkdns functions similarly to a pi-hole: it "blocks content" by blackholing traffic intended for certain domains. Most operating systems, including Android and Windows, resolve DNS requests on behalf of the apps installed on the device (it isn’t strictly always true that apps use the OS- or network-provided DNS resolver, but it mostly is). If these DNS requests are blackholed, every app on the device is then unable to initiate a connection to that domain, since an IP address is required to establish such a connection in the first place, and the DNS resolver didn't supply one. For example, if one chooses to block all requests to facebook.com, rethinkdns would simply return 0.0.0.0 as the IP address for facebook.com, effectively blackholing the traffic from all apps installed on the device to facebook.com. Read more.
Where is rethinkdns?
Rethinkdns, the resolver, is running in 200+ locations world-wide. Rethinkdns, the app (if you’ve installed it), should be on your Android.
What is DNS over HTTPS?
DNS requests aren’t encrypted today. DNS over HTTPS is simply DNS traffic tunneled within HTTPS. This has the benefit of not only bypassing most firewalls but being fast and secure at the same time. Again, security isn’t really about just the traffic flow, but DNS over HTTPS is a good start towards a more secure internet infrastructure. Mozilla Firefox, Google Chrome, Microsoft Windows all support DNS over HTTPS out-of-the-box or will do so in the near future. Read more.
What is DNS over TLS?
DNS over TLS is quite simply DNS connections encrypted with the TLS protocol. This protocol is arguably better than DNS over HTTPS in the sense that it isn’t abusing another protocol to transport its own payload, and sticks to the original vision of seven OSI layers describing an ideal network stack. Read more.
When would you support DNS over TLS?
Eventually, yes. It is a top-priority item, but it requires its own merry time to implement, especially given that the current infrastructure is exclusively HTTPS-only, which gives us a bit of an advantage in powering not only a highly accessible backend but also a highly available one. We expect to see no availability issues with the current infrastructure whatsoever (given that software bugs don’t take the resolver down). We take availability very seriously and continuously look to mitigate as many availability threats as we encounter (the “known knowns”).
How do I block content using rethinkdns?
Choose from a predefined set of blocklists that power some of the most popular content-blockers on the web. These blocklists define rules to firewall traffic to a predetermined and vetted set of endpoints, usually those of spyware, malware, and ransomware web properties. If you’re on Android, install our app to use rethinkdns. On other platforms, use a DNS over HTTPS client and point it to the rethinkdns endpoint specific to you. Try it out, no sign up required.
How do I set it up for Firefox?
The steps are a bit involved, we ought to release a Firefox extension but until then:
- Go to Preferences. Scroll to Network Settings, and click on Settings.
- Check Enable DNS over HTTPS.
- Set Use Provider to Custom.
- Type in the rethinkdns endpoint specific to the signed-in / registered user.
- Make sure by visiting about:config that network.trr.mode is set to 3 (the default is 2, which results in Firefox leaking DNS queries to System resolver).
A blocklist I need isn’t available, what do I do?
We continue to add blocklists based on user-requests. Please write to us, and we would add yours too. Please note that due to inherent complexity in supporting regular expression (wildcard) based lists, we currently may not be able to add them, but don’t let that stop you. Let us know if it is a deal-breaker for you. We promise, we’d try everything to make it work.
I still see ads on instagram and youtube despite using rethinkdns?
Rethinkdns is a long way from being a bullet-proof content blocker. Unfortunately, there are many scenarios where content simply can’t be blocked by rethinkdns. Some companies take extensive measures to evade content-blocking, and DNS-based content blocking is perhaps the easiest kind to circumvent. Not many apps employ tactics to counter it, but some popular ones, like Instagram and YouTube, do.
How do I write my own blacklist and whitelist?
Adding support for custom blacklists and whitelists is a top-priority item and we are actively working on it.
Do you support time-based blocklists?
No, we don’t, yet, but we are working on it as we speak. Btw, DNSCrypt-Proxy does and we recommend checking the project out.
The app doesn’t work? The blocklists don’t work?
For support queries, please reach out to us with more information.
Do you require registration to use rethinkdns, the resolver?
To use rethinkdns (the resolver) without registration, go here. rethinkdns would require registration to provision per user endpoints for non-free services such as DNS logs storage, analytics, and threat analysis; and bill the user for consumption of those.
Is this a free service?
On-device firewall is free. The in-the-cloud rethinkdns content-blocking resolver has both free (public beta) and paid tiers (private beta). Currently, pricing isn’t implemented and so the private beta is essentially also free till then.
Does the rethinkdns resolver support EDNS client subnet?
What about DNS Name Uncloaking?
Yes, rethinkdns follows CNAME redirects and matches them against the domains in the blocklist to counteract DNS CNAME cloaking.
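As an added example (this is not rethinkdns’ own resolver code, which the page does not show), the Python stub-resolver logic below demonstrates both the blackholing described in the content-blocker answer and the CNAME uncloaking described here: a query whose name (or parent domain) is on the blocklist is answered directly with A 0.0.0.0, and any other query is forwarded, after which the CNAME chain in the upstream answer section is walked and the upstream response is replaced by the same sinkhole answer if any name in the chain is blocked. The blocklist entries, the domain names and the stand-in upstream resolver are all constructed for the example; a real deployment would forward the query to a recursive resolver over DNS over HTTPS instead of calling a local function.

```python
import struct

# Constructed sample blocklist for the example; not one of rethinkdns' lists.
BLOCKLIST = {"tracker.example", "cdn-tracker.example"}

def encode_name(name):
    """Encode a dotted name into DNS label format (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(msg, off, max_hops=16):
    """Decode a name at `off`, following compression pointers; returns (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 11xxxxxx: compression pointer
            hops += 1
            if hops > max_hops:              # guard against pointer loops in hostile messages
                raise ValueError("too many compression pointers")
            if end is None:
                end = off + 2                # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)

def build_query(name, qid=0x1234, qtype=1):
    """Minimal DNS query: header with RD set, one IN question."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_message(msg):
    """Parse header, question and answer sections; returns (id, questions, answers)."""
    qid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 5:                       # CNAME: rdata is a (possibly compressed) name
            rdata, _ = decode_name(msg, off)
        elif rtype == 1:                     # A: four octets
            rdata = ".".join(str(b) for b in rdata)
        off += rdlen
        answers.append((name, rtype, rdata))
    return qid, questions, answers

def build_response(query, records):
    """Answer `query` with (name, type, rdata) records; used only by the stand-in upstream."""
    qid, questions, _ = parse_message(query)
    qname, qtype = questions[0]
    out = struct.pack("!HHHHHH", qid, 0x8180, 1, len(records), 0, 0)   # QR, RD, RA set
    out += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rname, rtype, rdata in records:
        rd = encode_name(rdata) if rtype == 5 else bytes(int(x) for x in rdata.split("."))
        out += encode_name(rname) + struct.pack("!HHIH", rtype, 1, 60, len(rd)) + rd
    return out

def sinkhole_response(query):
    """Answer the query's own name with A 0.0.0.0: the blackholing the FAQ describes."""
    qid, questions, _ = parse_message(query)
    qname, qtype = questions[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(4)
    return header + question + answer

def is_blocked(name):
    """True if the name or any parent domain is on the blocklist."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))

def cname_chain(answers, qname):
    """Names reached from qname by following CNAME records; stops on a loop."""
    chain, cur, seen = [qname], qname, set()
    while True:
        seen.add(cur)
        target = next((r for n, t, r in answers if n == cur and t == 5), None)
        if target is None or target in seen:
            break
        chain.append(target)
        cur = target
    return chain

def resolve(query, forward):
    """Stub-resolver decision: sinkhole a blocked name, else forward and uncloak CNAMEs."""
    _, questions, _ = parse_message(query)
    qname, _ = questions[0]
    if is_blocked(qname):
        return sinkhole_response(query), "blocked"
    upstream = forward(query)
    _, _, answers = parse_message(upstream)
    for hop in cname_chain(answers, qname):
        if is_blocked(hop):
            return sinkhole_response(query), "blocked-cname:" + hop
    return upstream, "allowed"

def fake_upstream(query):
    """Constructed stand-in for a recursive resolver (a real one is reached over DoH)."""
    _, questions, _ = parse_message(query)
    qname, _ = questions[0]
    table = {
        "www.shop.example": [("www.shop.example", 1, "203.0.113.10")],
        # A first-party hostname cloaking a tracker behind a CNAME.
        "metrics.shop.example": [("metrics.shop.example", 5, "x.cdn-tracker.example"),
                                 ("x.cdn-tracker.example", 1, "203.0.113.5")],
    }
    return build_response(query, table.get(qname, []))
```

Calling `resolve(build_query("metrics.shop.example"), fake_upstream)` returns a sinkhole answer with the verdict `blocked-cname:x.cdn-tracker.example`, even though the queried name itself is not on the blocklist; `www.shop.example` passes through with the upstream answer untouched. The pointer-hop limit in `decode_name` matters for a resolver that parses answers from an upstream it does not control.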
Should the DNS requests be sent over HTTP POST or GET?
Currently, we support both. HTTP GET requests are cached and might be a tad faster than POST.
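The two request forms, as an added example rather than rethinkdns’ own client or resolver code: a DoH GET carries the base64url-encoded wire-format query (padding stripped) in the `dns` query parameter, while a POST carries the raw message as the body with content type `application/dns-message`. The `cacheable` check shows why the GET form can be cached: only if the message ID is set to 0 does the same question produce a byte-identical message and thus the same URL. The endpoint URL is a placeholder; a real user would substitute their own rethinkdns endpoint.

```python
import base64
import struct

# Placeholder; a real client would use the per-user rethinkdns endpoint instead.
ENDPOINT = "https://resolver.example.invalid/dns-query"

def build_query(name, qid=0, qtype=1):
    """Minimal DNS query (RD set, one IN question). ID 0 keeps identical questions byte-identical."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get(endpoint, query):
    """GET form: base64url-encoded message, '=' padding removed, in the `dns` parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return {"method": "GET", "url": f"{endpoint}?dns={encoded}",
            "headers": {"accept": "application/dns-message"}, "body": None}

def doh_post(endpoint, query):
    """POST form: raw wire-format message as the request body."""
    return {"method": "POST", "url": endpoint,
            "headers": {"accept": "application/dns-message",
                        "content-type": "application/dns-message"}, "body": query}

def decode_get_param(url):
    """Server side: recover the wire-format query from the `dns` parameter, restoring padding."""
    encoded = url.split("dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))

def cacheable(request):
    """A GET is cache-friendly only when the same question always yields the same URL (ID 0)."""
    if request["method"] != "GET":
        return False
    qid = struct.unpack("!H", decode_get_param(request["url"])[:2])[0]
    return qid == 0
```

With ID 0, the query for `www.example.com` encodes to `AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB`, which is the value given in RFC 8484's own GET example; a client that randomizes the ID defeats that caching even though the question is the same.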
Does rethinkdns support the latest protocols: HTTP/3 and TLS v1.3?
Yes. Note that the rethinkdns companion Android app communicates over HTTP/2 and TLS v1.3 for now.
Where are user DNS logs stored?
DNS logs of users who sign up for paid services (which are in private beta), are stored encrypted with AWS servers in the United States. There’s no way to change the location where the logs are stored today. We plan to add the ability to choose the location of the logs storage in the near-future.
Why are the logs stored?
Logs aren’t stored by default and, as a matter of fact, are not stored at all for users in the free tier; however, if you, a paying user, opt in to have logs stored, you would be able to analyze them to answer questions such as:
- Which countries are your devices connecting to and when?
- What percentage of connections are to known trackers, malware, spyware, ransomware, and other such web properties?
- Which blocklists are the most effective?
- How many connections per app are made from your devices?
- and so on...
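An added example of the kind of analysis the list above describes, run over a handful of constructed log lines (the line format, app names, domains and blocklist names are all made up for the example and are not rethinkdns’ log schema):

```python
from collections import Counter

# Constructed sample log lines: timestamp, app, query name, country of the answer, blocklist hit ("-" = none).
SAMPLE_LOG = """\
2021-02-01T10:00:01Z,com.example.news,cdn.news.example,US,-
2021-02-01T10:00:02Z,com.example.news,ads.tracker.example,US,trackers
2021-02-01T10:00:05Z,com.example.game,telemetry.game.example,IE,trackers
2021-02-01T10:00:07Z,com.example.game,api.game.example,IE,-
2021-02-01T10:00:09Z,com.example.chat,drop.malware.example,RU,malware
2021-02-01T11:00:11Z,com.example.chat,msg.chat.example,DE,-
2021-02-01T11:00:14Z,com.example.news,pixel.tracker.example,US,trackers
"""

def parse_log(text):
    """Turn the CSV-style lines into dicts; skips blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, qname, country, blocklist = line.split(",")
        rows.append({"ts": ts, "app": app, "qname": qname, "country": country,
                     "blocklist": None if blocklist == "-" else blocklist})
    return rows

def connections_by_country_and_hour(rows):
    """Which countries are your devices connecting to, and when (per hour)?"""
    return Counter((r["country"], r["ts"][:13]) for r in rows)

def blocked_share(rows):
    """Percentage of requests that matched any blocklist (trackers, malware, ...)."""
    return round(100 * sum(1 for r in rows if r["blocklist"]) / len(rows), 1)

def blocklist_hits(rows):
    """Which blocklists are the most effective, by number of hits."""
    return Counter(r["blocklist"] for r in rows if r["blocklist"])

def connections_per_app(rows):
    """How many connections each app made."""
    return Counter(r["app"] for r in rows)

def report(text):
    rows = parse_log(text)
    return {
        "by_country_hour": connections_by_country_and_hour(rows),
        "blocked_percent": blocked_share(rows),
        "blocklists": blocklist_hits(rows).most_common(),
        "per_app": connections_per_app(rows).most_common(),
    }
```

On the sample, `report(SAMPLE_LOG)` shows 4 of 7 requests (57.1%) hitting a blocklist, with the `trackers` list responsible for three of them and `com.example.news` the busiest app.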
Is rethinkdns "No logs"?
Yes, by default, no logs are sent or stored. Only if you, a paying user, choose to enable logs are they even captured; otherwise, there’s zero information that’s stored on our servers with respect to the DNS requests sent to rethinkdns' resolver. In fact, our servers have no disks, or rather, the resolver is actually "serverless".
Can I delete my logs?
Yes, you can. This will be self-service eventually, but for now, drop us a note and we’d purge our systems of your logs.
How are the logs stored?
Logs are stored in Amazon S3 encrypted with AWS KMS-managed master-key and never transmitted in plain text between different systems.
How long are logs stored for?
Logs are stored, if enabled, for 3 months by default. This will be configurable in the future to allow for storage as long as 2 years or as short as 1 day.
Are there access restrictions in place for logged content?
Users cannot access each other's logs. As for engineers at rethinkdns, they do have access to all logs, but we would work to improve that and restrict access on a need-only basis. rethinkdns is a three-person bootstrapped team right now. We must note, though, that the logs, as stored, are pseudonymized: access to a separate user-information database is required to tie the logs to a particular user.
What information is stored about the end-users?
The information shared by the end user during signup (like email) and user configuration, user payment status, and other related metadata for metering payments are stored to provide services effectively. If the end-user opts to store their logs, then that’s stored for analysis too, at the end-user’s behest. To delete account and other related information, please write to us.
How do I delete information stored about me? How do I delete my configuration? How do I delete my account?
We’re in the process of building a self-service front-end to let users do so themselves, but in the interim, please write to us.
What service providers do you use to deliver this service?
What data is exposed to the service providers you use?
Cloudflare can essentially see the requests that reach our resolvers, including the contents of the request and your IP addresses. Though one may not trust Cloudflare, we believe their track record is admirable and that they truly believe in making the internet better for everyone, which is a mission we can relate to very much; besides, 10% of all HTTP traffic runs through Cloudflare.
Logs, if enabled, are sent to AWS encrypted in transit, pseudonymized, and subsequently stored in S3 encrypted with a rethinkdns-supplied master key managed by AWS KMS. Metering information, for invoicing and billing, is sent to Stripe; it doesn’t contain any DNS-related content, just the count of DNS requests sent by a user in a given time period.
Other customer-related information, like DNS configuration (blocklists and whitelists), email, payment status and related information, is stored in Amazon DynamoDB tables, encrypted at rest and in transit, and accessed exclusively via the AWS AppSync endpoint from the clients, which has pretty tight built-in access protections.
How is data handled? Who has access to it?
Data is encrypted-at-rest and encrypted-in-transit, that is, it is never transferred or stored unencrypted. We haven’t gone through third-party audits yet, but we should eventually, especially if we continue to add more users, we’d owe this much to them. The data is currently accessible to anyone with access to our backend accounts with Cloudflare and AWS which is a team of 3 engineers (the whole of rethinkdns). This setup isn’t ideal, and we’d eventually have to improve access-control mechanisms, which we would.
How would you mitigate a potential breach?
This is worth a blog post, but we acknowledge that this is a real and present danger. Access to our AWS and Cloudflare accounts remains the biggest single point of failure as far as a breach is concerned. Apart from following the usual practices of protecting the accounts with a strong password and two-factor authentication, and disabling the root account (AWS) in favour of scoped-down accounts, we haven’t really done much else. That said, we plan to continually audit the resources spun up in AWS (with the help of AWS-supplied tools like AWS Security Hub) and continue to scan provisioned AWS resources for any weak access protections. This is an ongoing process and hopefully we reach a point where we can afford a third-party audit that can help us get over the line.
In the event of a breach, however, we plan to inform users right away without any delay (GDPR requires us to report breaches within 24 hours anyway to any EU citizens that might be using the service) and promise to err on the side of transparency.
Has there been a third-party audit?
No, but we do plan to have one, if and when the budget permits. It isn’t a matter of time or priority, at this point. If you do have any tips or suggestions, please don’t hesitate to reach out to us.
What parts of your stack are open-source?
The front-end Android app is open-source under the Apache License, Version 2. The "serverless" DNS resolver is open-source under the Mozilla Public License, Version 2. Of course, you are welcome to contribute to the codebase or report issues at the project’s github page. The AWS backend and the website sources are closed, primarily because the code is very specific to the infrastructure we have built and it is likely in an incomprehensible and inconsumable state from all the constant influx in changes that it sees on a day-to-day basis. We do plan to blog about the engineering challenges we faced building a service like this that would lift the covers a bit on the secret sauce that isn’t really ground-breaking anyway, if we are being honest.
What else are you working on?
Apart from adding features to the existing product, we’re working on a VPN next (primarily as an anti-censorship tool), and plan to start working on a cloud-based browser. Things we've considered but aren't likely to pursue: an on-device no-root Android application sandbox, a custom Android distribution, starting an ISP, an MVNO...?
If you'd like to collaborate, partner with us, or generally have any ideas you want to share, feel free to write to us.
Are you backed by Venture Capital money?
Not yet (as of February, 2021). Would we take VC money is a better question. Maybe, but VCs aren’t exactly lining up to fund us.
Who are you?
We're Mohammed, Murtaza, and Santhosh, three friends with 20 years of software development experience between us at Amazon, IBM, and Scientific Games. We are based out of Coimbatore, a sleepy city on the foothills of the Western Ghats in South Western India.
Will you sell data, ever? What if you get acquired?
No, we won't; we will never be in the business of selling user data. That's not us. That's not what rethinkdns is. And in the hypothetical scenario that we do get acquired, the outcome really depends on other hypotheticals (for example, would we have a significant enough say to veto a sale). From our experience in talking to investors and their general outlook on the fate of consumer startups, let alone security-focused ones such as us, it is safe to say it'd be a cold day in hell if and when that happens (the acquisition or funding, that is). That said, in all seriousness, we believe in working with like-minded partners and so, hopefully, things won’t change that much post-acquisition by a company that puts users over profits (hypothetical again); and hopefully, we pick up investors that don't veer off-track and stand firm with us on protecting users' data.
In any case, users won't be sucker-punched. We promise to be transparent about such situations if and when they arise.
Why can't I use DNS and Firewall at the same time?
On devices with Android 9 (or lower versions), the support required to run both DNS and Firewall at the same time isn't available, and so only one of them can be running at any given point in time. On Android 10 (and higher), however, both should be able to run side-by-side. Of course you can on all Android 6+ versions.
What's DNS mode? What's Firewall mode?
DNS mode stops requests from being sent to known adware, malware, spyware, and ransomware servers across all apps, whilst Firewall mode prevents an app from making TCP and UDP connections to any server whatsoever. DNS mode, in addition, may circumvent internet censorship and prevent surveillance of your browsing behaviour (by analysing your DNS requests) by the Internet Service Provider (and every other malicious actor on the network).
Is it a "real" Firewall?
No, it is not a traditional firewall in the sense most firewalls are. Currently, as implemented, the Firewall only monitors and blocks TCP and UDP connections. This is all that's required to firewall most apps, since they rarely use other forms of TCP/IP transport. ICMP, the only other popular protocol not monitored by the app, will get support soon.
Where is the code?
Here. You're welcome to contribute to it, suggest features, or fork it.
Why does rethinkdns require VPN permission when it isn’t a VPN?
Rethinkdns uses VPN APIs on Android to selectively route only a device’s DNS requests to rethinkdns' servers and to build Firewall functionality. It isn't like other VPN apps that relay the entire device's internet bound traffic via their remote VPN servers.
Does the app itself track me?
No, it doesn’t. Rethinkdns doesn’t capture or send any user analytics (“phone home”) from the app.
Why does the app require Accessibility permission?
The app’s firewall feature lets users disable and enable internet traffic for an app depending on whether it is in the foreground (allow) or background (disallow). For example, consider games, not all games really need internet connectivity when they are in the background, but may need it when they’re in the foreground. To track which applications are in the foreground and background the app uses the Accessibility permission. Rethinkdns doesn’t send any information captured through Accessibility permissions back to its servers.