Your app is awesome. Keep going. We are your users!
Attempty, beautifully written. The Internet would be a much awesomer place if a person could get such a precise reply to every question. Registered just to say thanks.
What would be the benefit of using two different providers for VPN and DNS? If it’s just about filtering ads & malware, you could just use the local filters in RethinkDNS?
There would be no benefit if you want to blend in with the crowd that’s using the same VPN server as you.
If you don’t care about that, then there’s no difference really, unless you don’t trust your VPN’s DNS and want to use a more trusted or robust one, like NextDNS or your own DNS resolver with your own blocklists.
By the way, DNS filtering is not only about blocking ads and malware; on your own resolver (and on NextDNS too, to a degree) you can assign your own domain names to different devices on your network, or translate one domain to another.
An example, if you're interested:
If you have a remote host with a web interface on some port, you can map the address of this host to a short domain like web-ui.pepe:12345/ instead of typing in its IP. (Of course, there are bookmarks for that, but this is also cool, right?)
Or you can name all your clients this way, and if they ever need to change their LAN IP, you only have to update the DNS records rather than go and change all the hardcoded addresses on all the other clients that need to communicate with this one. It works just like with real Internet IPs and domain names, but on your own network.
And about Rethink, it only works on Android, remember? Your exact question touches a broad spectrum of use cases: iOS, PC, home server, IoT, etc.
The benefits of using a custom DNS with a VPN are probably:
1) More control over filters, e.g. blocking specific sites, using a custom blocklist
2) Logging of DNS queries for later analysis
Sorry if I’ve missed this somewhere, but what would you recommend when using Rethink in combo with Mullvad VPN? Is it better to use Rethink’s default DNS or add Mullvad’s DNS?
If you need to “blend in with the crowd”, use the Mullvad DNS of the server that you have set up as your WireGuard proxy. I suppose the DNS IP should be in the config file.
Otherwise it doesn’t really matter. Rethink’s default has some malware blocking, but you can customize blocklists in the RDNS Plus option; don’t forget to checkmark it afterwards to enable it.
But if you’re gonna bother with blocklists, I’d recommend local blocklists, because you’d be able to manually whitelist some false-positively blocked domains that you want unblocked. I’m not sure if it’s possible to whitelist domains if you choose blocklists for RDNS Plus; I suppose in this case blocking happens remotely and uncontrollably to you.
I see. That makes sense. Thank you, attempty.
Hm actually I was thinking, if you use separate VPN + encrypted DNS providers, wouldn’t you be able to hide your IP from the website and DNS provider (as you’re behind the VPN) and hide the website you’re visiting from your VPN provider (as you use a separate and encrypted DNS → VPN provider only sees the IP you’re connecting to, which could be shared by many websites)? So nobody has all the information needed to know what you’re doing? Am I missing something?
Hmmm… Feels like there should be something wrong, but seems suspiciously and surprisingly correct. I can’t refute that on the spot. Never thought of this like that. Huh.
It is possible to do so with the app, yes. The app will respect user-set “allowlist” / “whitelist” even for RDNS+.
Two bodies have information now (: That’s what you’re missing.
This is also one reason why I consider using multiple DNS upstreams a bad idea.
Yes, but no usable/identifiable information, or?
Similar and usable information, yes.
Wouldn’t it be a poor man’s version of Oblivious DNS, where the proxy is the VPN?
Let’s say I set up RethinkDNS with DNS-over-HTTPS to Quad9 and Wireguard to ProtonVPN. Now, Quad9 can’t see where the request is coming from (the connection comes from the ProtonVPN IP), and Proton doesn’t know what kind of request I’m making (the DNS request is encrypted between me and Quad9).
I have a feeling it’s not so easy, but I can’t see where the flaw in this logic is.
You’re assuming DoH is tunneled over WireGuard. Then yes, what you say makes sense (but it isn’t quite equivalent to ODoH except that there’s a “hop” between the client and the resolver).
In Rethink, DNS isn’t yet tunneled via proxies (WireGuard included). This is, however, changing in the upcoming version v055b, due by end of this week or next.
Very cool, that is a great feature.
If I may ask (as you’re very knowledgeable on the topic) - do you know what happens if you use the built-in Android “Private DNS” (DoT) feature in combination with a VPN app? Or does that depend on the specific VPN app?
On Android 10+, the VPN app “sees” only encrypted DNS traffic when Private DNS is set (say, to dns.google). It doesn’t see plaintext DNS traffic like it normally would, except for when Android tries to resolve the Private DNS domain name (in our case, dns.google).
The VPN app can choose to either block resolution of the Private DNS domain (dns.google in our case) or block ALL traffic on port 853 to completely block Private DNS, if they so wish.
For code references, ref: Bypass Private DNS · Issue #25 · celzero/rethink-app · GitHub
Is it possible to do this with ProtonVPN, or at least Windscribe? If yes, how do I do this?
For Proton, go to protonvpn.com and sign in, then go to this page, scroll down to WireGuard Configuration, set a name, choose your OS and server, and press “Download” at the one you want. A window will appear; press “Download”, save the file and then import it as described above.
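Two points in this thread come down to the same question: the reply above about Mullvad says the provider's DNS IP "should be in the config file", and the Quad9-over-ProtonVPN exchange hinges on whether the resolver's traffic is actually routed into the WireGuard tunnel. The script below is an added example, not code from the thread nor from Rethink, Mullvad or Proton: it parses a WireGuard .conf, lists the DNS servers from `[Interface]`, and checks each one against the peers' `AllowedIPs`, which WireGuard also uses as its routing table. Both configs are constructed (placeholder keys, documentation-range addresses); the "provider-internal resolver" flag is a heuristic based on the address being private (RFC 1918 / ULA), not something the file states. One caveat from the thread itself: on Rethink the app, not the OS, decides what goes into the tunnel, and DNS was not yet tunneled via proxies at the time of writing, so a covered address is necessary but not sufficient there.

```python
"""Added example: report where a WireGuard config's DNS servers are routed.

Assumptions (not from the thread): configs below are constructed, keys are
placeholders, addresses are documentation ranges, and "provider_internal" is
a private-address heuristic rather than a fact the config states.
"""
import ipaddress

FULL_TUNNEL_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 10.64.0.2/32, fc00:bbbb::2/128
DNS = 10.64.0.1, 9.9.9.9

[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
"""

# Split tunnel: only the provider's own range is routed into the tunnel.
SPLIT_TUNNEL_CONF = FULL_TUNNEL_CONF.replace("0.0.0.0/0, ::/0", "10.64.0.0/10")


def parse_wg_conf(text):
    """Parse an INI-style WireGuard config into [(section_name, {key: [values]})].

    A list is used because a config may carry several [Peer] sections. Keys are
    lower-cased; comma-separated values (Address, DNS, AllowedIPs) are split.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1].strip().lower(), {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        values = [v.strip() for v in value.split(",") if v.strip()]
        current[1].setdefault(key.lower(), []).extend(values)
    return sections


def allowed_networks(sections):
    """All AllowedIPs across every [Peer]; entries that are not CIDRs are skipped."""
    nets = []
    for name, body in sections:
        if name != "peer":
            continue
        for entry in body.get("allowedips", []):
            try:
                nets.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                pass
    return nets


def routed_via_tunnel(conf_text, address):
    """True if `address` is covered by some peer's AllowedIPs.

    WireGuard routes by AllowedIPs, so an uncovered destination (e.g. a DoH or
    DoT resolver in a split-tunnel setup) leaves the device outside the VPN.
    """
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in allowed_networks(parse_wg_conf(conf_text)))


def dns_report(conf_text):
    """One entry per DNS server in [Interface]: whether it is routed into the
    tunnel, and whether it looks like the provider's own resolver."""
    sections = parse_wg_conf(conf_text)
    interface = next(body for name, body in sections if name == "interface")
    nets = allowed_networks(sections)
    report = []
    for entry in interface.get("dns", []):
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            continue  # a DNS search domain, not a server address
        report.append({
            "server": str(ip),
            "in_tunnel": any(ip in net for net in nets),
            "provider_internal": ip.is_private,  # heuristic, see module docstring
        })
    return report


def dns_leaks(conf_text):
    """DNS servers the tunnel does not cover, i.e. queried outside the VPN."""
    return [r["server"] for r in dns_report(conf_text) if not r["in_tunnel"]]


if __name__ == "__main__":
    for label, conf in (("full tunnel", FULL_TUNNEL_CONF), ("split tunnel", SPLIT_TUNNEL_CONF)):
        print(label, dns_report(conf), "leaks:", dns_leaks(conf))
```

With the full-tunnel config both 10.64.0.1 (the provider's resolver) and 9.9.9.9 are covered by `0.0.0.0/0`; with the split-tunnel variant only the provider's range is routed, so 9.9.9.9 shows up in `dns_leaks`, which is exactly the case where the resolver would see the real client IP rather than the VPN exit.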