Unfortunately, I do need notifs for my emails :/

Annoying.

    rdns dev here

    GlytchMeister definitely interested in a guide... And even more interested in a "RethinkDNS for Dummies" sort of guide.

    I put an ad-hoc one on our subreddit: https://www.reddit.com/r/rethinkdns/comments/12ta9zo/configure_app_for_optimal_use/ / mirror: https://archive.is/Krcoh

    The gist is, allow only what you trust.

    1. From Configure -> Firewall -> Universal firewall rules, turn ON
      • Block when device is locked
      • Block newly installed apps by default
      • (if you're feeling particularly adventurous) Block when DNS is bypassed
    2. Go to Configure -> Apps, then tap on the wifi and mobile icons 🛜📶 to block all apps.
      • Search for apps you use (for me, its 7 apps of the over 400 installed), and either Bypass Universal them or Isolate them.
        • If you Isolate the app, you'll have to set up trust / allow rules for domains or IPs, over a period of time. Pretty time consuming, but once setup, it works flawlessly.
        • Bypass Universal an app named Google Play services, which is usually responsible for Push Notifications / Gaming / Backups / Payments and other such functionalities apps installed from the Play Store depend on, without which they usually don't work.
    3. From Configure -> DNS, choose or setup your favourite DNS provider. I prefer Oblivious DNS over HTTPS endpoints but there aren't many. You can also leave the default DNS settings as-is; or...
      • Turn ON Advanced DNS filtering (which is experimental and may cause connectivity issues), to make sure domain to IP address mapping isn't polluted. For example, when multiple domain names (youtube.com, mtalk.google.com, googleapis.com) may point to a same set of IP addresses (all owned by Google and hence may be used interchangeably), the Stats and per-app domain rules may behave in funny ways. With Advanced DNS filtering (which has other bugs) will possibly not.
      • Turn ON Prevent DNS leaks to trap apps sending DNS traffic themselves. This setting may break notifications for some apps.
      • Turn ON Never proxy DNS if you face connectivity issues with using your preferred DNS upstream with an egress proxy setup within Rethink (SOCKS5, Tor, or WireGuard).
    4. In Configure -> Network, you may
      • Set Choose IP version to Auto and turn ON Perform connectivity checks (if you're on networks that perform 4to6 translations).
        • Turn ON Use all available networks, if you'd want Rethink to use either wifi or mobile at the same time. Make sure you've got enough juice on mobile data, as it is usually prohibitively expensive in some countries.
        • Leave everything else in there turned OFF, unless you like living dangerously.
    5. Optionally setup WireGuard from Configure -> Proxy -> Setup WireGuard, either in Simple mode (single WireGuard, all apps routed through it, unless Bypass app from all proxies is set for that particular app) or Advanced mode (multiple WireGuards, split tunneled, manually choose apps to route through them).

    Rethink has grown to be a Frankenstein monster and I get a lot of emails on how difficult it is to use, but someday someone from the community will write one true guide to setup Rethink so I can point everyone to it.

        ignoramous THANK YOU for putting the time and energy into posting this message! I haven't yet had a chance to read and absorb all that you have given us here - it is tech heavy - but it is clearly an important read even for us who rely upon our VPNs to provide DNS service which filters badware and adware! Thanks Again!

          • [deleted]

          • Post #56
          • Edited

          Hi! ignoramous Could you please explain the reasoning behind locking local DNS filtering in Advanced proxy mode? My friend recently pointed out that Rethink's advanced proxy mode forces to use an external, non-proxy DNS, which defeats the whole purpose of VPN.

              I'm confused, are you saying that if we use the proton mail with our graphenos phone google can track us?

              ignoramous

              OK... So...

              Uh.

              What stuff can I use alongside the Mullvad App? I don't want to use wireguard and non-mullvad DNS because Mullvad has lockdown and always-on, and using non-mullvad DNS makes my fingerprint more unique.

              I really just want to use RDNS to block apps like discord and proton mail from connecting to anything except what they strictly need to connect to in order to function.

              Aka, I only want the local, on-device filtering, and I don't know enough about anything to know what is local and what will mess up the Mullvad App.

                  GlytchMeister don't want to use wireguard and non-mullvad DNS because Mullvad has lockdown and always-on, and using non-mullvad DNS makes my fingerprint more unique.

                  Lockdown and always on can be done in the system VPN settings. And Mullvad DNS can be added to the wireguard config.

                    • [deleted]

                    • Post #60

                    bootloader

                    It appears that only the ProtonMail app uses Firebase.

                    Proton Mail - ProtonMail-4.0.14_9270.apk

                    Services - ProtonMail-4.0.14_9270.apk
                    androidx.appcompat.app.AppLocalesMetadataHolderService
                    ch.protonmail.android.mailnotifications.data.remote.fcm.PMFirebaseMessagingService
                    com.google.firebase.components.ComponentDiscoveryService
                    com.google.firebase.messaging.FirebaseMessagingService
                    androidx.work.impl.background.systemalarm.SystemAlarmService
                    androidx.work.impl.background.systemjob.SystemJobService
                    androidx.work.impl.foreground.SystemForegroundService
                    androidx.room.MultiInstanceInvalidationService
                    com.google.android.datatransport.runtime.backends.TransportBackendDiscovery
                    com.google.android.datatransport.runtime.scheduling.jobscheduling.JobInfoSchedulerService

                    Receivers- ProtonMail-4.0.14_9270.apk
                    ch.protonmail.android.mailnotifications.data.local.PushNotificationActionsBroadcastReceiver
                    ch.protonmail.android.mailsettings.presentation.settings.autolock.broadcastreceiver.TimeSetBroadcastReceiver
                    me.proton.core.notification.presentation.deeplink.DeeplinkBroadcastReceiver
                    com.google.firebase.iid.FirebaseInstanceIdReceiver
                    androidx.work.impl.utils.ForceStopRunnable$BroadcastReceiver
                    androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryChargingProxy
                    androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryNotLowProxy
                    androidx.work.impl.background.systemalarm.ConstraintProxy$StorageNotLowProxy
                    androidx.work.impl.background.systemalarm.ConstraintProxy$NetworkStateProxy
                    androidx.work.impl.background.systemalarm.RescheduleReceiver
                    androidx.work.impl.background.systemalarm.ConstraintProxyUpdateReceiver
                    androidx.work.impl.diagnostics.DiagnosticsReceiver
                    androidx.profileinstaller.ProfileInstallReceiver
                    com.google.android.datatransport.runtime.scheduling.jobscheduling.AlarmManagerSchedulerBroadcastReceiver

                    Providers - ProtonMail-4.0.14_9270.apk
                    androidx.startup.InitializationProvider
                    com.google.firebase.provider.FirebaseInitProvider
                    io.sentry.android.core.SentryPerformanceProvider
                    leakcanary.internal.PlumberInstaller
                    ####################################

                    ProtonCalendar-Android.apk

                    Services - ProtonCalendar-Android.apk
                    me.proton.android.calendar.CalendarWidgetRemoteViewsService
                    androidx.work.impl.background.systemalarm.SystemAlarmService
                    androidx.work.impl.background.systemjob.SystemJobService
                    androidx.work.impl.foreground.SystemForegroundService
                    androidx.room.MultiInstanceInvalidationService
                    com.google.android.gms.auth.api.signin.RevocationBoundService
                    com.google.android.datatransport.runtime.backends.TransportBackendDiscovery
                    com.google.android.datatransport.runtime.scheduling.jobscheduling.JobInfoSchedulerService

                    Receivers - ProtonCalendar-Android.apk
                    me.proton.android.calendar.ProtonCalendarBroadcastReceiver
                    me.proton.android.calendar.CalendarWidget
                    me.proton.core.notification.presentation.deeplink.DeeplinkBroadcastReceiver
                    androidx.work.impl.utils.ForceStopRunnable$BroadcastReceiver
                    androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryChargingProxy
                    androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryNotLowProxy
                    androidx.work.impl.background.systemalarm.ConstraintProxy$StorageNotLowProxy
                    androidx.work.impl.background.systemalarm.ConstraintProxy$NetworkStateProxy
                    androidx.work.impl.background.systemalarm.RescheduleReceiver
                    androidx.work.impl.background.systemalarm.ConstraintProxyUpdateReceiver
                    androidx.work.impl.diagnostics.DiagnosticsReceiver
                    androidx.profileinstaller.ProfileInstallReceiver
                    com.google.android.datatransport.runtime.scheduling.jobscheduling.AlarmManagerSchedulerBroadcastReceiver

                    Providers - ProtonCalendar-Android.apk
                    androidx.startup.InitializationProvider
                    io.sentry.android.core.SentryPerformanceProvider
                    ################################################

                    Proton Drive

                    Services - Proton Drive
                    androidx.work.impl.background.systemalarm.SystemAlarmService
                    androidx.work.impl.background.systemjob.SystemJobService
                    androidx.work.impl.foreground.SystemForegroundService
                    androidx.room.MultiInstanceInvalidationService
                    com.google.android.datatransport.runtime.backends.TransportBackendDiscovery
                    com.google.android.datatransport.runtime.scheduling.jobscheduling.JobInfoSchedulerService

                    Receivers - Proton Drive
                    me.proton.android.drive.receiver.NotificationBroadcastReceiver
                    me.proton.core.notification.presentation.deeplink.DeeplinkBroadcastReceiver
                    androidx.work.impl.utils.ForceStopRunnable$BroadcastReceiver
                    androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryChargingProxy
                    androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryNotLowProxy
                    androidx.work.impl.background.systemalarm.ConstraintProxy$StorageNotLowProxy
                    androidx.work.impl.background.systemalarm.ConstraintProxy$NetworkStateProxy
                    androidx.work.impl.background.systemalarm.RescheduleReceiver
                    androidx.work.impl.background.systemalarm.ConstraintProxyUpdateReceiver
                    androidx.work.impl.diagnostics.DiagnosticsReceiver
                    androidx.profileinstaller.ProfileInstallReceiver
                    com.google.android.datatransport.runtime.scheduling.jobscheduling.AlarmManagerSchedulerBroadcastReceiver

                    Providers - Proton Drive
                    androidx.startup.InitializationProvider
                    androidx.core.content.FileProvider
                    me.proton.core.drive.documentsprovider.data.DriveDocumentsProvider
                    me.proton.core.drive.documentsprovider.data.DriveFileProvider
                    io.sentry.android.core.SentryInitProvider
                    io.sentry.android.core.SentryPerformanceProvider
                    leakcanary.internal.PlumberInstaller
                    ####################################

                    Proton VPN - ProtonVPN-5.3.93.0.apk

                    Services - ProtonVPN-5.3.93.0.apk
                    com.protonvpn.android.vpn.wireguard.WireguardWrapperService
                    com.protonvpn.android.vpn.openvpn.OpenVPNWrapperService
                    com.wireguard.android.backend.GoBackend$VpnService
                    com.protonvpn.android.components.QuickTileService
                    com.protonvpn.android.ui.settings.AppInfoService
                    androidx.work.impl.background.systemalarm.SystemAlarmService
                    androidx.work.impl.background.systemjob.SystemJobService
                    androidx.work.impl.foreground.SystemForegroundService
                    androidx.room.MultiInstanceInvalidationService

                    Receivers - ProtonVPN-5.3.93.0.apk
                    com.protonvpn.android.OnUpdateReceiver
                    com.protonvpn.android.notifications.NotificationActionReceiver
                    com.protonvpn.android.quicktile.QuickTileActionReceiver
                    me.proton.core.notification.presentation.deeplink.DeeplinkBroadcastReceiver
                    androidx.work.impl.utils.ForceStopRunnable$BroadcastReceiver
                    androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryChargingProxy
                    androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryNotLowProxy
                    androidx.work.impl.background.systemalarm.ConstraintProxy$StorageNotLowProxy
                    androidx.work.impl.background.systemalarm.ConstraintProxy$NetworkStateProxy
                    androidx.work.impl.background.systemalarm.RescheduleReceiver
                    androidx.work.impl.background.systemalarm.ConstraintProxyUpdateReceiver
                    androidx.work.impl.diagnostics.DiagnosticsReceiver
                    androidx.profileinstaller.ProfileInstallReceiver

                    Providers - ProtonVPN-5.3.93.0.apk
                    androidx.core.content.FileProvider
                    androidx.startup.InitializationProvider
                    io.sentry.android.core.SentryPerformanceProvider
                    ################################################

                      • [deleted]

                      • Post #63

                      mmmm

                      The calendar app does not appear to use Firebase.

                          [deleted] Neither does Drive but both Calendar and Drive have google mentions in the lists kindly provided by CyberAU above. Are they somehow different than Firebase?

                              • [deleted]

                              • Post #65

                              MotherShipton

                              Firebase Cloud Messaging (FCM) - "Using FCM, you can notify a client app that new email or other data is available to sync." Reference: https://firebase.google.com/docs/cloud-messaging/

                              If Proton email notifications are only point-to-point encrypted, I suspect it would be possible for Google to read the content of the notifications. Thus my previous question:
                              Is Proton notification data end-to-end encrypted or only point-to-point encrypted?

                              • mmmm replied to this.

                                  newbie24689 For now, I am happy to uninstall the Mail and Drive apps and revert to using Vanadium (which I also have used when I need to access my bank). I never used Proton notifications and have no Google services installed so this is disappointing to find that Proton have this in their apps. If they are good to their word and remove this in the future, I shall reinstall them. I suppose that I am fortunate in that I find that convenience is a luxury rather then a necessity in my life.

                                    It is a bit disappointing that proton will not allow you to use another email app (for example k9 mail) with your proton mail address, they force you to use the proton mail app.

                                    [deleted] Is Proton notification data end-to-end encrypted or only point-to-point encrypted?

                                    Have you reached out to proton? Just ask them. I'm 90% certain I read somewhere they're e2ee but I'm afraid I can remember where.

                                    Edit- I found where I saw it. It was a reply to a random question on an Instagram post. If you so wish, browse the proton instagram page until you see the post regard apple and their fake privacy promises, its in the comments there. Or like I said ask them.

                                      [deleted] Could you please explain the reasoning behind locking local DNS filtering in Advanced proxy mode?

                                      Rethink's On-device blocklists should continue to work regardless of WireGuard running in Simple / Advanced modes.

                                      [deleted] My friend recently pointed out that Rethink's advanced proxy mode forces to use an external, non-proxy DNS, which defeats the whole purpose of VPN.

                                      In Advanced mode, Rethink does not split-tunnel DNS (because it isn't possible on Android to do so). And since multiple WireGuards are active, Rethink doesn't know which DNS upstream to choose and hence falls back to using user-preferred DNS as set in Configure -> DNS.

                                      If there are one or more Advanced WireGuard configurations that are set to be Always-on, Rethink would proxy user-preferred DNS over it (unless Never proxy DNS is turned ON in Configure -> DNS).