Maybe because of app link verification? https://grapheneos.org/usage#app-link-verification
NotJamie At the moment, I "isolated" ANDROID in RethinkDNS.
Not sure this is a good idea. Could possibly cause unexpected issues.
RethinkDNS: Hundreds of connections from "Android" to unknown IPs
Maybe because of app link verification? https://grapheneos.org/usage#app-link-verification
Thanks for the idea. I just took away network permissions from it "Intent Filter Verification Service" but I still see requests in RethinkDNS.
Not sure this is a good idea. Could possibly cause unexpected issues.
I was thinking the same. But I would like what is causing this :)
What is bothering me it that requests are coming from "ANDROID" according to RethinkDNS. what is "ANDROID" here? GrapheneOS? Some kind of internal requests? It does not look like that, especially with so many different IPs.
OK, I thing I identified the problem. I disabled all apps with network and started one by one.
Syncthing-Fork is creating these connections according to my tests.
That is still really strange. I see Syncthing-Fork also as standalone app in RethinkDNS but as soon as I start it, these requests are being created.
I am deactivating Syncthing-Fork for the moment because this is really strange.
While not having investigated further, I believe RethinkDNS is buggy with how it displays the origin of established connections or DNS lookups. I see this mostly with my own domain, where supposed requests will go out to different subdomains, that are definitely in no way related to that app. I also wasn't able to pin down what "Android" means in case of RethinkDNS. It has a culmination of requests from different apps that are also made by the apps themselves. Which leads me to believe it's just a bug.
I did a (very) quick check for some of the IPs and it looks sketchy at best, some looks to be a residential IPs..
Are you sure this was Syncthing-fork doing this queries? Was syncthing doing calls to same domains under it's name?
n3t_admin While not having investigated further, I believe RethinkDNS is buggy with how it displays the origin of established connections or DNS lookups.
Let's see if @ignoramous is interested in this thread.
NotJamie RethinkDNS can't attribute everything to apps since there are APIs to make connections through the OS such as DownloadManager, although that's an app and would be attributed to it. The connections are definitely made by the OS for an app you have installed. Doesn't seem clear that you identified the correct app.
It is definitely Syncthing. I was able to reproduce this multiple times today. As soon as I start it, it contacts hundreds of IPs. And RethinkDNS identifies it as ANDROID instead of Syncthing. I suppose, these IPs are cached Syncthing peers but it is still sketchy.
8 days later
NotJamie A few seconds later I saw a lot of parallel connections in RethinkDNS from ANDROID to hundreds of IPs
ANDROID is a preset system user 0 (see this discussion on our github).
NotJamie How to find out what is causing this, what is the source?
At times, when getting owner UID for a socket, the Android APIs return ANDROID instead of the actual owner UID (in your case, you've empirically deduced that it was Syncthing). Rethink doesn't know any better and trusts what the Android API tells it.
NotJamie I don't have a good feeling about this.
This doesn't happen often, but I've predominantly seen it with apps that create a LOT of ephemeral (very short-lived) UDP sockets. Syncthing could be doing that for NAT traversal? I am not sure, you could clarify with the Syncthing developers.
n3t_admin I believe RethinkDNS is buggy with how it displays the origin of established connections or DNS lookups.
There may be bugs that we haven't fixed or don't know about, but for the most part Rethink is pretty accurate (given the Android APIs that Rethink uses are accurate) in accounting for network packets.
n3t_admin I see this mostly with my own domain, where supposed requests will go out to different subdomains, that are definitely in no way related to that app
The way domains <> IPs are mapped is what's problematic. A single group of IPs can be shared by multiple domains (common with Games and BigTech apps, like Google apps). It is also possible for a single domain to point to different group of IPs each time it is queried for. Rethink may end up mixing domains <> IPs mapping in a bid to be consistent with what the DNS layer in Android may have cached. That is, the "implementation details" (of the interaction between dnsproxyd in Android and Rethink's resolver) are what brings about the issues you're reporting.
For the next version, v055o (due in weeks from now... but I've been saying this since Sept 2024 ;), we'll see if there's a better way (without disabling caching in dnsproxyd) to keep dnsproxyd (and by extension, all Android apps that use it) happy and not incur this mixup.