Rethink dns questions

Onlyfun

Hi, few questions on rdns with mullvad wg proxy. What is the lockdown option in wireguard proxy in advanced mode? And what is the always on? And what happens if they are both on?

The only way i found to not leak dns is stick to simple mode proxy and toggle on 'never proxy dns'. I've read many times that rdns is designed to route dns through the wireguard proxy. So what is the 'never proxy dns' thing?

ignoramous

rdns dev here

Onlyfun What is the lockdown option in wireguard proxy in advanced mode

In Lockdown mode, Rethink will always use the WireGuard configuration for apps that are routed through it, regardless of whether WireGuard is turned on or turned off or connected or not. This means, among other things, if the Lockdown WireGuard configuration isn't connected or is turned OFF, all apps routed through it will lose connectivity.

If a non-Lockdown WireGuard is turned OFF, the apps setup to route through it will start using the underlying network (wifi or mobile) unless at least one Always-on WireGuard is setup, in which case, those apps should then be routed through Always-on. If there are multiple Always-on WireGuards, any healthy/active one is used among them at random.

Onlyfun And what is the always on?

An Always-on WireGuard configuration will route ALL apps NOT routed by any other active (turned OFF) or Lockdown WireGuard. Think of it like the base/underlying/catch-all WireGuard.

Onlyfun And what happens if they are both on?

For WireGuards in Advanced mode, you can NOT turn OFF an Always-on WireGuard, so turning both Lockdown and Always-on ON will have the same effect as just Always-on. There's some changes with respect to how WireGuard's Allowed IPs portion will behave in Rethink when both of these are turned ON, but I don't remember exactly what changes.

Onlyfun The only way i found to not leak dns is stick to simple mode proxy

Split-tunnel DNS is coming in v055o. It will be turned ON by default on Android 12+. On Android 11 and below, folks can turn it ON from Configure -> DNS -> Split-tunnel DNS, but on Android 11 and below, doing so requires folks to turn ON Configure -> DNS -> Advanced DNS filtering, too.

Onlyfun and toggle on 'never proxy dns'. I've read many times that rdns is designed to route dns through the wireguard proxy. So what is the 'never proxy dns' thing?

Turning ON Configure -> DNS -> Never proxy DNS will do exactly what it says? It will not proxy user-set DNS (DoH/DoT/ODoH/DNSCrypt/DNS53 except System DNS and mDNS) over any proxies that may have been setup (for instance, SOCKS5, Orbot, HTTP, Simple mode / Always-on WireGuards). Note that, this is different from using a proxy-provided DNS (like WireGuard configurations do). To route both an app's TCP+UDP traffic and an app's DNS queries, v055o will support Split-tunneling DNS as mentioned above, on Android 12+ by default (and on Android 11 and below, if Advanced DNS filtering is turned ON).

looped_around

ignoramous
Taking all of this in, I understand better my issue with switching WireGuard config entries to always-on so I can rotate my outgoing IP address every 8-24h.

What would be the best solution or order process or setup?
When I get it wrong, traffic goes through without a VPN.

Onlyfun

ignoramous thank you, the proxy modes are clear now.

ignoramous For WireGuards in Advanced mode, you can NOT turn OFF an Always-on WireGuard

But there clearly is a toggle for it.

Regarding 'never proxy dns' i guess this one is clear too, though it might be good to add some details to its title in settings.

You hot all my questions cleared thank you, I appreciate it and hope this will help others cause I was not able to find this specific info online.

ignoramous

Onlyfun there clearly is a toggle [to turn off Always-on].

My bad, you're right. We've started letting users turn OFF Always-on. So then, if a Lockdown WireGuard (in Advanced mode) is also Always-on, I guess, traffic from apps going through Always-on will fail, if it is turned OFF.

looped_around What would be the best solution or order process or setup?
When I get it wrong, traffic goes through without a VPN.

Sorry it isn't clear what you're asking. Can you reword it?

Onlyfun

ignoramous I have one more question, not sure if it should be addressed to rdns or gos. but I can only see it with rdns app.
So in the apps list i have some app called 'android' with default droid icon. I am not sure how long was it there for, my concern is that it only appears in rdns in owner profile, not in any of multiple user profiles. Also the app info page is not accessible from the 'i' when opened in the rdns apps list. And there is a bunch of connected domains and ips.

If there is any info available regarding please share, or let me know if there is a better place for such inquiry!

ignoramous

Onlyfun So in the apps list i have some app called 'android' with default droid icon. I am not sure how long was it there for, my concern is that it only appears in rdns in owner profile

A couple discussion on this here: https://discuss.grapheneos.org/d/20486-rethinkdns-hundreds-of-connections-from-android-to-unknown-ips/13 / https://discuss.grapheneos.org/d/13275-rethinkdns-the-app-android-was-installed-malware/2

let me know if there is a better place for such inquiry!

This forum, for as long as the mods will allow, is as good as any. Though, I tend to check our subreddit for questions more often than here.

Onlyfun

ignoramous got you, thanks!