rdns dev here
DNS: there's a built-in "Private DNS" (DNS-over-TLS) setting in the system settings [downside: unlike DNS-over-HTTPS this can easily be blocked in a public Wifi]
- Private DNS is neat, but Rethink also bundles in its own DNS cache which updates popular DNS queries in the background. I've been told this reduces ping time in games.
- There's no visibility into what Private DNS is doing (ie, there is no UI to view outgoing DNS queries and watch its incoming responses). A particularly important thing if you worry about data exfiltration or misappropriation of the DNS protocol.
- Rethink can capture (if the "Prevent DNS leaks" setting is turned ON) ALL traffic on port 53 to trap any app trying to connect to preset DNS servers (Signal does this, preset to 1.1.1.1).
- Rethink can detect and block ALL traffic to IPs that were not resolved by a user-preferred DNS resolver; for example in cases where a DNS-over-HTTPS resolver is embedded within apps (like Telegram).
filter lists: could just use a public DNS that filters ads and trackers, e.g. Adguard DNS or NextDNS
- The DNS Logs in Rethink show exactly which blocklists have blocked a particular domain.
- Rethink lets users "allow" any blocked domain through (an on-device allowlist, if you will).
firewall: GrapheneOS can deny the "Internet" permission to apps
Yep, denying this permission is way better on battery and effectiveness. But, it is an all-encompassing, "deny everything" setting.
- In Rethink, one could put an app in "Isolate" mode so that it only connects to domains / IPs the user has explicitly allowed.
- Or, block connections when the device is locked, or block just UDP connections, or block just newly installed apps, and so on...
- If Rethink is put in VPN Lockdown mode (ie, "Block connection without VPN" turned ON), Android guarantees that Rethink is free from ANY traffic leaks (ie, no traffic going out without going through Rethink's VPN tunnel).
VPN: can just use your provider's app if you don't need RethinkDNS
True, if VPN is one's primary need, and if one does not require any of the other functionalities Rethink brings to the table, then using it would only result in unnecessary power use, especially on an already pretty hardened OS like Graphene.
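As an added illustration of the two rules described in the post (trapping port-53 traffic that bypasses the preferred resolver, and blocking connections to IPs the preferred resolver never returned), here is a small constructed model in Python. It is not Rethink's code; the resolver address, app names and IPs are made up, and the TTL handling is an assumption about how such a table would expire entries.

```python
"""Model of "only allow IPs the trusted resolver returned" plus port-53 trapping.

Constructed illustration, not Rethink's implementation: DNS answers from the
user-preferred resolver fill an ip -> (domain, expiry) table; an outbound flow
to an IP without a live answer is treated as a resolver bypass (embedded DoH,
hard-coded IPs) and blocked; plain DNS to any other server is trapped.
"""
import time
from dataclasses import dataclass

TRUSTED_RESOLVER = "10.0.0.53"   # constructed: the user-preferred resolver's IP

@dataclass
class Decision:
    action: str    # "allow", "block" or "trap-dns"
    reason: str

class ResolverGate:
    def __init__(self, now=time.monotonic):
        self._now = now
        self._answers = {}  # ip -> (domain, expires_at)

    def record_answer(self, domain, ip, ttl):
        """Called for each A/AAAA record the trusted resolver returned."""
        self._answers[ip] = (domain, self._now() + ttl)

    def check(self, app, dst_ip, dst_port):
        # Plain DNS to anything but the trusted resolver is an app using its
        # own preset server (the Signal -> 1.1.1.1 case): trap it.
        if dst_port == 53 and dst_ip != TRUSTED_RESOLVER:
            return Decision("trap-dns", f"{app} sent plain DNS to {dst_ip}")
        if dst_ip == TRUSTED_RESOLVER:
            return Decision("allow", "trusted resolver")
        entry = self._answers.get(dst_ip)
        if entry is None or entry[1] < self._now():
            return Decision("block", f"{app} -> {dst_ip}: no live answer from trusted resolver")
        return Decision("allow", f"{dst_ip} resolved from {entry[0]}")

def demo():
    clock = [0.0]                       # fake clock so TTL expiry is deterministic
    gate = ResolverGate(now=lambda: clock[0])
    gate.record_answer("example.com", "198.51.100.20", ttl=60)   # constructed answer
    results = [
        gate.check("browser", "198.51.100.20", 443),   # resolved via trusted DNS
        gate.check("chat", "1.1.1.1", 53),             # preset DNS server: trapped
        gate.check("messenger", "203.0.113.7", 443),   # never resolved: bypass
    ]
    clock[0] = 120.0   # past the TTL: a stale answer no longer vouches for the IP
    results.append(gate.check("browser", "198.51.100.20", 443))
    return [r.action for r in results]
```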