Variety of questions regarding Rethink's functions

[DomainUser0]

Hello, I have a few questions regarding some functions and interactions Rethink may have. If some these have been referenced before I apologize. I have sifted through many discussions but have found it difficult to get a seamless answer. It may do well to have these all accumulated in one thread and answered by those qualified, that can base their answer on various factors.

DNS:

Does 'DNS booster' wipe cache when toggled off, then back on?

When 'Never proxy DNS' is enabled, do DNS requests get sent to the underlying DNS server? ie: Your ISP, if you have a wireguard connection active, with DNS being proxied through that?

Is 'Block when DNS is bypassed' redundant with 'Prevent DNS leaks' enabled? Would enabling this prevent DNS being bypassed by user apps?

Firewall:

Is 'Block when DNS is bypassed' necessary for consistently routing through DNS set through Rethink? ie: Syncthing will have thousands of requests blocked for bypassing DNS, per the relay function (via TCP on port 22067). Are these requests connecting directly to IP, with DNS not in use at all, if not, are these requests be sent with the underlying DNS of your ISP if the firewall rule isn't set?

Proxy:

ICMP traffic isn't routed, is this Rethink specific or do all android VPN services function this way? What traffic isn't routed that would be encompassed in a standalone wireguard app?

Network:

What services or apps are affected by 'Loopback proxy forwarder apps'?

Why is 'Loopback' dependent on 'Use all available networks'? will it be directed through Wi-Fi by default? Under what circumstances will it route via cellular? (as they are both now active)

If 'Choose fallback DNS' is not set, will the packet be dropped or will it route through a DNS set outside of Rethink? ie: ISP default

[ignoramous]

Does 'DNS booster' wipe cache when toggled off, then back on?

No, it doesn't. Tapping on the "refresh" icon at the top of the Configure -> DNS will (in addition to tearing down the connection pools). Don't recommend doing it often.

When 'Never proxy DNS' is enabled, do DNS requests get sent to the underlying DNS server?

No. DNS queries get sent to Network/OS provided DNS upstream when:

• System DNS is selected in Configure -> DNS.
• Fallback DNS is set to None in Configure -> Network.

Configure -> DNS -> Never proxy DNS if turned ON would not contact the DNS upstream over Orbot, SOCKS5, HTTP, Simple-mode WireGuard, Always-on Advanced-mode WireGuard proxies, if set.

Is 'Block when DNS is bypassed' redundant with 'Prevent DNS leaks' enabled?

You could say that. The behaviour is very different though. Prevent DNS leaks attempts to proxy and answer DNS queries that may otherwise "leak", whereas Block when DNS is bypassed will drop the TCP/UDP connections for which it couldn't associate a corresponding outgoing DNS query.

Is 'Block when DNS is bypassed' necessary for consistently routing through DNS set through Rethink?

Not really. It is block apps that may do their own DNS or connect to IPs straight up (like Syncthing). One can "Bypass Universal" or "Isolate" apps they trust to make them exempt from this (and other) "Universal firewall rules".

Are these requests connecting directly to IP, with DNS not in use at all

It seems like, yes.

ICMP traffic isn't routed, is this Rethink specific or do all android VPN services function this way?

Android limitation (or so we thought), but we've a workaround now to per-app split-tunnel ICMP too that will be part of the next release, v055o (due in a week or so).

What traffic isn't routed that would be encompassed in a standalone wireguard app?

The official WireGuard can route every L3 and L4 protocol (as it functions at L3). Rethink only routes TCP and UDP (it runs WireGuard as a proxy; see / mirror) today, which likely is close to almost all Internet-bound traffic. The rest of the traffic not routed by Rethink is dropped (not leaked).

Why is 'Loopback' dependent on 'Use all available networks'?

Hm. Loopback's implementation has changed in v055o significantly. We'll have to revisit if "Use all available networks" is still a valid prerequisite. Noted: #1758

will it be directed through Wi-Fi by default? Under what circumstances will it route via cellular?

• If Configure -> Network -> Use all available networks is turned OFF, Rethink selects the "active network" (as deemed so by Android), which is usually WiFi, when enabled.
• If not: Rethink first checks if any Unmetered network (usually WiFi) can route to a given destination (IPv4 / IPv6). If not, it checks if any other network (usually Mobile) can route it.

If 'Choose fallback DNS' is not set, will the packet be dropped or will it route through a DNS set outside of Rethink? ie: ISP default

System DNS is used if Configure -> Network -> Choose fallback DNS if set to None. A preset default is used (which is currently set to 8.8.4.4, which is an Android Open Source Project default too) if System DNS could not be determined (this does happen for example when both OS and the network return no DNS servers or in the interim when Rethink is "informed" of the DNS servers to use after some delay, that is, way after the tunnel is already up & running).

[DomainUser0]

Thanks so much for your thorough response

Two more questions:

What services or apps are affected by 'Loopback proxy forwarder apps'?

To ensure I'm understanding correctly, fallback dns when set to None will route DNS to 8.8.4.4, after System DNS is attempted, so the None option will essentially route outside the user preferred DNS servers. Will there be an option to completely drop DNS queries that fallback, so as to avoid DNS leaks?

[ignoramous]

What services or apps are affected by 'Loopback proxy forwarder apps'?

The kind that run servers (proxying apps like Orbot, EveryProxy or p2p apps like KDE Connect or LocalSend).

To ensure I'm understanding correctly

Fallback DNS really is Bootstrap DNS that's predominantly used by Rethink itself. No app that's routed within the tunnel uses it.

[DomainUser0]

Thanks for the clarification.