[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-7268":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":23,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":43,"readmeContent":44,"aiSummary":45,"trendingCount":16,"starSnapshotCount":16,"syncStatus":46,"lastSyncTime":47,"discoverSource":48},7268,"rethink-app","celzero\u002Frethink-app","celzero","DNS over HTTPS \u002F DNS over Tor \u002F DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.","https:\u002F\u002Frethinkfirewall.com\u002F",null,"Kotlin",4969,291,53,587,0,7,24,132,23,29.4,"Apache License 2.0",false,"main",true,[27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42],"android","android-app","android-application","android-firewall","anti-censorship","anti-surveillance","censorship-circumvention","censorship-resistance","dns","dns-over-https","dnscrypt","firewall","internet-freedom","open-source","privacy-enhancing-technologies","wireguard","2026-06-12 02:01:37","## Rethink DNS + Firewall + VPN for Android\nA [WireGuard](https:\u002F\u002Fgithub.com\u002Fwireguard\u002Fwireguard-go) client, an [OpenSnitch](https:\u002F\u002Fgithub.com\u002Fevilsocket\u002Fopensnitch)-inspired firewall and network monitor + a [pi-hole](https:\u002F\u002Fgithub.com\u002Fpi-hole\u002Fpi-hole)-inspired DNS over HTTPS, DNS over TLS, DNSCrypt client with blocklists.\n\n[\u003Cimg src=\"https:\u002F\u002Ffdroid.gitlab.io\u002Fartwork\u002Fbadge\u002Fget-it-on.png\"\n     alt=\"Get it on F-Droid\"\n     
height=\"70\">](https:\u002F\u002Ff-droid.org\u002Fpackages\u002Fcom.celzero.bravedns\u002F)\n[\u003Cimg src=\"https:\u002F\u002Fplay.google.com\u002Fintl\u002Fen_us\u002Fbadges\u002Fimages\u002Fgeneric\u002Fen-play-badge.png\"\n     alt=\"Get it on Google Play\"\n     height=\"70\">](https:\u002F\u002Fplay.google.com\u002Fstore\u002Fapps\u002Fdetails?id=com.celzero.bravedns)\n[\u003Cimg src=\"https:\u002F\u002Fraw.githubusercontent.com\u002FImranR98\u002FObtainium\u002Fb1c8ac6f2ab08497189721a788a5763e28ff64cd\u002Fassets\u002Fgraphics\u002Fbadge_obtainium.png\"\n     alt=\"Get it with Obtainium\"\n     height=\"70\">](https:\u002F\u002Fapps.obtainium.imranr.dev\u002Fredirect.html?r=obtainium:\u002F\u002Fadd\u002Fhttps:\u002F\u002Fgithub.com\u002Fcelzero\u002Frethink-app)\n\n\u003Csup>*Release certificate SHA-256 digest*: `1f32d432e81a1dc5c00aafeb0c6636cd7819965d174420e59db9675dff7a88e9`.\u003C\u002Fsup>\n\nIn other words, \u003Cem>Rethink DNS + Firewall + VPN\u003C\u002Fem> has three primary modes, VPN, DNS, and Firewall. The VPN (proxifier) mode supports multiple WireGuard upstreams in a split-tunnel configuration. The DNS mode routes all DNS traffic generated by apps to _any_ user-chosen DNS-over-HTTPS \u002F DNS-over-TLS \u002F DNSCrypt resolver, or to WireGuard-configured DNS in a split-tunnel configuration. 
The Firewall mode lets the user deny internet-access to entire applications based on events like screen-on \u002F screen-off, app-foreground \u002F app-background, unmetered-connection \u002F metered-connection; or based on play-store defined categories like Social, Games, Utility, Productivity; or additionally, based on user-defined domain & IP denylists.\n\n![2](https:\u002F\u002Fgithub.com\u002Fcelzero\u002Frethink-app\u002Fassets\u002F56958445\u002F618bb47c-586c-41b9-ba1c-f62c2bbc9649)\n![3](https:\u002F\u002Fgithub.com\u002Fcelzero\u002Frethink-app\u002Fassets\u002F56958445\u002Fc74f3485-7197-4e5b-860f-c2b11c556cee)\n![4](https:\u002F\u002Fgithub.com\u002Fcelzero\u002Frethink-app\u002Fassets\u002F56958445\u002Fa2032d44-f07c-45e9-801b-7abe0cac0ead)\n![5](https:\u002F\u002Fgithub.com\u002Fcelzero\u002Frethink-app\u002Fassets\u002F56958445\u002Fb9973e69-d45e-4be9-bd42-b80fb2768ec5)\n\n\u003Csup>*screenshots from [`v055e`](https:\u002F\u002Fgithub.com\u002Fcelzero\u002Frethink-app\u002Freleases\u002Ftag\u002Fv0.5.5e).*\u003C\u002Fsup>\n\n### VPN \u002F Proxifier\nRethink supports forwarding TCP & UDP over SOCKS5, HTTP CONNECT, and WireGuard tunnels. Split-tunneling further helps run multiple such tunnels at the same time and lets users route different apps over different tunnels. For example, one could route Firefox over SOCKS5 connecting to Tor, Netflix over WireGuard connecting through any popular VPN provider, and Telegram or WhatsApp over censorship-resistant HTTP CONNECT endpoints at the same time.\n\n### Firewall\nThe firewall doesn't really care about the connections per se rather what's making those connections. 
This is different from traditional firewalls but in-line with [Little Snitch](https:\u002F\u002Fwww.obdev.at\u002Fproducts\u002Flittlesnitch\u002Findex.html), [LuLu](https:\u002F\u002Fobjective-see.com\u002Fproducts\u002Flulu.html), [Glasswire](https:\u002F\u002Fglasswire.com\u002F) and others.\n\nCurrently, per-app connection mapping is implemented by capturing `udp` and `tcp` connections managed by [`firestack`](https:\u002F\u002Fgithub.com\u002Fcelzero\u002Ffirestack) (written in golang) and asking [ConnectivityService for the owner](https:\u002F\u002Fdeveloper.android.com\u002Fabout\u002Fversions\u002F10\u002Fprivacy\u002Fchanges#proc-net-filesystem), an API available only on Android 10 or higher. On Android 9 and lower versions, `procfs` (`\u002Fproc\u002Fnet\u002Ftcp` and `\u002Fproc\u002Fnet\u002Fudp`) is read on-demand to track per-app connections, as [NetGuard](https:\u002F\u002Fgithub.com\u002FM66B\u002FNetGuard\u002F) or OpenSnitch do.\n\n### Network Monitor\nA network monitor is a per-app report-card of sorts on when connections were made, how many were made, and to where. Tracking UDP \u002F TCP (and DNS on Android 12+) is straightforward. DNS requests are trickier to track on Android 11 and below, and so a rough heuristic is used for now, which may not hold in all cases.\n\n### DNS over HTTPS client\nAlmost all of the network-related code (`firestack`), including DNS over HTTPS split-tunnel, is a hard fork of [Jigsaw-Code\u002Foutline-go-tun2socks](https:\u002F\u002Fgithub.com\u002FJigsaw-Code\u002Foutline-go-tun2socks) written in golang. The UI is vastly different but borrows minimally from [Jigsaw-Code\u002FIntra](https:\u002F\u002Fgithub.com\u002FJigsaw-Code\u002FIntra\u002F). 
A split-tunnel traps requests sent to the VPN's DNS endpoint and relays it to a DNS-over-HTTPS \u002F DNS-over-TLS \u002F DNSCrypt \u002F Oblivious DNS-over-HTTPS endpoint of the user's choosing, logging the end-to-end latency, time of request, the DNS request query itself, and its answer.\n\n### The Rethink DNS Resolver\nA malware and ad-blocking DNS over HTTPS resolver at `https:\u002F\u002Fsky.rethinkdns.com\u002Frs` (deployed to 300+ locations world-wide via Cloudflare Workers) is the default DNS endpoint on the app, though the user is free to change that. A configurable DNS resolver that lets users add or remove denylists and allowlists, add rewrites, analyse DNS requests is launching late 2026. Right now, a free-to-use DNS over HTTPS endpoint with custom blocklists can be setup here: [rethinkdns.com\u002Fconfigure](https:\u002F\u002Frethinkdns.com\u002Fconfigure).\n\nThe resolver, sponsored by [FLOSS\u002Ffund](https:\u002F\u002Ffloss.fund\u002F), is deployed to [Fly.io](https:\u002F\u002Ffly.io\u002F) at `max.rethinkdns.com`, and [Deno Deploy](https:\u002F\u002Fdeno.com\u002Fdeploy) at `rdns.deno.dev` too, apart from the default deployment on [Cloudflare Workers](https:\u002F\u002Fworkers.dev). The resolver is open source software: [serverless-dns](https:\u002F\u002Fgithub.com\u002Fserverless-dns\u002Fserverless-dns).\n\n### The Rethink Proxy Network\nRPN is a multi-party relay, with connections hopping over serverless proxy (hosted on Cloudflare Workers) exiting through Windscribe. Users would be able to self-host the first hop or use the ones run by us. 
At launch in Dec 2025, this service would cost $3\u002Fmonth for unlimited bandwidth.\n\nThe proxy is open source software: [serverless-proxy](https:\u002F\u002Fgithub.com\u002Fserverless-proxy\u002Fserverless-proxy).\n\n### Community\n[\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fsponsors\u002Fserverless-dns\"\n     alt=\"GitHub Sponsors\">](https:\u002F\u002Fgithub.com\u002Fsponsors\u002Fserverless-dns)\n- The telegram community is super active and full of crypto-bros. Kidding. We are generally a welcoming bunch. Feel free to get in touch: [t.me\u002Frethinkdns](https:\u002F\u002Ft.me\u002Frethinkdns).\n- Or, if you prefer Matrix (which is bridged to Telegram): [`#rethinkdns:matrix.org`](https:\u002F\u002Fmatrix.to\u002F#\u002F#rethinkdns:matrix.org) (or: [`!jrTSpJiEkFNNBMhSaE:matrix.org`](https:\u002F\u002Fmatrix.to\u002F#\u002F!jrTSpJiEkFNNBMhSaE:matrix.org)).\n- Or, email us: [hello@celzero.com](mailto:hello@celzero.com) (we read all emails immediately and reply once we fix the issues being reported).\n- We regularly hangout in our subreddit: [r\u002Frethinkdns](https:\u002F\u002Freddit.com\u002Fr\u002Frethinkdns).\n- We're also kind of active on the bird and toot apps, mostly nerd-sniping other engs or shit-posting about our tech stack: [twitter\u002Frethinkdns](https:\u002F\u002Ftwitter.com\u002Frethinkdns), [mastodon\u002Frdns](https:\u002F\u002Fmastodon.social\u002F@rdns).\n\n### Translation\nHelp [translate Rethink DNS + Firewall + VPN](https:\u002F\u002Fhosted.weblate.org\u002Fengage\u002Frethink-dns-firewall) on [Weblate](https:\u002F\u002Fweblate.org\u002F):\u003Cbr>\u003Cbr>\n[![](https:\u002F\u002Fhosted.weblate.org\u002Fwidgets\u002Frethink-dns-firewall\u002F-\u002F287x66-black.png)](https:\u002F\u002Fhosted.weblate.org\u002Fengage\u002Frethink-dns-firewall)\n\n### What Rethink DNS + Firewall + VPN is not\nRethink is *not* an anonymity tool: It helps users tackle unabated censorship and surveillance but doesn't lay claim to 
protecting a user's identity at all times, if ever.\n\nRethink does *not* aim to be a feature-rich traditional firewall: It is more in-line with [Little Snitch](https:\u002F\u002Fwww.obdev.at\u002Fproducts\u002Flittlesnitch\u002Findex.html) than iptables, say.\n\nRethink is *not* an anti-virus: Rethink may protect users from phishing attacks, malware, and scareware websites through its DNS-based blocklists, but it doesn't otherwise actively mitigate threats, look for them, or act on them.\n\n### What Rethink DNS + Firewall + VPN aspires to be\nTo turn Android devices into user-agents: Something that users can control as they please without requiring root-access. A big part of this, for always-on, always-connected devices, is capturing network traffic and reporting it in a way that makes sense to the end-users, who can then take a series of actions to limit their exposure but not necessarily eliminate it. Take DNS for example-- for most if not all connections, apps send out a DNS request first, and by tracking just those one can glean a lot of intelligence about what's happening on their Androids and which app's responsible.\n\nTo deliver the promise of open-internet for all: With the inevitable ECH (encrypted client hello) standardization and the imminent adoption of DNS-over-HTTPS and DNS-over-TLS across operating systems and browsers, we're that much closer to an open internet. Of course, *Deep Packet Inspection* remains a credible threat that can't be mitigated with just encrypted DNS, but it is one example of delivering maximum impact (circumvent internet censorship in most countries) with minimal effort (not requiring use of a VPN or access via IPFS, for example). 
Rethink would continue to make these technologies accessible in the simplest way possible, especially the ones that get 90% of the way there with 10% effort.\n\n## Development\n[![Release](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fv\u002Frelease\u002Fcelzero\u002Frethink-app?include_prereleases)](https:\u002F\u002Fgithub.com\u002Fcelzero\u002Frethink-app\u002Freleases) &nbsp; [![CI](https:\u002F\u002Fgithub.com\u002Fcelzero\u002Frethink-app\u002Factions\u002Fworkflows\u002Fandroid.yml\u002Fbadge.svg?branch=main)](https:\u002F\u002Fgithub.com\u002Fcelzero\u002Frethink-app\u002Factions\u002Fworkflows\u002Fandroid.yml) &nbsp; [![License: Apache-2.0](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-Apache-blue.svg)](https:\u002F\u002Fwww.apache.org\u002Flicenses\u002FLICENSE-2.0) &nbsp; [![OpenSSF Scorecard](https:\u002F\u002Fapi.securityscorecards.dev\u002Fprojects\u002Fgithub.com\u002Fcelzero\u002Frethink-app\u002Fbadge)](https:\u002F\u002Fsecurityscorecards.dev\u002Fviewer\u002F?uri=github.com\u002Fcelzero\u002Frethink-app) &nbsp; [![Ask DeepWiki](https:\u002F\u002Fdeepwiki.com\u002Fbadge.svg)](https:\u002F\u002Fdeepwiki.com\u002Fcelzero\u002Frethink-app)\n\n1. Feel free to fork and send a pull request for any reproducible bug fixes.\n  1. The codebase is raw and is lacking documentation and comprehensive tests. If you need help, feel free to create a Wikipage to highlight the pain with building, testing, writing, committing code. [DeepWiki](https:\u002F\u002Fdeepwiki.com\u002Fcelzero\u002Frethink-app) and [Copilot](https:\u002F\u002Fgithub.com\u002Fcopilot?prompt=https:\u002F\u002Fgithub.com\u002Fcelzero\u002Frethink-app) may also help, but they do hallucinate.\n  2. Write descriptive commit messages that explain concisely the changes made. \n  3. Each commit must reference an open issue on the project to make sure there isn't duplicated effort and prior discussion to refer to.\n2. 
If you plan to work on a feature, please create a [GitHub issue on the project](https:\u002F\u002Fgithub.com\u002Fcelzero\u002Frethink-app\u002Fissues\u002Fnew) first to kickstart the discussion before committing to doing any work.\n3. Prod releases are usually once every few months, while [alpha is released monthly](https:\u002F\u002Fgithub.com\u002Fcelzero\u002Frethink-app\u002Factions\u002Fworkflows\u002Fnightly.yml).\n\n## Tenets (unless you know better ones)\nWe aren't there yet, and may never be, but these are some tenets for the project for the foreseeable future.\n\n- Make it right, make it secure, make it resilient, make it fast. In that order.\n- Easy to use, no-root, no-gimmicks features that are anti-censorship and anti-surveillance.\n  - Easy to use: Any of the 3B+ Android users must be able to use it. Think CleanMaster \u002F Instagram levels of ease-of-use. \n  - no-root: Shouldn't require root-access for any functionality added to it.\n  - no-gimmicks: Misleading material bordering on scareware, for example.\n- Anti-censorship: Features focused on helping bring an open internet to everyone, preferably in the most efficient way possible (both monetarily and technically).\n- Anti-surveillance: As above, but features that further limit (may not necessarily eliminate) surveillance by apps.\n- Incremental changes in balance with newer features.\n  - For example, work on nagging UI issues or OEM-specific bugs must be given equal weight to newer features, and a release must probably establish a good balance between the two. However, working on only incremental changes for a release is fine.\n- Opinionated. Chip away complexity. Do not expect users to require a PhD in Computer Science to use the app.\n  - No duplicate functionality.\n  - A concerted effort to not provide too many tunable knobs and settings. 
To err on the side of easy over simple.\n- Ignore all tenets.\n  - Common sense always takes over when tenets get in the way.\n- Must be distributable on the PlayStore, at least some toned down version of it. \n  - This unfortunately means on-device blocklists aren't possible; however, [Cloudflare Gateway](https:\u002F\u002Fwww.cloudflare.com\u002Fteams-gateway\u002F)-esque cloud-based per-user blocklists get us the same functionality.\n- Practice what you preach: Be obsessively private and secure.\n\n## Backstory\n[\u003Cimg src=\"https:\u002F\u002Fraw.githubusercontent.com\u002Ffossunited\u002FBranding\u002Fmain\u002Fasset\u002FFOSS%20United%20Logo\u002FExtra\u002FExtra%20Logo%20white%20on%20black.jpg\"\n     alt=\"FOSS United\"\n     height=\"40\">](https:\u002F\u002Ffossunited.org\u002Fgrants)&emsp;\n[\u003Cimg src=\"https:\u002F\u002Frethinkdns.com\u002Fico\u002Fmoz-builders-2000x550.png\"\n     alt=\"Mozilla Builders\"\n     height=\"40\">](https:\u002F\u002Fbuilders.mozilla.community\u002F)&emsp;\n[\u003Cimg src=\"https:\u002F\u002Ffloss.fund\u002Fstatic\u002Fbadge.svg\"\n     alt=\"FLOSS\u002Ffund by Zerodha\"\n     height=\"40\">](https:\u002F\u002Ffloss.fund\u002F)&emsp;\n     \nInternet censorship (sometimes ISP-enforced and often times government-enforced), unabated dragnet surveillance (by pretty much every company and app) stirred us upon this path. The three of us university classmates, [Mohammed](https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fhussain-mohammed-2525a626\u002F), [Murtaza](https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fmurtaza-aliakbar\u002F), [Santhosh](https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fsanthosh-ponnusamy-2b781244\u002F) got together in late 2019 in the sleepy town of Coimbatore, India to do something about it. Our main gripe was there were all these wonderful tools that people could use but couldn't, either due to cost or due to inability to grok Computer-specific jargon. 
A lot has happened since we started and a lot has changed but our focus has always been on Android and its 3B+ unsuspecting users. The current idea has been in the works since May 2020, with the pandemic derailing a bit of progress, and a bit of snafu with abandoning our previous version in favour of the current fork, which we aren't proud of yet, but it is a start. All's good now that we've won a grant from the [Mozilla Builders MVP program](https:\u002F\u002Fbuilders.mozilla.community\u002F) to go ahead and build this thing that we wanted to... do so faster... and not simply sleep our way through the execution. I hope you're excited but not as much as us that you quit your jobs for this like we did.\n\n","Rethink DNS + Firewall + VPN is a network security app for Android that integrates a WireGuard client, a firewall and network monitor, and a DNS over HTTPS\u002FDNSCrypt client. Its core features include a WireGuard proxy mode that supports multi-tunnel configurations, a DNS mode that can route all app-generated DNS traffic to any DNS resolver the user chooses, and a firewall mode that blocks applications from accessing the internet based on various conditions (such as screen state, app foreground or background, and connection type). It also provides custom domain\u002FIP denylists. The tool is particularly suited to scenarios that call for stronger online privacy protection, circumventing censorship, or finer-grained control over network activity on the device.",2,"2026-06-11 03:11:30","top_language"]