"I'd like everyone to take a deep breath and listen for a minute." - Bruce Schneier
We are excited to share what we've been working on for the past few weeks at rethinkdns.com, a configurable DNS over HTTPS resolver and a companion Android app.
The DNS over HTTPS resolver is deployed to 200+ locations to ensure low latency and robustness. The state-of-the-art HTTP/3 and TLS 1.3 protocols are built in. Availability is the number one priority at RethinkDNS, and our deployment strategies, development practices, and architecture reflect that, though we realise that achieving high availability is much harder than it looks, so for us it is very much a continuous and ongoing process.
The companion free and open-source Android app is forked from the excellent Intra project by Jigsaw. We've changed the codebase to include a firewall and reworked the UX dramatically. The app itself doesn't support HTTP/3 yet, though the resolver does.
How it works
Visit rethinkdns.com/configure. No sign-up required.
Choose from 170+ lists to block spyware, adware, malicious websites and more.
Copy and paste the resulting URL into any DNS over HTTPS client, like the one that ships with Firefox.
In our trials with users, we found that a staggering 60% of connections from Xiaomi and Vivo phones were blocked when the rethinkdns endpoint was configured with seven popular blocklists (dbl.oisd, adguard, steven-black, anudeep, yhosts, energized ultimate, and 1hosts pro) totaling around 3 million entries. The numbers were lower, but still not stellar, for Oppo (50%), Realme (50%), and OnePlus (30%) phones. Note that the block count is a function of app usage and websites visited, not just the manufacturer of the phone. Some people using Pi-hole for DNS content blocking have reported numbers as high as 87%, so even though it is trivial for apps to work around DNS-based content blocking, it remains a pretty effective and cheap way to block content across all applications.
RethinkDNS is a stub resolver that forwards queries to 188.8.131.52 and by extension supports Query Name Minimization and DNSSEC but doesn’t support ECS (EDNS Client Subnet).
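As an added example (not code from the RethinkDNS project or the Intra app), the following Python shows the client side of the "copy the URL into a DNS over HTTPS client" step above: it builds the wire-format DNS query, derives the RFC 8484 GET URL that a client such as Firefox fetches from the configured resolver, then parses and classifies the resolver's answers so that a block percentage like the one quoted in the trials can be computed. The resolver URL is a placeholder, the responses are constructed inline, and the rule that NXDOMAIN or the sentinel addresses 0.0.0.0 and :: mean "blocked" is an assumption about common DNS blockers, not documented RethinkDNS behaviour.

```python
"""RFC 8484 DNS over HTTPS helpers: build a query, derive the GET URL a DoH
client fetches, and classify the resolver's answer. Added example, constructed data."""
import base64
import ipaddress
import struct

QTYPE_A, QTYPE_AAAA, RCODE_NXDOMAIN = 1, 28, 3

def encode_name(name: str) -> bytes:
    """'example.com' -> b'\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Wire-format query: ID 0, only RD set (RFC 8484 cache-friendly GET), class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def doh_get_url(resolver_url: str, query: bytes) -> str:
    """The URL a DoH client fetches: resolver URL + ?dns=<unpadded base64url query>.
    resolver_url is whatever the configure page produced (placeholder in tests)."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}{'&' if '?' in resolver_url else '?'}dns={b64}"

def read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            end = end if jumped else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_response(msg: bytes) -> dict:
    """Return the response code and the A/AAAA addresses in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + QTYPE + QCLASS
        off = read_name(msg, off)[1] + 4
    addrs = []
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(rdata)))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            addrs.append(str(ipaddress.IPv6Address(rdata)))
    return {"rcode": flags & 0xF, "addrs": addrs}

def classify(msg: bytes) -> str:
    """'blocked' on NXDOMAIN or when every address is a sentinel (0.0.0.0 / ::).
    Assumption: that is how common DNS blockers signal a hit; not a RethinkDNS spec."""
    r = parse_response(msg)
    if r["rcode"] == RCODE_NXDOMAIN:
        return "blocked"
    if r["rcode"] != 0:
        return "error"
    if not r["addrs"]:
        return "no-answer"
    return "blocked" if all(a in ("0.0.0.0", "::") for a in r["addrs"]) else "resolved"

def block_rate(responses) -> float:
    """Fraction of answers classified as blocked, the figure quoted in the trials."""
    verdicts = [classify(m) for m in responses]
    return sum(v == "blocked" for v in verdicts) / len(verdicts)

def build_response(query: bytes, rcode: int = 0, addrs=()) -> bytes:
    """Construct a reply for offline testing: QR/RD/RA set, question echoed, one
    A/AAAA record per address, each naming the question via pointer 0xC00C."""
    header = struct.pack("!HHHHHH", 0, 0x8180 | rcode, 1, len(addrs), 0, 0)
    rrs = b""
    for a in addrs:
        ip = ipaddress.ip_address(a)
        rtype = QTYPE_A if ip.version == 4 else QTYPE_AAAA
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(ip.packed)) + ip.packed
    return header + query[12:] + rrs

# Constructed trial: five answers a blocklist-enabled resolver might return.
CONSTRUCTED_TRIAL = [
    build_response(build_query("example.com"), addrs=["203.0.113.10"]),
    build_response(build_query("tracker.example"), addrs=["0.0.0.0"]),
    build_response(build_query("ads.example"), rcode=RCODE_NXDOMAIN),
    build_response(build_query("cdn.example", QTYPE_AAAA), addrs=["2001:db8::1"]),
    build_response(build_query("telemetry.example"), addrs=["0.0.0.0", "::"]),
]
```

Calling `block_rate(CONSTRUCTED_TRIAL)` gives 0.6 for the constructed set, which is the shape of the 60% figure above, and `doh_get_url` reproduces the well-known RFC 8484 example URL for www.example.com. The classifier deliberately reports a mixed answer (one sentinel plus one real address) as resolved, and a non-zero RCODE other than NXDOMAIN as an error, so that resolver failures are not miscounted as blocks when measuring.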
RethinkDNS does not log requests by default.
There is currently no charge to use the DNS service itself, but in the future we plan to monetize by providing additional functionality on top of content blocking.
The effectiveness of DNS-based content blocking has led a plethora of companies to build pretty impressive products in the past few years, some of them very advanced and feature-rich. Building yet another such service stems from our frustration in using those, though we are personally big fans of, and inspired by, NextDNS, Cloudflare Gateway, and Pi-hole.
First, RethinkDNS's core focus is high availability: we try hard to prioritize it over any other decision we take. In our trial runs (albeit not at very high scale), we found no traces of downtime, despite continuing to add new features. Sometimes focusing incessantly on availability has meant higher costs, and that has meant we couldn't possibly provide the service for free, not forever at least. The RethinkDNS resolver, as of today, runs on Cloudflare Workers, but we have already begun exploring a redundant architecture on top of other serverless offerings, like fly.io and stackpath.com.
Second, we are on a mission to democratize security solutions for consumers, and DNS is just the start. Our initial focus is mobile devices that are always on and always connected. We believe there's value in helping 2B+ users secure their Androids with usable security tools otherwise long relegated to the confines of large enterprises and the guild of computer geeks.
Third, we deeply believe in an open internet. Routing DNS to uncensored endpoints helps circumvent censorship in countries where deep-packet inspection isn't prevalent, and with ECH (Encrypted Client Hello) around the corner, this will prove to be a very cheap but effective tactic in bringing uncensored Internet to billions of Android users, for a start.
Fourth, we abhor surveillance capitalism and will continue to build tools that expose it. For example, DNS requests reveal a lot of information that can inform users about what's happening on their devices with the apps they've installed, or ones they didn't install but came pre-installed. There's nothing distasteful about data collection done with regard for privacy (providing opt-outs) and state-of-the-art data-handling practices for the benefit of the users: for example, the Google Photos app categorizing photos by location, grouping them by people, and clustering them by trips has a modicum of utility for folks that opt in to it. But data collection for its own sake, without a care in the world for users' privacy, without strict controls over its protection, and bounded only by questionable user agreements is what irks us. Letting users take control of their devices by giving them tools they can use without a computer science degree would hand them the ability to resist such unabated inroads into their private lives. Even if not by much, it is a start, and we're excited to see how far we can get.
Who are you
We're concerned engineers willing to put in the work, I guess. That said, you shouldn't trust us any more than you trust any other stranger on the internet, but hopefully we are able to earn that trust over time by engaging with the community and proving our credibility by walking the talk. RethinkDNS is the work of three friends from India, Mohammed, Murtaza, and Santhosh, with around 20 years of industry experience between them at Amazon, IBM, and Scientific Games, who got together sometime in November 2019 to build this. If you were as excited as we are, you'd probably quit your job too :)
One more thing
Mozilla backed us early in our journey through their Fix-the-Internet MVP initiative in May 2020, and we are grateful for it.
If you want to reach out to us with suggestions, requests, or anything else at all, feel free to email us at firstname.lastname@example.org.
Thanks to Bart Decrem and Patrick Lu for reading drafts of this.