Is your feature request related to a problem? Please describe.
I'd like to disable DNS by default to prevent leaks, but enable it for selected apps for which I've enabled VPN (Orbot), with DNS going via the VPN for these.
In AFWall+, selecting "Disable DNS via netd" works as advertised[1], in that it blocks all DNS via netd (regardless of whether the app is VPN-enabled). When a VPN-enabled app tried to use DNS, I saw in the log that netd attempted to send UDP to 10.10.10.10:53, which I guess is a "magic" address for DNS via VPN. I added the following custom rules and now it seems to work the way I'd like:
So the only "problem" here is it took many hours of learning and experimentation (e.g. I knew nothing about iptables when I started) to achieve this, or even realise that it was possible. Since AFWall's UI has separate settings for whether apps can send data via VPN and not-VPN, it seems desirable for the UI to have this for DNS too, without needing custom rules.
Describe the solution you'd like
As well as the existing "Enable DNS via netd" and "Disable DNS via netd" settings, add "Enable DNS via netd for VPN only" or similar.
Describe alternatives you've considered
This feature isn't needed if #1047 is ever fixed (add DNS proxy to allow per-app firewalling of DNS), which would obviously be far superior.
Additional context
In Android settings, Private DNS needs to be disabled to make it send DNS via the VPN (for VPN-enabled apps). Otherwise it bypasses the VPN!
Footnotes
[1] Well, actually I found the wording a little misleading. At first, I expected this to make apps send DNS requests direct instead of via netd. It was only via experimenting that I found what it actually does. "Block DNS via netd" might be better wording.
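As an added illustration (not the rules the issue author applied, and not AFWall+ project code), the script below shows the kind of iptables rule set the request implies: drop plain DNS on port 53 everywhere except to the VPN resolver over the tunnel device, and log whatever is dropped so a leak is visible. It assumes 10.10.10.10 as the resolver address (taken from the log quoted in the issue), tun0 as the tunnel device, and a dedicated chain named DNS_VPN_ONLY; all three are placeholders. DRY_RUN=1 (the default) prints the commands instead of applying them, so it runs without root.

```shell
#!/bin/sh
# Added example, not the rules from the issue or from AFWall+: block plain DNS
# (port 53) everywhere except to the VPN's resolver over the tunnel device, so
# DNS from VPN-routed apps can only leave via the VPN and anything else shows
# up in the log. Assumptions (placeholders): resolver 10.10.10.10 as seen in the
# issue's log, tunnel device tun0, and a dedicated chain named DNS_VPN_ONLY.
VPN_DNS="${VPN_DNS:-10.10.10.10}"
VPN_IF="${VPN_IF:-tun0}"
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands; 0 = apply them (needs root)

run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "$IPTABLES $*"
  else
    "$IPTABLES" "$@"
  fi
}

# Build the rules in their own chain and hook it at the head of OUTPUT so it is
# evaluated before any other chain. Rule order inside the chain matters: accept
# (RETURN) the VPN resolver first, then log and drop every other port-53 packet.
dns_vpn_only_rules() {
  run -N DNS_VPN_ONLY 2>/dev/null || true   # create once; ignore "already exists"
  run -F DNS_VPN_ONLY                        # start from an empty chain (idempotent)
  for proto in udp tcp; do
    run -A DNS_VPN_ONLY -o "$VPN_IF" -d "$VPN_DNS" -p "$proto" --dport 53 -j RETURN
  done
  for proto in udp tcp; do
    run -A DNS_VPN_ONLY -p "$proto" --dport 53 -j LOG --log-prefix "DNS-LEAK "
    run -A DNS_VPN_ONLY -p "$proto" --dport 53 -j DROP
  done
  run -D OUTPUT -j DNS_VPN_ONLY 2>/dev/null || true   # remove an older hook if present
  run -I OUTPUT 1 -j DNS_VPN_ONLY
}

# Count log lines produced by the LOG rule above (dropped port-53 packets),
# reading kernel log / dmesg output from stdin.
count_dns_leaks() {
  grep -c 'DNS-LEAK .*DPT=53' || true
}

# Constructed sample log lines (not a real capture): two leaks on wlan0/rmnet0,
# one legitimate query to the VPN resolver over tun0 that was not logged.
SAMPLE_LOG='<4>[  123.456] DNS-LEAK IN= OUT=wlan0 SRC=192.168.1.20 DST=192.168.1.1 PROTO=UDP SPT=41234 DPT=53 LEN=48
<4>[  123.789] IN= OUT=tun0 SRC=10.10.10.20 DST=10.10.10.10 PROTO=UDP SPT=41235 DPT=53 LEN=48
<4>[  124.001] DNS-LEAK IN= OUT=rmnet0 SRC=10.20.30.40 DST=8.8.8.8 PROTO=TCP SPT=41236 DPT=53 LEN=60'

if [ "${1:-}" = "--demo" ]; then
  dns_vpn_only_rules
  printf '%s\n' "$SAMPLE_LOG" | count_dns_leaks
fi
```

Run it with `--demo` to print the rule commands and the leak count for the constructed log; with `DRY_RUN=0` as root it applies them. The Private DNS caveat from the issue still applies: a port-53 rule says nothing about DNS-over-TLS on port 853, so Private DNS has to be off for the VPN-only restriction to mean anything.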