Is "Prevent DNS leaks" not working for direct queries?

[boernsen-development]

I have "Prevent DNS leaks" enabled in v0.5.5n from f-droid.

I have one app, that seems to ignore the system's DNS service and directly queries 8.8.8.8:53 and 8.8.4.4:53 via UDP, which show up in RethinkDNS's log. I isolated the app as I want to control which connections it does. Now these queries get blocked due to isolation, which breaks the app. If I allow these IPs for the app, the connections are logged as "Trusted IP", so it seems these connections are just made as shown, but not redirected/proxied to the user-set DNS as I would expect it due to the "Prevent DNS leaks" setting. When allowing the entire app for connections the connection is indeed labeled as "DNS Proxied" as expected.

Is this behavior as expected? Is this just a labeling issue in the log? In that case, how could I verify those connections are redirected/proxied?

BTW, I tried to turn on packet capture, but the output file never grows greater than 0 bytes. Not sure whether I missed something?

I am happy to provide more info or test things. Many thanks for any help!

Screenshots

[ignoramous]

BTW, I tried to turn on packet capture, but the output file never grows greater than 0 bytes. Not sure whether I missed something?

A bug which we fixed in v055n. What Rethink version are you using? Check the footer of the About page.

I have one app, that seems to ignore the system's DNS service and directly queries 8.8.8.8:53 and 8.8.4.4:53 via UDP, which show up in RethinkDNS's log. I isolated the app as I want to control which connections it does. Now these queries get blocked due to isolation, which breaks the app. If I allow these IPs for the app, the connections are logged as "Trusted IP", so it seems these connections are just made as shown, but not redirected/proxied to the user-set DNS as I would expect it due to the "Prevent DNS leaks" setting. When allowing the entire app for connections the connection is indeed labeled as "DNS Proxied" as expected.

Most likely just a labeling "issue" (as in, the app shows only ONE label among multiple that may apply, like in this case).

In that case, how could I verify those connections are redirected/proxied?

You should see the domains the app is trying to contact in the "DNS Log" (from Configure -> Logs -> Swipe to "DNS"). This may be hard to do ascertain without "Advanced DNS filtering" turned ON (from Configure -> DNS), but I'd rather you wait for v055o, the upcoming version, which has improved DNS split-tunneling and has higher accuracy and fidelity in mapping DNS requests to the app that sent it.

If you're technical enough to run adb logcat | grep "GoLog" | grep "dns:" to can see if the DNS request to the Trusted IP is proxied as expected by seeing if it reaches the "dns" subsystem of Rethink's network engine. Make sure to turn ON Verbose or Very Verbose logging from Configure -> Settings -> Log level to get detailed logs.

[boernsen-development]

Many thanks for your reply!

What Rethink version are you using? Check the footer of the About page.

I am on v0.5.5n since it is available on F-Droid. For some reason I still only get 0 bytes log files.

Looking forward to v0.5.5o. I might also try the logcat approach when I find the time.