RethinkDNS Users Guide


RethinkDNS

I'm not affiliated with RethinkDNS in any way; I'm just a technologist with privacy concerns.

🔑 Key Terms

  • HTTP (HyperText Transfer Protocol): The standard protocol used by web browsers and servers to transfer web pages and related resources over the internet.

  • IP (Internet Protocol): The addressing and routing system of the internet that moves data packets from a source device to a destination device. IP operates at the network layer and is best-effort: it does not guarantee that packets arrive, or that they arrive in order. Reliability is handled above it by TCP.

  • IP Address (Internet Protocol Address): A unique numeric label assigned to each device on a network, used to identify and locate the device for communication.

  • Subnet (Subnet Range): A block of IP addresses grouped together under a single rule, written in CIDR notation (e.g. 151.101.0.0/16). Instead of allowing or blocking individual IP addresses one by one, you define a subnet to cover a whole range of IPs at once. (Useful for apps that you Isolate.)

  • Host: Any device connected to a network with an IP address, capable of sending and receiving data, including computers, phones, or servers.

  • Client: A device or software (often your computer or phone) that initiates requests to servers to access resources or services, forming the client-server model of communication.

  • Port: A port is a virtual communication endpoint managed by a computer's operating system that directs network traffic to a specific app or service. While an IP address identifies a device on a network, the port tells the system which app or service should handle the incoming or outgoing data. Web traffic commonly uses port 80 (HTTP) or 443 (HTTPS), so data arriving on those ports is routed to the web server application on the device. When we block port 80 we block plain-text HTTP on its standard port; it does not stop an app from speaking unencrypted HTTP on some other port.

  • TCP (Transmission Control Protocol): Establishes a connection with a handshake, numbers the packets so they can be put back in the correct order, and asks for missing pieces to be resent. It is reliable, at the cost of extra round trips compared to UDP.

  • UDP (User Datagram Protocol): A fast, connectionless protocol used across the internet for time-sensitive traffic such as DNS lookups or VoIP. UDP lets a computer send datagrams straight to another without a handshake, and without delivery guarantees.

  • DNS (Domain Name System): stores domain information in a distributed database and translates domain names into IP addresses and vice versa. This enables us to only have to remember simple domain names rather than complex IP addresses.

Domain Name

ssd.eff.org
 |   |   |
 |   |  top-level domain
 |   |
 |   second-level domain
 |
subdomain

☝️ The hierarchy is read from right to left, the TLD is the highest-level domain (.org here), the second-level domain (eff) is directly to the left of the TLD, and anything further left (like ssd) is a subdomain under that second-level domain.

  • DNS Server: When you look up a domain name (rethinkdns.com) it triggers a DNS lookup. Several different types of DNS servers typically work together to complete a single lookup (see Cloudflare's overview of DNS server types).

  • DNS Resolver: is a server or software component that translates domain names into IP addresses that devices use to communicate.

  • Recursive resolver (DNS recursor): Typically the first stop for a client's DNS query. It acts as a middleman between the client and the DNS nameservers: it queries the root, TLD and authoritative nameservers as needed, and is responsible for returning the final answer to the client.

  • Iterative resolver: In an iterative DNS query, each DNS server responds directly to the client with a referral to another server, and the client continues querying successive servers until it receives the IP address for the requested domain.

  • Proxy: A proxy, in relation to Orbot with Rethink, is an intermediary service that routes internet traffic from your device through the Tor network to provide privacy and anonymity.

  • HTTP(S) Proxy: An HTTP proxy is an intermediary server that forwards HTTP/HTTPS web traffic from a client (e.g., a browser or app) to destination servers, allowing for privacy, filtering, or routing control while masking the user's IP. HTTP proxies only work with web traffic (HTTP/HTTPS).

  • SSL (Secure Sockets Layer): A protocol for encrypting and authenticating communications over the internet, mainly between a client and a server. SSL was replaced some time ago by its successor, TLS (Transport Layer Security); the name SSL survives mostly out of habit.

  • TLS: is a newer protocol that also encrypts communications, such as the communication between a web browser and a web server. TLS evolved from SSL and is now the standard for securing internet communications.

  • HTTPS: is an implementation of TLS encryption on top of the HTTP protocol. You can think of it as Secure HTTP.

  • SOCKS5 (Socket Secure 5): A general-purpose proxy protocol. The client asks the proxy to open a connection on its behalf, so the destination sees the proxy's IP address instead of the user's. It supports both TCP and UDP (via its UDP ASSOCIATE command) and, when the client sends a hostname rather than an IP, leaves name resolution to the proxy. SOCKS5 itself does not encrypt anything.

  • pi-hole: A DNS sinkhole that blocks ads and trackers for every device on your network by answering their DNS queries, without installing any client-side software.

  • OpenSnitch: is a GNU/Linux application firewall.

  • proxifier: a proxifier acts as a proxy client, routing specific application traffic through proxy servers without encrypting data or providing global IP masking.

  • VPN (Virtual Private Network): a VPN creates an encrypted tunnel that routes all network traffic from your device through a remote server, masking your IP address and securing your entire connection.

  • WireGuard: A modern VPN protocol built on a small, fixed set of current cryptographic primitives. It's fast and has gained widespread adoption among VPN providers.

  • OpenVPN: An older, more mature VPN protocol that uses TLS for its control channel. It's known for being very reliable and highly configurable but tends to be slower and more complex than WireGuard. Good VPNs often let you choose between the two.

  • Bypass DNS and Firewall: Bypass universal DNS and Firewall Rules.

  • Bypass Universal: Bypasses the Universal Firewall rules.

  • Exclude: This app is excluded from DNS and Firewall.

  • Isolate: When an app is isolated, only the IPs and domains you have explicitly trusted are allowed.

  • 🛜(Unmetered Wi-Fi): Wi-Fi settings, either blocked or allowed.

  • 📶 (Metered mobile): Mobile data settings, either blocked or allowed.


RethinkDNS Overview

Most operating systems, including Android, use a built-in stub resolver that handles DNS queries locally and forwards them to an external recursive resolver, typically the one handed out by the network or configured by the user. These stub resolvers offer limited customization and usually speak plain-text DNS, or DNS-over-TLS (and, on newer Android versions, DNS-over-HTTPS) via Android's Private DNS setting.

RethinkDNS replaces the system stub resolver with its own DNS client. Instead of handing queries to whatever resolver the network provides, Rethink sends them over an encrypted transport of your choosing (DNS-over-HTTPS, DNS-over-TLS, DNSCrypt, or Oblivious DNS-over-HTTPS) to the upstream resolver you configure, such as Quad9 later in this guide. These protocols encrypt DNS traffic between your device and that resolver, improving privacy and protecting the queries and answers from interception or manipulation on the path.

In addition to its DNS capabilities, RethinkDNS also functions as a firewall. It runs as a local VPN on the device so that every app's traffic passes through it, and lets you block an app's UDP and TCP connections. Almost every app communicates over TCP or UDP, so blocking these protocols effectively cuts off most network traffic to and from an app, preventing it from connecting without your permission.

I will share how I use RethinkDNS, obviously feel free to make changes based on your threat model and needs.

Getting Started

DNS

❗ NOTE: When you switch to an encrypted DNS resolver, you are shifting your trust from your ISP's DNS servers to the third-party DNS provider you choose. Encryption protects your DNS queries from being seen or intercepted by outsiders, like your ISP or network eavesdroppers, which improves privacy. However, the DNS resolver itself still sees all your queries and could potentially log, analyze, or misuse that data.

That said, it's quite common for ISPs to engage in practices that compromise user privacy. Do some research: what's the resolver provider's business model, what does its privacy policy say, and so on. Unfortunately, with a VPN you are also just shifting the trust. Don't blindly choose a VPN either; I haven't found a free VPN that I would trust...

Configure -> DNS -> Other DNS:

  • Choose the type of resolver you want, I use DNSCrypt. Once you click you can choose the specific resolver you want such as Quad9. You may notice that it says Failed: using fallback DNS. This is only because we haven't turned it on yet, we will recheck this once we turn it on.

  • If you want a relay in a specific country, you can click the Relays tab. For DNSCrypt you are given the choice between the Netherlands, France, Sweden, Los Angeles, and Singapore. You might do this if you were trying to circumvent censorship.

Under Rules, you will see the following options:

  • Advanced DNS filtering (experimental): Assign unique IP per DNS request.

  • Prompt on blocklist updates: This is for if you use Rethink's custom blocklists.

Leave all the Advanced defaults unless you plan on setting up a SOCKS5 proxy, in which case you will want to enable Configure -> DNS -> Never proxy DNS.


Network

Configure -> Network:

  • Set Use all available networks to ON. This enables Wifi and mobile data to be used at the same time by Rethink. (Optional, may use more battery)

  • Set your IP version: The default is IPv4, you can choose between IPv6 (experimental) and Auto (experimental).

  • Using the Loopback sounds like a good idea but it makes many of the resolvers fail. You may have better luck, just remember that this could be what's causing your connectivity issues if you're having any.

  • Choose fallback DNS: When your user-preferred DNS is not reachable, fallback DNS will be used. I typically choose RethinkDNS as the fallback.

  • You may want to experiment with shutting off Enable network visibility, just keep in mind that some apps may break. "Shutting this off prevents apps from accessing all available networks, stopping them from bypassing Rethinks tunnel". This caused issues with the browser when turned off.


Firewall

Configure -> Firewall -> Universal firewall rules and set the following to ON:

  • Block all apps when device is locked

  • Block when DNS is bypassed

  • Block port 80 (insecure HTTP) traffic

You can get more restrictive from here, but it will take some manual intervention to get everything working correctly.


Turn ON DNS and Firewall

Home 🏠:

  • Click the big Start button on the bottom of the screen and leave it set to the default DNS and Firewall (default)

Below the Start button should show Protected. If not, check Configure -> DNS -> Other DNS and ensure your resolver started successfully.

Now, all apps on your device by default allow both Wi-Fi and mobile data access through the RethinkDNS encrypted tunnel. Try some of your most used Apps to see if they function correctly.

RethinkDNS's firewall applies its universal rules to every connection and blocks anything those rules don't allow. Although by default all apps are allowed network access, some apps need extra permissions or bypasses because of how they use the network: many rely on multiple external services, backend APIs, and so on, some of which may be blocked by the firewall.


Apps that Don't work

I will use Reddit as an example, the process is the same for any app. Reddit’s app and website rely on multiple third-party services and external domains beyond just reddit.com itself.

For apps that don't work, it's also important to make sure that your Android system's Private DNS setting is on Automatic.

Home -> Apps:

Search for Reddit and click on it; the rules for Reddit will pop up. Since it is already allowed both Unmetered and Metered connections and still doesn't work, we can first examine Reddit's logs:

  • Search for and select Reddit, at the bottom of the screen click Domain Logs. There, you will see the domains associated with Reddit where you can set trust rules, etc.

  • While Reddit is still open, in Rethink go to Configure -> Logs -> DNS. Click the filter logo, and choose Blocked. Look through which domains are actively blocked and allow the ones related to Reddit that you trust, a quick search can usually tell you what you need to know.

  • Bypass Universal: bypasses only the Universal firewall rules. Still no luck? You can try:

  • Bypass DNS & Firewall: bypasses both the DNS and the Firewall. Still nothing? Then:

  • Exclude the app. This excludes the App from the DNS and Firewall, Rethink will no longer be aware of or create logs for said app.

  • You can also Isolate an App, you then have to set up trust | allow rules for domains or IPs over a period of time which can take a while. You can go to Apps and search for the app in question, click on it and at the bottom of the screen you'll see IP Logs, and Domain Logs to help with this.

  • If you do Isolate an app, I recommend setting trust rules for domains, as there are usually far fewer domains than IPs. If that still doesn't work you can try allowing subnet ranges, explained next.
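Matching Domain Logs entries against trust rules, as an added example (this is not code from the page or from Rethink, and Rethink's own matching logic is not shown here). It assumes one particular semantics for wildcard rules, that *.reddit.com covers subdomains but not the bare reddit.com, and it treats the last two labels as the registrable domain, which is a simplification that breaks for suffixes like co.uk. The log entries and rules are constructed for illustration:

```python
import re

# Constructed sample of the kind of names you would see in an app's Domain Logs
# (illustrative, not a capture from Rethink).
SAMPLE_DOMAIN_LOG = [
    "www.reddit.com",
    "gateway.reddit.com",
    "reddit.com",
    "redditmedia.com",
    "i.redd.it",
    "firebaseinstallations.googleapis.com",
    "app-measurement.com",
]

# Trust rules a user might have entered so far (also constructed).
TRUST_RULES = ["reddit.com", "*.reddit.com", "*.redd.it", "redditmedia.com"]

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def split_labels(name):
    """Labels of a hostname, lowercased and validated: 'ssd.eff.org' ->
    ['ssd', 'eff', 'org']. Rejects junk so a malformed log line can never
    be turned into an allow rule by accident."""
    labels = name.strip().rstrip(".").lower().split(".")
    if not labels or not all(_LABEL.match(lab) for lab in labels):
        raise ValueError(f"not a hostname: {name!r}")
    return labels


def registrable_domain(name):
    """Second-level domain plus TLD ('ssd.eff.org' -> 'eff.org').
    Simplification: assumes a one-label public suffix; names under suffixes
    such as co.uk need the Public Suffix List to be split correctly."""
    return ".".join(split_labels(name)[-2:])


def rule_matches(rule, name):
    """Does a trust rule cover a logged hostname?
    Exact rule: the names must be identical label for label.
    Wildcard rule '*.example.com': any name with at least one label in front
    of example.com, but not the apex itself (assumed semantics for this
    example; check how your firewall treats the apex before relying on it)."""
    labels = split_labels(name)
    if rule.startswith("*."):
        suffix = split_labels(rule[2:])
        return len(labels) > len(suffix) and labels[-len(suffix):] == suffix
    return split_labels(rule) == labels


def classify(names, rules):
    """Split logged names into those an existing rule already covers and
    those still waiting for a decision, the latter grouped by registrable
    domain so related hosts can be judged together."""
    covered, pending = [], {}
    for n in names:
        if any(rule_matches(r, n) for r in rules):
            covered.append(n)
        else:
            pending.setdefault(registrable_domain(n), []).append(n)
    return covered, pending


if __name__ == "__main__":
    covered, pending = classify(SAMPLE_DOMAIN_LOG, TRUST_RULES)
    print("covered by existing rules:", covered)
    for reg, hosts in pending.items():
        print(f"still blocked under {reg}: {hosts}")
```

The grouping is what makes the log review quicker: the two Google entries in the sample land under googleapis.com and app-measurement.com, which is exactly the kind of telemetry you may decide not to trust even though the app "needs" it to stop complaining.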

Other Methods

Rather than watching the logs and setting trust rules over time, you can use tools like nslookup and dig to resolve the domain and list the IPs it currently points to, then whois to find the address ranges those IPs belong to.

nslookup reddit.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   reddit.com
Address: 151.101.129.140
Name:   reddit.com
Address: 151.101.193.140
Name:   reddit.com
Address: 151.101.1.140
Name:   reddit.com
Address: 151.101.65.140
Name:   reddit.com
Address: 2a04:4e42::396
Name:   reddit.com
Address: 2a04:4e42:600::396
Name:   reddit.com
Address: 2a04:4e42:200::396
Name:   reddit.com
Address: 2a04:4e42:400::396

Resolving a domain (like reddit.com) using tools like nslookup or dig reveals multiple IPs because large services use multiple servers across CDNs and networks for redundancy and performance.

You can then run whois on one of those IPs (e.g., whois 151.101.129.140) to identify the subnet ranges owned by Reddit's CDN provider (Fastly in this case), which helps when setting up subnet range allow rules in Rethink.

whois 151.101.129.140

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2025, American Registry for Internet Numbers, Ltd.
#


NetRange:       151.101.0.0 - 151.101.255.255
CIDR:           151.101.0.0/16
NetName:        SKYCA-3
NetHandle:      NET-151-101-0-0-1
Parent:         RIPE-ERX-151 (NET-151-0-0-0-0)
NetType:        Direct Allocation
OriginAS:
Organization:   Fastly, Inc. (SKYCA-3)
RegDate:        2016-02-01
Updated:        2021-12-14
Ref:            https://rdap.arin.net/registry/ip/151.101.0.0


OrgName:        Fastly, Inc.
OrgId:          SKYCA-3
Address:        PO Box 78266
City:           San Francisco
StateProv:      CA
PostalCode:     94107
Country:        US
RegDate:        2011-09-16
Updated:        2025-03-25
Ref:            https://rdap.arin.net/registry/entity/SKYCA-3


OrgNOCHandle: FNO19-ARIN
OrgNOCName:   Fastly Network Operations
OrgNOCPhone:  +1-415-404-9374
OrgNOCEmail:  noc@fastly.com
OrgNOCRef:    https://rdap.arin.net/registry/entity/FNO19-ARIN

OrgTechHandle: FRA19-ARIN
OrgTechName:   Fastly RIR Administrator
OrgTechPhone:  +1-415-518-9103
OrgTechEmail:  rir-admin@fastly.com
OrgTechRef:    https://rdap.arin.net/registry/entity/FRA19-ARIN

OrgAbuseHandle: ABUSE4771-ARIN
OrgAbuseName:   Abuse Account
OrgAbusePhone:  +1-415-496-9353
OrgAbuseEmail:  abuse@fastly.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/ABUSE4771-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2025, American Registry for Internet Numbers, Ltd.

We can see that:

  • The subnet range for that IP: 151.101.0.0 - 151.101.255.255 (CIDR notation: 151.101.0.0/16)

  • The owning organization: Fastly, Inc. (plus its NOC, technical and abuse contacts)

So as a starting point to get Reddit working we could trust the following subnet range:

  • IPv4: 151.101.0.0/16

  • This subnet covers the full range from 151.101.0.0 to 151.101.255.255, which includes all of the IPv4 addresses nslookup returned for Reddit via Fastly's CDN. (The IPv6 answers are in a different block and would need their own rule if your IP version is set to IPv6 or Auto.)

  • Upon further testing, with Reddit isolated and only the above subnet trusted, Reddit was fully functional. I then switched back to just allowing unmetered and metered connections and it continued working with the same trust rule.

❗ NOTE: There is risk in trusting a large subnet like 151.101.0.0/16: you are trusting every service hosted on Fastly's CDN, not just Reddit, so any malicious or compromised site behind the same CDN gets the same allowance. Start with the specific IPs from nslookup (e.g. 151.101.129.140, 151.101.193.140) or, better, use domain-based trust rules (e.g., reddit.com, *.reddit.com), and widen only as far as the logs show you need to.
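Turning the nslookup and whois output above into candidate trust rules, as an added example (not from the page or from Rethink). It parses the two outputs exactly as shown on this page (copied in as constructed input, so it runs offline), computes the narrowest single prefix that covers the returned addresses, and lists how many addresses each option would admit, so the jump from four /32s to a /16 is visible before you type the rule in:

```python
import ipaddress
import re

# Constructed from the nslookup and whois output shown above; not a live lookup.
NSLOOKUP_OUTPUT = """\
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   reddit.com
Address: 151.101.129.140
Name:   reddit.com
Address: 151.101.193.140
Name:   reddit.com
Address: 151.101.1.140
Name:   reddit.com
Address: 151.101.65.140
Name:   reddit.com
Address: 2a04:4e42::396
Name:   reddit.com
Address: 2a04:4e42:600::396
Name:   reddit.com
Address: 2a04:4e42:200::396
Name:   reddit.com
Address: 2a04:4e42:400::396
"""

WHOIS_OUTPUT = """\
NetRange:       151.101.0.0 - 151.101.255.255
CIDR:           151.101.0.0/16
NetName:        SKYCA-3
Organization:   Fastly, Inc. (SKYCA-3)
"""


def parse_nslookup(text):
    """Answer addresses from nslookup output; the resolver's own
    'Address: 127.0.0.1#53' line is skipped because of the '#port' suffix."""
    ips = []
    for line in text.splitlines():
        m = re.match(r"\s*Address:\s*(\S+)\s*$", line)
        if m and "#" not in m.group(1):
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def parse_whois_cidrs(text):
    """CIDR blocks from ARIN whois output (one CIDR line may list several,
    comma separated)."""
    nets = []
    for line in text.splitlines():
        m = re.match(r"\s*CIDR:\s*(.+)", line)
        if m:
            nets.extend(ipaddress.ip_network(c.strip()) for c in m.group(1).split(","))
    return nets


def smallest_covering_prefix(ips):
    """The single CIDR that just covers every address (same IP version)."""
    net = ipaddress.ip_network(str(ips[0]))      # start at /32 or /128
    for ip in ips[1:]:
        while ip not in net:
            net = net.supernet()                  # widen one bit until it fits
    return net


def by_version(ips):
    return {v: [ip for ip in ips if ip.version == v] for v in (4, 6)}


def allow_rule_options(ips, whois_nets):
    """Candidate trust rules for one address family, narrowest first, each
    with the number of addresses it admits, so the blast radius is explicit."""
    exact = [ipaddress.ip_network(str(ip)) for ip in ips]
    cover = smallest_covering_prefix(ips)
    owner = [n for n in whois_nets
             if n.version == cover.version and all(ip in n for ip in ips)]
    options = [("exact", exact, len(exact)),
               ("covering", [cover], cover.num_addresses)]
    if owner:   # whois may not have been run for this family (IPv6 above)
        options.append(("whois", owner, sum(n.num_addresses for n in owner)))
    return options


if __name__ == "__main__":
    ips = parse_nslookup(NSLOOKUP_OUTPUT)
    whois_nets = parse_whois_cidrs(WHOIS_OUTPUT)
    for version, fam in by_version(ips).items():
        print(f"IPv{version}:")
        for label, nets, count in allow_rule_options(fam, whois_nets):
            print(f"  {label:8} {', '.join(map(str, nets))}  ({count} addresses)")
```

For Reddit's IPv4 answers the narrowest single prefix is already 151.101.0.0/16, because the third octet (1, 65, 129, 193) differs in its top two bits, so there is no tidy middle ground between per-IP rules and the whole Fastly block; for the IPv6 answers it is 2a04:4e42::/37. Either way the per-IP list is the conservative starting point, and CDN answers change, so expect to revisit it.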

Firefox Encrypted DNS through Rethink

First, make sure you can visit a few sites in Firefox. If you can, then your browser traffic should be routed through the Rethink tunnel, we will check here. If you can't, go to Home -> Apps and search for Firefox, is networking enabled?

RethinkDNS Settings

For the best experience routing your browser traffic through your custom endpoint (e.g., DNSCrypt) on both Wi-Fi and mobile data ensure the following are set:

  • Do not turn on Block any app not in use in the Universal firewall. After some Log digging, I found that this causes the browser to fail more often than not.

  • Configure -> Network -> Enable network visibility set to ON. I had experimented with turning this off and certain websites wouldn't load when on Wi-Fi and none would load on mobile data. Turning it back on seemed to fix both with no leaks detected.

Double check that in Rethink's Configure -> DNS -> Prevent DNS leaks is ON, as well as the Universal Firewalls Block when DNS is bypassed ON.

Firefox Settings

In Firefox, open about:config, search for network.trr.mode and change its value to 3. This preference controls Firefox's built-in DNS-over-HTTPS resolver (the Trusted Recursive Resolver, TRR); 3 means TRR only, so Firefox uses only its own DoH resolver and never the system one. Be aware that the DNS over HTTPS choice in Firefox's Settings, covered next, writes this same preference, so whatever you pick there is what ends up in effect. Also in about:config, find media.peerconnection.enabled and set it to false to prevent WebRTC leaks.

  • The trade-off is that disabling WebRTC breaks websites or apps that use it for real-time communication (like video calls or chat) in the browser. See Wikipedia's WebRTC article.

In Firefox Settings -> Privacy & Security, set DNS over HTTPS to Default Protection. Unlike Max Protection, which pins Firefox to its own DNS-over-HTTPS provider and bypasses Rethink's resolver entirely, Default Protection lets lookups go through the Android resolver, which is Rethink's tunnel, so they end up at whatever resolver you configured there (DNSCrypt with Quad9 in this guide). The leak test below confirms this.

Checking for DNS Leaks

Go to:

https://dnsleaktest.com

Also crosscheck with:

https://ipleak.net

For DNSCrypt with Quad9 Security, dnsleaktest found 5 servers, all with the ISP listed as WoodyNet, indicating that queries are going out through Quad9. Quad9's resolvers run on infrastructure provided by Packet Clearing House (PCH), whose network is registered as WoodyNet, which is where the name comes from.

A different solution could be to experiment with more strict RethinkDNS settings, Exclude your browser and use the browsers built-in DNS over HTTPS on max protection. Having more strict defaults for Rethink with all of your apps and configuring your browser separate may be a better option, the choice is yours.

When hunting down a solution you can go to Configure -> Logs, then try to visit the site that wouldn't work while watching the logs. You should see Firefox pop up, click it, in the top right of the pop up should be the reason it was blocked.


DuckDuckGo

I also tested DuckDuckGo with its stock configuration; dnsleaktest.com showed only WoodyNet servers, meaning DDG's traffic was successfully tunneled through Rethink to Quad9's resolvers.


Chromium Based Browsers (Brave)

Brave would not work when routed through Rethink and Chrome completely ignored it. Brave is definitely better if you must use a Chrome derivative.

  • I tried disabling the Brave Shield Use Secure DNS to see if that helped, it didn't. There may be more you could do here to get it working...

  • I do have Chrome and google apps disabled on my main device and only active in the Secure Folder which is like a sandboxed environment. This could very well be the reason it ignored Rethink, I don't care to test further...

  • EU Hits Google with 3.5 Billion Antitrust


More Fine Grained Control & Enhanced Privacy

❗ NOTE: If you are happy with the functionality as is it is unnecessary to follow these steps. If you already only install the minimal apps needed on your phone (i.e. Only install what you use and trust) you can probably just go to individual Apps and block their networking that you are worried about such as Facebook and Google. Routing all of your Apps through RethinkDNS + Firewall already gives you great privacy and security benefits.

The following GrapheneOS discussion forum post, written by a RethinkDNS developer, suggests that you block network access for all apps by default and grant permanent network access only to a limited number of apps:

  • Going to Home -> Apps and right under Showing all apps click on the grayed out 🛜📶 to set a rule. This will block both 🛜 Wi-Fi and 📶 mobile data connections to all apps by default.

❗ Not every app on your phone needs network access, be thoughtful about which apps you grant access!

I would recommend removing network access from your password manager until you need it or better yet use something completely offline like KeePassDX.

I have never used Link to Windows and I Disable & Force Stop it and Link to Windows is still my most blocked App of all time by Rethink...

If you go for the default deny as suggested above, you will have to search for and grant network access to the apps that need it.


Tor

If you want to learn how Tor works, I suggest reading the following in this order:

  1. PrivacyGuides In Praise of Tor

  2. PrivacyGuides Tor Overview

  3. EFF How to: Use Tor

Tor is at risk, and needs our help. Despite its strength and history, Tor isn't safe from the same attacks oppressive regimes and misinformed legislators direct at encryption and many other privacy-enhancing technologies.--How to Support Tor


The following is a summary of some of the Tor Overview, all credit goes to them. It is important to spread the word when you can!

If you are fortunate enough to live outside of oppressive regimes with extreme censorship, using Tor for everyday, mundane activities is likely safe and won't put you on any harmful "list." Even if it did, you'd be in good company: these lists mostly contain great people working tirelessly to defend human rights and online privacy worldwide.

By using Tor regularly for ordinary browsing, you help strengthen the network, making it more robust and anonymous for everyone. This collective support makes staying private easier for activists, journalists, and anyone facing online surveillance or censorship. The writer of the PrivacyGuides article mentions using Tor when they need to access Google Maps, to protect their privacy.

So, consider embracing Tor not only for sensitive browsing but also for daily routine tasks. Every user adds valuable noise to the network, helping protect privacy and freedom for all.

Rethink's Automatic Orbot Method for a TCP Proxy

Orbot Logo

In this example, I create a TCP-only proxy with Rethink's auto method. The process is the same for HTTP proxies; they just suit different use cases.

TCP-Only Proxies forward all TCP-level connections from selected apps to Orbot.

❗ NOTE: When using the Automatic Orbot method it is not required to turn on Never proxy DNS, that is only required for a SOCKS5 proxy that routes all of your traffic through Tor rather than only the explicitly added apps.

TCP-only proxies work best for apps that use TCP for more than basic web browsing (HTTP/HTTPS), such as search apps (DDG) and the like. Because it proxies all of an app's TCP traffic, it can slow down or break apps that expect direct DNS or UDP; keep in mind that Tor itself only carries TCP streams, so UDP traffic cannot go through Orbot by any method. They work with apps like Signal too, but with limited functionality; a SOCKS5 proxy may be a better choice if you require Signal's voice or video calls.

First install Orbot, then open Orbot -> More -> Orbot Settings and turn on Power User Mode. This is important: if you forget it, Rethink's auto Orbot setup will not let you choose between TCP-only and HTTP proxies.

You should also check Allow Background Starts ON.

In Configure -> Proxy -> Setup Orbot:

  • Click Add / Remove 0 apps, search for an app that you want to run through Orbot. For simple testing I chose DuckDuckGo with a TCP-only Proxy.

  • In Home -> Apps search for Orbot and set Orbot -> Bypass Universal ON

  • The first time you start Orbot through Rethink, you'll have to click Configure -> Proxy -> Setup Orbot -> Orbot to connect, and grant the initial permissions. After Orbot starts successfully, check Rethink's Home: below the STOP button it should say Protected With Tor.

Open DuckDuckGo and go to:

https://dnsleaktest.com
# CrossCheck
https://ipcheck.net

❗ You may see that dnsleaktest.com initially shows a Tor exit relay location such as the Netherlands, yet once you complete a Standard Test it still lists WoodyNet servers. Since I configured Rethink to use DNSCrypt with Quad9, this is expected: with the auto Orbot method Rethink still resolves names with the resolver you configured (DNSCrypt to Quad9), while DuckDuckGo's TCP connections are handed to Orbot and exit through Tor, so the page sees a Tor exit and the DNS test sees Quad9. This confirms that my DNS traffic is not leaking to my ISP. As long as you don't see your actual ISP's servers in the results, your setup is working as intended.

Now you can add more apps that would benefit from anonymity such as FairEmail, RSS feeds, and crypto wallets.

Look into RSS feeds; they give you complete control of the content you consume, no algorithm involved!

This can also be useful on public Wi-Fi or other insecure networks.

  • You can also open Orbot and Choose How to Connect, if you want to hide Tor use.

  • When you're done, you can switch Setup Orbot back to None (default). If you're completely done with it you can click Add / Remove (1 app), search for the Apps you've added and de-select them.

  • Go to Home and now below Stop it should just say Protected.

  • If you live in an area where Tor use isn't discriminated against, consider Activating your Orbot Kindness tab so others that are in oppressive regimes can use your device as a bridge. This is a great way to give back!

  • A good use for this could be to switch it on and off as needed, such as when you check your online banking, want to send a private email, or browse sensitive topics. Research on the chilling effect of surveillance suggests that people who feel watched are less creative and curious.

  • When it really matters consider using Tor Browser through Tails OS or Whonix.

Setting up a SOCKS5 Proxy

If you have Orbot set up through auto mode, you'll have to disable it.

Open Orbot -> More. Near the bottom of the screen you'll see HTTP: 8118 and SOCKS: 9050; these are the port numbers. We will compare these to Rethink's defaults (they match).

Back in Rethink, Configure -> Proxy -> Setup SOCKS5 Proxy.

In the App dropdown choose Orbot.

  • Hostname: 127.0.0.1

  • Port Number: 9050

  • Leave the rest of the defaults and Hit Set

  • Go Home; below the STOP button you should see Protected With SOCKS Proxy. Now all of your device's traffic that doesn't bypass Rethink is routed through the SOCKS5 proxy.

  • Go to Configure -> DNS and turn Never proxy DNS ON.

  • Open your browser and visit https://dnsleaktest.com, your public IP should no longer be your ISPs.

  • SOCKS5 alone doesn't encrypt the traffic; it only proxies or routes it. Orbot uses SOCKS5 to let apps route traffic into the Tor network. Once inside the Tor network, the traffic is encrypted in layers.

  • There is a misconception that Orbot is a "free VPN". It’s actually part of an anonymity network designed to hide your identity by sending your traffic through multiple servers. And the SOCKS5 proxy that Orbot uses isn’t a VPN either, it simply directs certain app traffic through a proxy server without creating a full encrypted tunnel from your device like a VPN does.

  • Combining a SOCKS5 proxy with ODoH provides strong privacy, hiding both DNS query data and destination IPs from your ISP and other observers. Your ISP sees only encrypted traffic to the proxy or Tor network but cannot see your DNS queries or the website you visit.
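The SOCKS5 exchange between an app and Orbot's local proxy, as an added example (not from the page, Orbot, or Rethink). It implements the client side of the handshake from RFC 1928 and a minimal fake proxy standing in for 127.0.0.1:9050, wired together over a socketpair so it runs offline; the destination host and port are assumed for the demo. The point to notice is that the CONNECT request carries the destination hostname in the clear, which is why SOCKS5 alone routes traffic rather than encrypting it, and why sending a hostname (instead of a pre-resolved IP) lets the proxy, here Tor, do the name lookup:

```python
import socket
import struct
import threading

VER = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS = 0x00


def build_greeting():
    """Client hello: version 5, one offered method, 'no authentication'."""
    return bytes([VER, 1, NO_AUTH])


def build_connect(host, port):
    """CONNECT request using the DOMAINNAME address type. The hostname goes
    to the proxy as-is, so resolution happens on the proxy side (inside Tor
    for Orbot) and no DNS query for it leaves the client. Plain text: anyone
    between client and proxy can read the destination."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return (bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def read_reply(sock):
    """Parse the server reply; returns (reply code, bind host, bind port)."""
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != VER:
        raise ValueError(f"not a SOCKS5 reply: version {ver}")
    if atyp == ATYP_IPV4:
        host = socket.inet_ntop(socket.AF_INET, recv_exact(sock, 4))
    elif atyp == ATYP_IPV6:
        host = socket.inet_ntop(socket.AF_INET6, recv_exact(sock, 16))
    elif atyp == ATYP_DOMAIN:
        host = recv_exact(sock, recv_exact(sock, 1)[0]).decode("idna")
    else:
        raise ValueError(f"unknown address type {atyp}")
    (port,) = struct.unpack("!H", recv_exact(sock, 2))
    return rep, host, port


def socks5_connect(sock, host, port):
    """Client side of the handshake on an already connected socket."""
    sock.sendall(build_greeting())
    ver, method = recv_exact(sock, 2)
    if ver != VER or method != NO_AUTH:
        raise ConnectionError("proxy refused 'no authentication'")
    sock.sendall(build_connect(host, port))
    rep, bind_host, bind_port = read_reply(sock)
    if rep != REP_SUCCESS:
        raise ConnectionError(f"CONNECT failed, reply code {rep}")
    return bind_host, bind_port


def fake_proxy(sock):
    """Stand-in for Orbot's SOCKS port (constructed for this example): accepts
    no-auth, records the destination it was asked for, answers success.
    Only the DOMAINNAME form is handled, which is what our client sends."""
    if recv_exact(sock, 3) != build_greeting():
        raise ValueError("unexpected greeting")
    sock.sendall(bytes([VER, NO_AUTH]))
    ver, cmd, _rsv, atyp, nlen = recv_exact(sock, 5)
    if ver != VER or cmd != CMD_CONNECT or atyp != ATYP_DOMAIN:
        raise ValueError("unexpected request")
    name = recv_exact(sock, nlen)
    (port,) = struct.unpack("!H", recv_exact(sock, 2))
    seen = (name.decode("idna"), port)      # what the proxy learned, in the clear
    sock.sendall(bytes([VER, REP_SUCCESS, 0x00, ATYP_IPV4])
                 + socket.inet_aton("0.0.0.0") + struct.pack("!H", 0))
    sock.close()
    return seen


def demo(host="duckduckgo.com", port=443):
    """Drive client and fake proxy over a socketpair; returns what each side saw."""
    client, server = socket.socketpair()
    result = {}
    t = threading.Thread(target=lambda: result.update(seen=fake_proxy(server)))
    t.start()
    result["bind"] = socks5_connect(client, host, port)
    t.join()
    client.close()
    return result


if __name__ == "__main__":
    print(demo())
```

With Orbot the proxy lives on the same device, so the cleartext request never crosses a network; the layered encryption starts where Orbot hands the stream into Tor. Point the same client at a SOCKS proxy on a remote host and the destination of every connection is readable on the wire between you and that host, which is the difference between a proxy and a VPN that the bullets above describe.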

Logs

On-device logging is on by default. You can find it in Configure -> Settings. From there, you can set the log level and choose a notification action.

If anyone else uses your phone, it's probably a good idea to enable app lock.

Go to Configure -> Logs, and try to access the app that's not working. You should see said app at the top of the Network Logs, click it. In the top right of the tab, you'll see the reason why it's not working such as: App Blocked, or DNS Bypass.

This DNS Bypass means that the App in question is trying to bypass the Rethink Tunnel and being actively blocked. You can search for said app and try setting IP or Port Trust rules.

You can also go to Home -> Apps and search for the App you need, click on it and at the bottom of the screen you will see IP Logs, and Domain Logs.

Once you open the log entry for the app in question, you'll be given three drop-down options. If you set an app to Bypass DNS and Firewall, you will see that in the first drop-down.

The next drop-down is Block/trust this IP for this app, where you can set a rule to Block or Trust that IP.


Inspecting the Source Code

I cloned the rethink-app repo to inspect some of its source code.

In rethink-app/full/java/com/celzero/bravedns/scheduler/WorkScheduler.kt I can see that it purges connection and console logs every few hours to manage storage and privacy.

Resources


Encrypted Arch Linux Installation w/ Encrypted Swap

The ultimate installation resource is always going to be the:

Verifying Arch Linux ISO on Other Distributions

❗ NOTE: If you only want to verify the ISO once, you can temporarily import the public key, verify the signature, and then you don’t need to keep the key permanently in your keyring or sign it locally. This example is from the last release, but the process is the same.

For example, if you have a folder named archISO where you keep the ISO file archlinux-2025.09.01-x86_64.iso, you should also download the PGP signature file archlinux-2025.09.01-x86_64.iso.sig to the same folder.

With Sequoia-PGP's sq (a separate tool from gpg), you can fetch the Arch release signing key via WKD with:

sq network wkd search pierre@archlinux.org --output release-key.pgp

Export the chosen key to a .pgp file:

sq cert export --keyring=release-key.pgp --cert=3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C > pierre-archlinux.pgp

Import into your keychain:

gpg --import pierre-archlinux.pgp
gpg: key 0x76A5EF9054449A5C: 9 signatures not checked due to missing keys
gpg: key 0x76A5EF9054449A5C: public key "Pierre Schmitz <pierre@archlinux.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2026-08-23
  • Now <pierre@archlinux.org> and the key should appear when you run gpg --list-keys

Finally, verify the signature:

sq verify --signer-file release-key.pgp --signature-file archlinux-2025.08.01-x86_64.iso.sig archlinux-2025.08.01-x86_64.iso
Authenticated signature made by 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C (Pierre Schmitz <pierre@archlinux.org>)

1 authenticated signature.

❗ To ensure the key is authentic and not spoofed, verify that the key fingerprint matches the official Arch Linux signing key fingerprint, which is linked below and published on the Arch website. Anyone can generate a key carrying the name and e-mail address of Pierre Schmitz and publish it; the fingerprint is what ties this key to the project.

The output shows that the signature was made by the key with fingerprint 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C (Pierre Schmitz).

You can print the key's fingerprint from the GnuPG keyring with:

gpg --fingerprint 3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C

Compare it against the Arch Linux master keys page.

With the sq verify command, Sequoia authenticated the signature against the certificate passed in --signer-file; it does not consult GnuPG's keyring or trust database, so the gpg --import step above only matters for the key-signing steps later, and the fingerprint comparison is what establishes that the intended key was used.

1 authenticated signature confirms the file's integrity and authenticity.

We have successfully verified that the file was signed by Pierre's official Arch Linux key and has not been tampered with.
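If you script the check with GnuPG instead of sq, note that gpg --verify exits 0 for a good signature from any key in your keyring, so a script that only tests the exit status would accept an ISO signed by an impostor key you happened to import. The following is an added example, not part of the book or of Arch's tooling: it parses GnuPG's machine-readable --status-fd output and accepts only a VALIDSIG line carrying the pinned Arch release fingerprint. It assumes gpg is installed and the key from the import step is in the keyring; the status lines used in the self-test are constructed.

```shell
#!/bin/sh
# Added example, not from the book: verify an Arch ISO with GnuPG while
# pinning the signer's fingerprint. Assumes gpg is installed and the key
# imported in the steps above is in the keyring.

ARCH_RELEASE_FPR=3E80CA1A8B89F69CBA57D98A76A5EF9054449A5C

# check_validsig STATUS_FILE EXPECTED_FPR
# Reads gpg --status-fd output. Succeeds only if a VALIDSIG line names the
# expected fingerprint (as the signing key, or as the primary key when a
# subkey signed) and no BADSIG/ERRSIG/EXPSIG/EXPKEYSIG/REVKEYSIG line is present.
check_validsig() {
    if grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) ' "$1"; then
        echo "signature bad, expired, or made by a revoked key" >&2
        return 1
    fi
    awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { if (ok) exit 0; exit 1 }' "$1"
}

# verify_iso ISO SIG: run gpg, capture the status lines on fd 3, check them.
verify_iso() {
    status=$(mktemp) || return 1
    gpg --batch --status-fd 3 --verify "$2" "$1" 3>"$status" >/dev/null 2>&1
    if check_validsig "$status" "$ARCH_RELEASE_FPR"; then
        echo "OK: $1 signed by $ARCH_RELEASE_FPR"; rc=0
    else
        echo "FAIL: $1 not signed by the pinned Arch release key" >&2; rc=1
    fi
    rm -f "$status"
    return $rc
}
```

Usage: verify_iso archlinux-2025.09.01-x86_64.iso archlinux-2025.09.01-x86_64.iso.sig. The fingerprint is pinned in the script on purpose: updating it is a deliberate, reviewable change, unlike whatever happens to be in the keyring at the time.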

The following applies only if you already have your own key pair in your GnuPG keyring, since certifying someone else's key requires your private key.

☑️ Click to expand Key Signing and Publishing Example

List your keys to get the arch keyID:

gpg --list-keys
# ... snip ...
pub   ed25519/0x76A5EF9054449A5C 2022-10-31 [SC] [expires: 2037-10-27]
      Key fingerprint = 3E80 CA1A 8B89 F69C BA57  D98A 76A5 EF90 5444 9A5C
uid                   [  full  ] Pierre Schmitz <pierre@archlinux.org>
uid                   [  full  ] Pierre Schmitz <pierre@archlinux.de>
sub   ed25519/0xD6D13C45BFCFBAFD 2022-10-31 [A] [expires: 2037-10-27]
sub   cv25519/0x7F56ADE50CA3D899 2022-10-31 [E] [expires: 2037-10-27]

Sign the key:

gpg --sign-key 0x76A5EF9054449A5C

Now you can export and publish the newly signed public key and send it to a keyserver:

gpg --export --armor 0x76A5EF9054449A5C > archlinux-signed.asc
gpg --send-keys 0x76A5EF9054449A5C

The more people who verify, sign, and republish keys, the stronger the web of trust that GnuPG uses. Two caveats: keys.openpgp.org does not distribute third-party certifications, so a signature sent there helps nobody else; and GnuPG since 2.2.17 imports keys from keyservers with self-sigs-only by default, so other users only see your certification if they change that option. If you only want GnuPG on your own machine to treat the key as verified, a local signature with gpg --lsign-key does that without publishing anything.

  1. Connect to Wi-Fi:
iwctl
[iwd]# device list
[iwd]# station wlan0 scan
[iwd]# station wlan0 connect NETGEAR80
# Enter your Password
# Check Connection
[iwd]# station wlan0 show
[iwd]# exit
ping -c 3 archlinux.org

  1. Update package databases and mirrorlist:
pacman -Sy

Save a backup of your current mirrorlist so we can safely update it:

cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.bak
pacman -S reflector
reflector --list-countries
# Example if you live in the US
reflector -c US -p https --age 6 --fastest 5 --sort rate --save /etc/pacman.d/mirrorlist

  1. Set system clock:
timedatectl set-ntp true

  1. Partition your Disk:
  • Identify your target disk (eg. /dev/mmcblk0):
lsblk

❗ If you already have an EFI partition you do not have to create another one and doing so can cause issues. First check with fdisk -l, before creating a new one.

Check your partitions:

fdisk -l | less
Device            Size           Type
/dev/mmcblk0p1     1G            EFI System
/dev/mmcblk0p2     57.2G         Linux root (x86-64)

Since I already have an EFI partition, I can just mount it. Do this only after the encrypted root has been opened and mounted at /mnt (the next steps): if /mnt/boot is mounted first and the root is then mounted over /mnt, the boot mount is hidden and genfstab will not see it.

mkdir -p /mnt/boot
mount /dev/mmcblk0p1 /mnt/boot

If you don't already have an EFI partition, create one here:

  1. Use fdisk, parted, or cfdisk to create partitions.
cfdisk /dev/mmcblk0
  • cfdisk(8) man page

  • 1G EFI partition: select Type and set it to EFI System. (The Bootable toggle and the primary/extended distinction exist only for MBR/DOS partition tables; on the GPT layout a UEFI install uses, the partition type is what the firmware looks at.)

  • The rest of the disk as /dev/mmcblk0p2 with type Linux filesystem (or Linux root (x86-64), as in the fdisk -l output above); it will be encrypted and formatted as Btrfs in the next steps.


  1. Format the EFI partition as FAT32:
mkfs.fat -F32 /dev/mmcblk0p1
  • Leave the root partition unformatted for the encryption step next.

❗ The EFI partition stays unencrypted, so the kernel, initramfs and GRUB on it can be read and modified by anyone with physical access. LUKS on the root protects data at rest; it does not authenticate the boot chain.

  1. Encrypt the Root Partition and Open it:
cryptsetup luksFormat /dev/mmcblk0p2
cryptsetup open /dev/mmcblk0p2 cryptroot

Create a Btrfs Filesystem

mkfs.btrfs /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt
  • Compression is a mount option, not a mkfs setting; later we enable it by mounting with compress=zstd in fstab

  1. Encrypted Swap
cfdisk /dev/mmcblk0
  • Select New -> Enter size (2x your RAM size) -> Set type to Linux swap

  • Select Write -> Type yes -> Select Quit

Verify the new partition (e.g., /dev/mmcblk0p3):

lsblk

Encrypt the swap partition with LUKS:

cryptsetup luksFormat /dev/mmcblk0p3
cryptsetup open /dev/mmcblk0p3 cryptswap

Format the decrypted swap partition:

mkswap /dev/mapper/cryptswap

Enable the swap:

swapon /dev/mapper/cryptswap

Add the swap to /mnt/etc/fstab. Note that /mnt/etc only exists once pacstrap has populated the root, so create it first (or do this after pacstrap). genfstab also picks up the active swap on its own, so if you add the line by hand here, drop the duplicate when you review fstab later:

mkdir -p /mnt/etc
echo '/dev/mapper/cryptswap none swap defaults 0 0' >> /mnt/etc/fstab

Add the swap partition to the LUKS configuration so systemd unlocks it on boot (with a passphrase rather than a keyfile you will be prompted a second time, after the root prompt):

echo 'cryptswap /dev/mmcblk0p3 none luks' >> /mnt/etc/crypttab

❗ Later, after arch-chroot, ensure the mkinitcpio.conf HOOKS include resume (after encrypt) if you plan on using hibernation, and add resume=/dev/mapper/cryptswap to the kernel command line. Be aware that crypttab is processed only after the initramfs hands over to the real root, which is too late for resume, and the busybox encrypt hook unlocks only the single device named in cryptdevice=. Resuming from this separately encrypted swap therefore also needs the sd-encrypt hook with an rd.luks.name= entry for both containers, or a swap file on the already-unlocked root instead of a separate partition. The HOOKS edit itself is shown in the initramfs step.

Continue with Arch Installation

Install the Base System and Essential Packages on /mnt with pacstrap

pacstrap -K /mnt base linux-zen linux-zen-headers linux-firmware networkmanager helix grub lightdm lightdm-gtk-greeter btrfs-progs cryptsetup sudo base-devel
  • Ensure /mnt/boot (EFI) is mounted as above. With mount | grep /mnt/boot
    • To list all mounts under /mnt: findmnt /mnt

    • I had to remount /mnt/boot in order for the fstab to pick it up with: mount /dev/mmcblk0p1 /mnt/boot.


  1. Generate the Filesystem Table:
genfstab -U /mnt >> /mnt/etc/fstab
#
cat /mnt/etc/fstab
# Add compression
vim /mnt/etc/fstab
  • Important: It should list the root filesystem (genfstab -U writes it as UUID=… with a # /dev/mapper/cryptroot comment line above it) mounted on / with Btrfs options, and the EFI partition /dev/mmcblk0p1 (also as UUID=…) on /boot. If the fstab doesn't show both, mount the missing partition and regenerate it; since genfstab appends, clear the old fstab first if you run it again. Also check that the cryptswap line added earlier does not now appear twice.

  1. Add compression, Only for the Encrypted Partition:
# fstab
/dev/mapper/cryptroot    /    btrfs    rw,relatime,compress=zstd,ssd, #...snip
#...snip...

Remount root with compression without rebooting:

mount -o remount,compress=zstd /mnt

  1. Change Root into the New Installation
arch-chroot /mnt

Create a user:

useradd -m -G wheel -s /bin/bash yourusername
passwd yourusername

Enable sudo for wheel group:

EDITOR=vim visudo

If that fails with an editor error, it is because vim is not in the pacstrap list above (helix is): use EDITOR=hx visudo or install vim with pacman -S vim. Editing /etc/sudoers directly skips visudo's syntax check, and a syntax error there locks everyone out of sudo, so prefer visudo.

Uncomment the line:

%wheel ALL=(ALL:ALL) ALL

  1. Edit /etc/mkinitcpio.conf in your new system to add the encrypt hook before filesystems
  • Locate the HOOKS line

  • Insert encrypt before filesystems

vim /etc/mkinitcpio.conf

❗ NOTE how I also added resume after encrypt; that's for if you want to set up hibernation.

# mkinitcpio.conf
# ... snip ...
HOOKS=(base udev autodetect microcode modconf kms keyboard keymap consolefont block encrypt resume filesystems fsck)
  • Every hook name must match an install script under /usr/lib/initcpio/install; a misspelling such as consolfont makes mkinitcpio abort with an error that the hook cannot be found.
# ... snip ...

  1. Regenerate initramfs with:
mkinitcpio -p linux-zen
# Should end with
==> Image generation successful

  1. Install Grub and EFI boot manager, (while still in chroot environment):
pacman -S grub efibootmgr

Install GRUB for UEFI Systems:

grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
# Should output
Installation finished. No error reported.

Configure the kernel command line so the initramfs unlocks the LUKS root partition

  • GRUB itself does not open the container here (it lives on the unencrypted EFI partition); it passes these parameters to the kernel, and the encrypt hook in the initramfs prompts for the passphrase and maps the device to /dev/mapper/cryptroot. Edit /etc/default/grub and modify the line starting with GRUB_CMDLINE_LINUX to add:
# ...snip...
GRUB_CMDLINE_LINUX="cryptdevice=/dev/mmcblk0p2:cryptroot root=/dev/mapper/cryptroot"
# ...snip...
  • Device names like /dev/mmcblk0p2 can change when storage is added; the UUID form cryptdevice=UUID=<uuid of the LUKS partition>:cryptroot (look it up with blkid) is stable. If you use the resume hook, append resume=/dev/mapper/cryptswap here as well.

Generate GRUB configuration:

grub-mkconfig -o /boot/grub/grub.cfg
# Should output
Adding boot menu entry for UEFI Firmware Settings ...
done
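Before leaving the chroot it is worth checking the three files edited above by script rather than by eye. The following is an added example, not from the book or from Arch's tooling: it checks that the HOOKS line places encrypt before filesystems (and resume after encrypt), that every hook name has an install script under /usr/lib/initcpio/install (so a typo like consolfont is caught before mkinitcpio runs), that GRUB_CMDLINE_LINUX carries cryptdevice=…:cryptroot and root=/dev/mapper/cryptroot plus resume= whenever the resume hook is present, and that fstab has the Btrfs root with compress=zstd, a /boot entry, and exactly one swap entry. The file paths and the HOOKS_INSTALL_DIR override are parameters of this script, not something the book or mkinitcpio defines; the config contents used in the self-test are constructed.

```shell
#!/bin/sh
# Added example (not from the book): pre-reboot sanity check for
# /etc/mkinitcpio.conf, /etc/default/grub and /etc/fstab, run inside the
# arch-chroot. Paths are arguments so copies of the files can be checked too.

# hook_order CONF NAME: print the 1-based position of NAME in HOOKS=(...), 0 if absent
hook_order() {
    sed -n 's/^HOOKS=(\(.*\)).*/\1/p' "$1" | awk -v want="$2" '
        { for (i = 1; i <= NF; i++) if ($i == want) { print i; found = 1; exit } }
        END { if (!found) print 0 }'
}

# check_hooks CONF: encrypt before filesystems, resume (if used) after encrypt,
# and every hook must have an install script (directory overridable for tests).
check_hooks() {
    conf=$1
    dir=${HOOKS_INSTALL_DIR:-/usr/lib/initcpio/install}
    enc=$(hook_order "$conf" encrypt)
    fs=$(hook_order "$conf" filesystems)
    res=$(hook_order "$conf" resume)
    [ "$fs" -gt 0 ] || { echo "HOOKS: filesystems hook missing"; return 1; }
    [ "$enc" -gt 0 ] && [ "$enc" -lt "$fs" ] ||
        { echo "HOOKS: encrypt must be present and before filesystems"; return 1; }
    [ "$res" -eq 0 ] || [ "$res" -gt "$enc" ] ||
        { echo "HOOKS: resume must come after encrypt"; return 1; }
    if [ -d "$dir" ]; then
        for h in $(sed -n 's/^HOOKS=(\(.*\)).*/\1/p' "$conf"); do
            [ -e "$dir/$h" ] || [ -e "/etc/initcpio/install/$h" ] ||
                { echo "HOOKS: no install script for '$h' (typo?)"; return 1; }
        done
    fi
}

# check_cmdline GRUB_DEFAULT CONF: the kernel line must map the LUKS container
# to cryptroot and use it as root; a resume hook additionally needs resume=.
check_cmdline() {
    line=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)".*/\1/p' "$1")
    case " $line " in
        *" cryptdevice="*":cryptroot"[": "]*) ;;
        *) echo "GRUB_CMDLINE_LINUX: missing cryptdevice=<dev>:cryptroot"; return 1 ;;
    esac
    case " $line " in
        *" root=/dev/mapper/cryptroot "*) ;;
        *) echo "GRUB_CMDLINE_LINUX: missing root=/dev/mapper/cryptroot"; return 1 ;;
    esac
    if [ "$(hook_order "$2" resume)" -gt 0 ]; then
        case " $line " in
            *" resume="*) ;;
            *) echo "GRUB_CMDLINE_LINUX: resume hook set but no resume= parameter"; return 1 ;;
        esac
    fi
}

# check_fstab FSTAB: Btrfs root with compression on /, a /boot entry, and
# exactly one swap line (genfstab appends the active swap, so a manual echo
# before it leaves a duplicate behind).
check_fstab() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }
        $2 == "/" && $3 == "btrfs" && $4 ~ /compress=zstd/ &&
            $1 ~ /^(\/dev\/mapper\/cryptroot|UUID=)/ { root = 1 }
        $2 == "/boot" { boot = 1 }
        $3 == "swap" { swap++ }
        END {
            if (!root) { print "fstab: / is not a Btrfs root with compress=zstd"; bad = 1 }
            if (!boot) { print "fstab: no /boot entry (was the EFI partition mounted before genfstab?)"; bad = 1 }
            if (swap != 1) { print "fstab: expected exactly one swap entry, found " (swap + 0); bad = 1 }
            exit bad ? 1 : 0
        }' "$1"
}

# preflight MKINITCPIO_CONF GRUB_DEFAULT FSTAB: run every check and report all failures
preflight() {
    rc=0
    check_hooks "$1" || rc=1
    check_cmdline "$2" "$1" || rc=1
    check_fstab "$3" || rc=1
    [ $rc -eq 0 ] && echo "preflight: OK"
    return $rc
}
```

Inside the chroot run preflight /etc/mkinitcpio.conf /etc/default/grub /etc/fstab; a non-zero exit means fix the reported file and rerun mkinitcpio -p linux-zen or grub-mkconfig as appropriate before rebooting.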

  1. Enable LightDM and NetworkManager
systemctl enable lightdm
systemctl enable NetworkManager

Configure LightDM greeter:

  • Edit /etc/lightdm/lightdm.conf to add:
# lightdm.conf
[Seat:*]
greeter-session=lightdm-gtk-greeter

Exit arch-chroot with exit.

Unmount your partitions, turn off the swap, and close both LUKS containers before rebooting:

umount /mnt/boot
umount /mnt
swapoff /dev/mapper/cryptswap
cryptsetup close cryptswap
cryptsetup close cryptroot

  1. Reboot

arch-chroot

✔️ Click to Expand `arch-chroot` Example

Say you forgot something, like adding a user and password. You reboot, go to a TTY on your system, and are hit with an AHHH I can't log in WTF!

It's as easy as repeating some of the steps above. Reboot into the Live environment (like we just did for the install), remount your partitions and arch-chroot back in:

Open the encrypted root partition:

cryptsetup open /dev/mmcblk0p2 cryptroot

Mount the decrypted root:

mount /dev/mapper/cryptroot /mnt

Mount the EFI partition:

mount /dev/mmcblk0p1 /mnt/boot

Chroot into your installed system:

arch-chroot /mnt
useradd -m -G wheel -s /bin/bash yourusername
passwd yourusername
  • The -s /bin/bash sets your default shell, you can use zsh if you have it installed.

Uncomment the line %wheel ALL=(ALL:ALL) ALL in /etc/sudoers, using visudo so a syntax error cannot lock you out of sudo.

Exit chroot:

exit

Unmount and close LUKS:

umount /mnt/boot
umount /mnt
cryptsetup close cryptroot
reboot

Resources