Apps like messenger cannot access the internet unless excluded? #465
Replies: 14 comments
-
Well, there's a lot of nuance to unpack here, but it is an assumption that those apps may not be happy with socksifiers like the RethinkDNS app.
I thought this information is too much for any one user to be included in the app. Maybe we should FAQ this, or put it up in our docs page (which is already linked from the app from the About page).
Facebook Messenger? Ah, don't use it so never knew it breaks this spectacularly. What do you see in (firewall) Network Logs when Messenger doesn't work? Do you see the firewall blocking any connections from other apps or endpoints?
Yep, we need to handle LAN and discovery (IoT) better (rather than require users enable bypass / exclude apps that break). That's pending (#26), but likely we take that up only after we implement other important features / issues that don't even have a workaround today (for ex: #52).
You sure that LAN traffic isn't forwarded to the VPN by Android?
AfWall+ is always going to be more leak proof than RethinkDNS (given it uses
Sure, do you know how to code? ;) Otherwise, let's see when we get to tackle these problems. The Messenger one is a "troubling" bug to say the least.
-
I just noticed that messenger had said blocked "dns bypassed"; Block connections that bypass dns was turned on at the time. Though because messenger was added to the whitelist, when testing it said it would bypass firewall rules, so I thought it would bypass that option, as it's under firewall configuration settings. So it appears messenger will work if dns is allowed to be bypassed, though to prevent other apps bypassing it, maybe add an exclusion list for specific apps to be allowed to bypass?
It is, as rethinkdns seems to have that ability integrated, but android itself seems to block lan when in lockdown mode. For e.g. my VPN I occasionally use (ProtonVPN) has an option in its settings to "Allow lan connections"; if enabled, I can connect to things like chromecast, a computer's FTP server on lan or a printer while still connected to the vpn, but as soon as I enable "Block connections without vpn" in system settings, lan connections refuse to work. It seems like it scans for devices ok, but during connection to it, like screen casting (mirroring android display) to chromecast, it will initialize it on chromecast, as if it at least knows how to communicate, but then drops the connection with an error, without displaying anything, as if no data can be sent to it.
Rethinkdns is better at being leak proof during boot, which is excellent. E.g. AfWall+ will take roughly 15 seconds after device boot (or should I say after first device unlock, after decryption), so within those 15 seconds apps can connect as if no firewall is active. Rethinkdns appears and connects successfully within 1 second, literally. I know about the other leaks regarding ICMP that's not yet implemented, but I'm not at all familiar with it as I'm only used to UDP and TCP. A basic firewall should be an already built-in and configurable feature of android since marshmallow, when users were required to give permission access manually, rather than requiring root or workarounds like vpn based solutions, but at least we're able to get it to work for the most part.
-
Yes, Messenger should have been allowed past 'Block connections when DNS is bypassed' firewall rule if whitelisted. I am not able to reproduce this scenario with other apps. For ex, WhatsApp, Instagram, Telegram bypass DNS routinely, and when whitelisted, they have no connections firewalled because of it.
Whitelisting Messenger should have worked... I don't know why it didn't in your case. Can you recheck if this still happens?
Could be the way ProtonVPN implemented this feature breaks LAN connections in VPN lockdown mode (that is, 'Block connections without VPN' mode). I am going to take a stab at it one of these months to make mDNS/Bonjour/LAN work. Let's see how that goes. Yet to find a phone with Messenger installed and signed-in to debug this. I'll come back to this thread when I've had a chance.
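The maintainer's point above is about rule precedence: a whitelisted app is meant to pass the universal 'Block connections when DNS is bypassed' rule, while an app disabled in the firewall stays blocked. The following is an added illustration of that precedence, not RethinkDNS's own code. It models a connection as (app, destination IP, port, protocol) and treats any DNS-port traffic (53, and 853 for DNS over TLS, an assumption about what counts as "bypassing DNS") that is not aimed at the tunnel's own resolver as a bypass. The resolver address, app names and connection records are constructed sample values.

```python
from dataclasses import dataclass

# Ports treated as DNS for the bypass check (assumption: plain DNS and DoT).
DNS_PORTS = {53, 853}


@dataclass(frozen=True)
class Conn:
    """One outbound connection attempt as a firewall would see it."""
    app: str
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Policy:
    """A minimal model of the per-app and universal firewall settings."""
    vpn_resolvers: frozenset  # resolvers the tunnel itself answers DNS from
    whitelist: frozenset      # apps allowed past the universal rules
    blocked_apps: frozenset   # apps disabled in the firewall's app list
    block_dns_bypass: bool    # the 'Block connections when DNS is bypassed' toggle


def is_dns_bypass(c: Conn, policy: Policy) -> bool:
    """DNS sent anywhere other than the tunnel's own resolver bypasses it."""
    return c.dst_port in DNS_PORTS and c.dst_ip not in policy.vpn_resolvers


def decide(c: Conn, policy: Policy) -> tuple:
    """Return (verdict, reason); verdict is 'allow' or 'block'.

    Precedence: an explicitly blocked app loses first, a whitelisted app
    wins next, and only then do universal rules such as DNS bypass apply.
    """
    if c.app in policy.blocked_apps:
        return "block", "app blocked"
    if c.app in policy.whitelist:
        return "allow", "whitelisted"
    if policy.block_dns_bypass and is_dns_bypass(c, policy):
        return "block", "dns bypassed"
    return "allow", "default"


def evaluate(conns, policy: Policy) -> list:
    """Evaluate a batch and return network-log style tuples."""
    return [(c.app, c.dst_ip, c.dst_port) + decide(c, policy) for c in conns]


# Constructed policy: the tunnel answers DNS at 10.111.222.3 (sample address).
SAMPLE_POLICY = Policy(
    vpn_resolvers=frozenset({"10.111.222.3"}),
    whitelist=frozenset({"com.facebook.orca"}),
    blocked_apps=frozenset({"com.example.blocked"}),
    block_dns_bypass=True,
)

# Constructed connection attempts, not captured from a real device.
SAMPLE_CONNS = [
    Conn("com.facebook.orca", "8.8.8.8", 53, "udp"),      # whitelisted, DNS bypass
    Conn("com.whatsapp", "8.8.8.8", 53, "udp"),           # not whitelisted, DNS bypass
    Conn("com.whatsapp", "10.111.222.3", 53, "udp"),      # DNS via the tunnel resolver
    Conn("com.whatsapp", "157.240.0.1", 443, "tcp"),      # ordinary HTTPS
    Conn("com.example.blocked", "157.240.0.1", 443, "tcp"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_CONNS, SAMPLE_POLICY):
        print(row)
```

Run as-is it prints one log-style row per connection; the whitelisted app's DNS bypass is allowed with reason "whitelisted", while the same bypass from a non-whitelisted app is blocked with reason "dns bypassed", which is the behaviour the thread expects and the reporter did not see for Messenger.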
-
While debugging this more since my last reply, it appears as if sometimes messenger connects without the dns bypass option enabled and other times only if it's excluded. When messenger is whitelisted but not excluded, the network logs will mention it was allowed, stating it's whitelisted; if taken out of the whitelist, some connections are blocked saying the rule is DNS bypassed. It just appears buggy when it comes to messenger. I'm hoping to get rid of messenger soon anyway over privacy concerns.
All my vpn based apps such as ProtonVPN and ivpn have this option in app. Invizble Pro, which isn't actually a vpn but uses its functionality similar to rethinkdns, has the option as well. I know from experience that lockdown mode rejects any lan communication unless the app forwards it through the vpn, as per the option in app I was referring to.
-
Many thanks for reporting back.
So I found someone with Messenger installed on their Android to test. Messenger worked fine on their device regardless of Firewall rules I set. If I were to guess, in your case, some DNS blocklist is nerfing Messenger. You can search for which blocklists block facebook related domains on The Android I tested Messenger on, had these 20 blocklists: Can you please test if it is DNS blocking that's causing Messenger this connectivity pain?
There might be a way to split-tunnel without compromising on 'Block connections without VPN' setup. I see some clues for it in the tailscale codebase. Let's see if it works when we do get to implementing it.
-
You do appear to be correct. What I did during my testing was remove messenger from the exclude list, disable the on-device blocklist (and adaway, which I use until I figure out if rethinkdns is a suitable replacement), and I connect no problem. I then enabled the on-device blocklist, and when loading some message threads, that's when messenger threw the failed connection error; under dns logs graph.facebook.com was blocked by 2 blocklists. web.facebook.com was blocked during the sending of a message, which I found strange as using the same list in adaway (energizer xtreme extension) it wasn't blocked. With the rethinkdns blocklist disabled and adaway enabled with the same blocklist, certain message threads failed to load as graph.facebook.com was blocked, but sending messages succeeded through the web.facebook.com url. Allowing an exception for graph.facebook.com in the allow list, messenger then worked entirely. One thing seems to confuse me: web.facebook.com seems to be blocked by energizer xtreme extension in rethinkdns, but not by adaway using the same list.
-
I see that I spoke incorrectly about how this lockdown seems to function, but when in lockdown there appears no way for even an app to allow lan or anything to do with it unless disabled. As an e.g., regardless of which app I have set as always on with Block connections without vpn, the system feature Screen Cast will detect a lan device such as chromecast, but when selecting it, it takes a minute to load and will say that the connection failed. As soon as I disable "Block connections without a vpn", the connection will succeed. Again, this screen cast I'm referring to is a system feature, not a 3rd party app. The "Allow lan" option of the app I'm talking about can either allow or not allow lan connections when the vpn is connected, but in either case can't be in lockdown mode. Do you know of any way I could maybe gather system level logs of this, to have more like physical proof android itself is rejecting lan connections?
-
Are you sure it was Energized? rethinkdns.com/search right now points to CPBL. The logs on RethinkDNS app would show the blocklists that block Also, can you share the on-device and/or RethinkDNS+ blocklists stamp (the URL) so we may debug if there's a bug in the code that's doing the blocking? You should see a
I'm not on my pc to test this, but output from
Should capture what's going on when you start the VPN with
-
Not sure, but when web.facebook.com was displayed as blocked under the dns logs of rethinkdns, I selected it and saw a tab on the right side showing privacy; when clicking it, it displayed a msg saying that the Energized Extreme Extension was the blocklist blocking its url, I don't remember it word by word though. As of now, I reduced the # of blocklists used to the same ones I had set in AdAway (AdAway official host, Energized Unified, Energized Xtreme Extension, GoodbyeAds & Peter Lowe); so far everything seems fine with messenger other than occasional older msg threads that fail to connect, but I do know that is caused because graph.facebook.com is blocked by the GoodbyeAds host, which I refuse to unblock for privacy reasons. That url though isn't needed for most things in messenger.
https://basic.rethinkdns.com/1:0AIABAAhQAAQAA==
adb logcat | grep -iE "(netd|connect)" should capture what's going on when you start the VPN with Block connections without VPN. I will try and test this when I can get on my computer sometime this week. I can send them to you as well if you believe they may help.
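The two reports above (graph.facebook.com blocked by two lists, and web.facebook.com blocked by one tool but not by another when fed the same list) are the kind of thing that is easiest to pin down by checking the domain against the raw hosts-format lists yourself. The script below is an added example and not code from the RethinkDNS project or AdAway: it parses hosts-format blocklists, then looks a domain up under two matching policies, exact hostname only and parent-domain (so an entry for facebook.com also covers its subdomains). Which policy a given blocker applies is not stated in this thread, so the example only shows how the two policies diverge; the list contents are constructed sample entries, not the real Energized, GoodbyeAds or Peter Lowe lists.

```python
"""Check a domain against hosts-format blocklists under two matching policies."""

# Constructed sample lists in the usual "0.0.0.0 host" hosts-file layout.
# Hypothetical contents only; they do not reproduce any real blocklist.
SAMPLE_LISTS = {
    "list-a": """
# comment line
0.0.0.0 graph.facebook.com
0.0.0.0 ads.example.net
""",
    "list-b": """
127.0.0.1 facebook.com
0.0.0.0 tracker.example.org
""",
    "list-c": """
0.0.0.0 web.facebook.com   # inline comment
0.0.0.0 Static.Example.Com.
""",
}


def parse_hosts(text: str) -> set:
    """Return the set of blocked hostnames from hosts-format text.

    Handles full-line and inline comments, blank lines, several hostnames
    after one sink address, and normalises case and a trailing dot.
    """
    hosts = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # a bare address with no hostname blocks nothing
        for host in parts[1:]:  # first field is the sink address
            hosts.add(host.lower().rstrip("."))
    return hosts


def parents(domain: str):
    """Yield the domain and each of its parents: a.b.c -> a.b.c, b.c, c."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def lookup(domain: str, lists: dict, subdomain_match: bool) -> list:
    """Return the names of the lists that block `domain`.

    With subdomain_match False only an exact hostname entry counts; with
    True an entry for any parent domain also blocks the subdomain.
    """
    if subdomain_match:
        candidates = list(parents(domain))
    else:
        candidates = [domain.lower().rstrip(".")]
    return [name for name, hosts in lists.items()
            if any(c in hosts for c in candidates)]


def load_lists(raw: dict) -> dict:
    """Parse every list once so repeated lookups are cheap."""
    return {name: parse_hosts(text) for name, text in raw.items()}


if __name__ == "__main__":
    parsed = load_lists(SAMPLE_LISTS)
    for d in ("graph.facebook.com", "web.facebook.com", "m.facebook.com"):
        print(d, "exact:", lookup(d, parsed, False),
              "parent-domain:", lookup(d, parsed, True))
```

To apply it to the lists named in the thread, replace SAMPLE_LISTS with the downloaded files' contents; a domain that shows up under parent-domain matching but not under exact matching is a likely explanation when two blockers disagree about the same list.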
-
Sure, if you're comfortable sharing those over email. You mentioned ProtonVPN, so I expect to test it myself, too.
-
By this do you mean that you have protonvpn that you will be testing yourself, or expecting me to test it with protonvpn, over the other vpn apps?
-
Sorry, I should have been clearer. I'll do
-
I had just sent you the e-mail containing the logs. It comes from a temporary e-mail address of mine (which forwards to my real one): [email protected]
-
I looked at the logs you sent, but unfortunately, there are not many clues in there to explain what you're seeing. RethinkDNS is due a major network-engine overhaul in the next few months. Let's see if the current variant of the issue you're seeing persists post that release. For now though, closing this issue as the original reported bug has been resolved, and moving this thread to a discussion instead.
-
Hello,
I've seen the note under the option for Allow bypass, which seems to mention apps like whatsapp will need it to function properly, but what it fails to explain is why?
Messenger will connect fine if under dns battery save mode only, will fail in firewall or dns+firewall mode. It will still fail if whitelisted under firewall mode. It will only connect if excluded. Sometimes it connects when allow bypass is on, sometimes it doesn't.
So it seems to be some part of the firewall that's blocking messenger. Even if all options under universal are disabled, and messenger is disabled in the firewall's app list, it will still fail to connect, which is confusing.
As I am using the afwall+ donate version at the moment still, afwall will only block apps that I select, which is what rethinkdns should do, not blocking apps that I don't want blocked; currently it seems to only be an issue with messenger.
There are 2 other apps I need excluded as well, but it's because of their LAN functionality, which is syncthing and vlc. Syncthing I have configured to route only on lan, never to the internet, and vlc is only used for devices like chromecast, but when excluding them it bypasses not just the firewall but also dns, and in the case of syncthing, if I did decide to re-configure syncthing to sync with devices over the internet, dns queries wouldn't be encrypted then. Those lan based apps, I am fine having them bypass just the firewall though, as it's needed. Whitelisting them doesn't work.
Also, I prefer to have always on vpn and Block connections without vpn enabled to prevent data leaks, and as the app will mention, exclude apps and Allow bypass don't work in lockdown mode.
I know that to communicate with lan, lockdown mode needs to be off anyway though, an android limitation, but that's my concern as to adding to the exclude list.
So far, I can replace AdAway and the private dns function with rethinkdns, and am working on replacing afwall with it, for a vpn based method to avoid iptables.
Anyway to address this?
Thank you :)