Looking for some clarifications about how Rethink works. What settings must be enabled for Rethink to hide network traffic?

[Opening-Button-8988]

I recently made an issue #2567, but I realized I hadn't selected any apps to route in my wireguard proxy settings, under Proxy > <connection> > Add/Remove. I must have missed this cause there's another setting (Apps) where you can add or remove apps, but I suppose that is proxy-independent.

I'm wondering what conditions must be met for Rethink to hide (encrypt) network traffic, including domains? Though I wasn't routing any apps through wireguard, I did set my DNS to DoH, and ODoH. Shouldn't DoH encrypt my DNS traffic regardless of whether Wireguard is on or routing any apps?

Is it preferable to use System DNS when using Wireguard? Are there reasons to use DoH or something else instead?

Is it possible to encrypt traffic without a proxy (wireguard or Tor)?

Is this correct: When I have RethinkDNS selected under DNS (whether it's RDNS Default, Privacy, etc) serves 2 purposes, it resolves DNS (this is done locally on my device?) has a predefined block list independent of on-device block lists, which work simultaneously.

Also, auto-start on power up does not work. Rethink starts but is disabled by default on boot. How do I make sure Rethink starts and automatically enables on boot? I'm using GrapheneOS.

Thank you.

[Onxr]

Are you using Simple or Advance method for Wireguard Proxy ?

Shouldn't DoH encrypt my DNS traffic regardless of whether Wireguard is on or routing any apps?

AFAIK DoH & DoT already does that.

Is it possible to encrypt traffic without a proxy (wireguard or Tor)?

If I'm not wrong HTTPs already encrypts. You can toggle on Block port 80 from Universal Firewall Rules. But I'm not sure about other protocols. Maybe you can use the secure version I guess. For example I use FTP to access my phone storage but there's sFTP.

Also, auto-start on power up does not work.

I can relate. Only a few times I've seen it working but most of the time after a reboot it doesn't start. I mean only the app starts but not proxy and other stuffs. Right now I just toggle from the notification panel.
I do get a notification that Rethink isn't active or something.

[Opening-Button-8988]

Are you using Simple or Advance method for Wireguard Proxy ?

Advanced

AFAIK DoH & DoT already does that.
If I'm not wrong HTTPs already encrypts.

My rudimentary understanding is that you can encrypt the contents of the traffic (such that would prevent analysis using a tool like Wireshark) but without encrypting what domains you're connecting to. That's what I'm discussing here. On my router I'm able to identify what domains I'm communicating with easily. Not exact URL but the domains. That doesn't happen when I'm using any commercial VPN.

[Onxr]

Advance

Then you should be able to specify your DNS server in Rethink

I did set my DNS to DoH, and ODoH.

I'm not sure if it's possible to have both DoH and oDoH at the same time.

Shouldn't DoH encrypt my DNS traffic regardless of whether Wireguard is on or routing any apps?

Only the queries.

On my router I'm able to identify what domains I'm communicating with easily. Not exact URL but the domains. That doesn't happen when I'm using any commercial VPN.

Anyone, correct me if I'm wrong.
DoH and DoT encrypts your queries where you ask for the IPs for a domain. You might also be able to see the traffic type when using packet analysis tool such as Wireshark but not the content. If I'm not wrong DoH and DoT are similar but DoH has an advantage as it uses HTTPS so the traffic is harder to block (cause will break other HTTPS traffic also when HTTPS is blocked).

When you query you get the IP then your application/service connects to that IP. But the connection still goes through your router > ISP > destination server. So anyone can see the destination server.

My analogy would be this, suppose you want to send a letter to a friend but don't know his address but you know someone who does. So you create a sealed envelope and a letter to that person asking for your friend's location. The person also replies back with a sealed envelope and the address written in the letter.
Now as you have the address, you wrote a letter and send it using a sealed envelope to your friend's address.
What happens in this case ? Everyone who carries the envelopes knows from where to where it's going right ?
But you don't want any carriers to know the destination but still want to do the same. What can you do ?
You will create a special communication to a person who will do it for you. You will send all your letters in a special sealed envelope to that person. Then the person will dp the communication and when the destination replies back, the person will send those back to you.

So from my understanding you will need a proxy to hide everything. Here the sealed envelope asking for address is DoH/DoT. Then when sending the letter to your friend that sealed envelope is HTTPS traffic. The person that works for you is VPN/proxy server. Carriers are Router, ISP then anything else between ISP to destination server.

That doesn't happen when I'm using any commercial VPN.

You won't need a commercial VPN either. You can selfhost Netbird or use their free tier. When you add nodes to your Netbird network you can use those as exit nodes and have your traffic exits through those (essentially how commercial VPN works). You can also get a VPS or have a host anywhere you want and setup Wireguard Easy to have your own VPN. IDK which router/firewall you use. Some FOSS solutions are OpenWRT, opnSense which can create it's own Wireguard server and you can connect to that server. So when you are outside your traffic will go through your home LAN.

BTW in case someone thinks I'm an AI for the analogy, I'm not. If you give me a captcha I might be able to solve it or not ? ;)

[Opening-Button-8988]

Sorry, but this analogy wasn't very helpful. I do understand how DNS works, roughly speaking. But I am specifically asking this: when you have DoT or DoH enabled, is it normal that the names of the domains I am connecting to are visible to (for example) the router I'm connected to, and my ISP (assuming I am not using a VPN)?

I'm not sure if it's possible to have both DoH and oDoH at the same time.

I meant separately.

I'm already using pfsense and different commercial VPNs. I have no use for a self hosted VPN.

[Onxr]

is it normal that the names of the domains I am connecting to are visible to (for example) the router I'm connected to, and my ISP (assuming I am not using a VPN)?

AFAIK yes. The domain will be visible to your router and ISP. DoT and DoH just resolves the IP.

I'm already using pfsense and different commercial VPNs.

If you're using the VPN as client for your commercial VPN in your pfSense router then if I'm not wrong only router should be able to see your domains and if configured in your device (eg. Rethink WG proxy) then neither router nor ISP should be able to know which domains you're trying to connect. In both scenario only VPN server's IP will be visible.