
Apologies, I saw a different issue https://github.com/celzero/rethink-app/issues/210#issuecomme... and did not realize those concerns had already been addressed. Unfortunately I can no longer edit my post, but it's good to learn that it is that much closer to F-Droid inclusion! :)

I think my comment must have appeared harsher than I intended, because I'm very excited to learn about this project. When I say "just an android app" that's a massive positive for me, but I understand why it might read otherwise! I had assumed at first blush this was yet another scammy SaaS product with a corresponding app, but when I realized it was "just" an open source Android app (and finding the open issue re: working towards F-Droid inclusion) it made me very interested indeed!

I also didn't mean to imply that DNS66 was anywhere near feature parity with this project, so apologies if that appeared to be the case. That said, I have used DNS66 in the past effectively, despite its limitations. Can you suggest where I can read more about its security deficiencies, or by "insecure" do you just mean to say it is an incomplete solution? (i.e. the lack of protocol support and the reliance on the Android VPN framework?)



> Apologies, I saw a different issue and did not realize those concerns had already been addressed.

My bad. I'm sorry, too. In fact, I may be solely at fault here for over-reacting to your comment. My reaction really stems from an unpleasant r/Android experience where folks just piled up on BraveDNS (as it was called then) with utter nonsense and blatant, misleading lies.

> I had assumed at first blush this was yet another scammy SaaS product with a corresponding app...

This isn't the first time I've heard from folks that the whole thing comes off as scammy / scareware. Is it the website design? The copy? The readme on GitHub? The name of the project?

> Can you suggest where I can read more about its security deficiencies, or by "insecure" do you just mean to say it is an incomplete solution?

DNS66 is insecure in the sense that it doesn't do any form of encryption for DNS requests [0] and, like most other DNS clients, it leaks DNS connections over TCP (only handles UDP) [1].

I wouldn't call it incomplete, it is likely fully complete in the eyes of the original developers. A DNS client can definitely do more, and that's why RethinkDNS exists in the first place. I used to use Nebulo [2] which is super lightweight, supports DNS over HTTPS/3 (QUIC), and has way more features than any other DNS client I've come across.

[0] https://github.com/julian-klode/dns66/issues/11

[1] https://github.com/julian-klode/dns66/blob/4f1304746e2/app/s...

[2] https://github.com/Ch4t4r/Nebulo
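The two deficiencies named above (no encryption, and TCP/53 traffic passing untouched because only UDP is intercepted) can be checked for on a device by looking at where DNS-shaped connections actually go. The script below is an added example, not code from DNS66, RethinkDNS or Nebulo: it classifies connection records by transport and destination port so that plaintext DNS over TCP/53 is reported alongside UDP/53, and it flags that port 443 alone cannot distinguish DNS-over-HTTPS from ordinary HTTPS. The flow records are constructed sample data, not captured traffic.

```python
"""Audit connection records for plaintext DNS that an encrypting resolver
should have prevented, including the TCP/53 case a UDP-only interceptor misses.

Added example for illustration; not part of DNS66, RethinkDNS or Nebulo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str       # "udp" or "tcp"
    dst_ip: str
    dst_port: int
    bytes_out: int


# Constructed sample records (not real traffic): plaintext DNS on both
# transports, DNS over TLS, a port-443 flow, and an unrelated NTP flow.
SAMPLE_FLOWS = [
    Flow("udp", "192.0.2.53", 53, 64),      # plaintext DNS over UDP
    Flow("tcp", "192.0.2.53", 53, 512),     # plaintext DNS over TCP (e.g. after a truncated UDP reply)
    Flow("tcp", "198.51.100.1", 853, 2048), # DNS over TLS
    Flow("tcp", "198.51.100.1", 443, 4096), # DoH or plain HTTPS; port alone can't tell
    Flow("udp", "203.0.113.1", 123, 48),    # NTP, unrelated to DNS
]


def classify(flow):
    """Label a flow by what its transport and destination port imply about DNS privacy."""
    if flow.dst_port == 53:
        # Port 53 is plaintext DNS on either transport; the transport matters only
        # for whether a UDP-only interceptor would have caught it.
        return "plaintext-dns"
    if flow.proto == "tcp" and flow.dst_port == 853:
        return "dns-over-tls"
    if flow.dst_port == 443:
        # DoH (TCP) and DoH3/QUIC (UDP) share port 443 with ordinary web traffic;
        # telling them apart needs SNI or payload inspection, not port numbers.
        return "https-or-doh"
    return "other"


def plaintext_dns_leaks(flows):
    """Return plaintext DNS flows split by transport, so the TCP blind spot is visible."""
    leaks = {"udp": [], "tcp": []}
    for flow in flows:
        if classify(flow) == "plaintext-dns":
            leaks[flow.proto].append(flow)
    return leaks


def summarize(flows):
    """Counts a practitioner would read first: how much DNS left the device in the clear."""
    leaks = plaintext_dns_leaks(flows)
    return {
        "udp_plaintext": len(leaks["udp"]),
        "tcp_plaintext": len(leaks["tcp"]),
        "encrypted_or_ambiguous": sum(
            1 for f in flows if classify(f) in ("dns-over-tls", "https-or-doh")
        ),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_FLOWS)
    for key, count in report.items():
        print(f"{key}: {count}")
    for flow in plaintext_dns_leaks(SAMPLE_FLOWS)["tcp"]:
        print(f"TCP/53 leak a UDP-only interceptor would miss: {flow.dst_ip}")
```

On a real device the records would come from whatever connection listing the platform exposes; the classification logic is the same. A non-zero `tcp_plaintext` count with a DNS client that claims to handle all resolver traffic is the symptom the comment above describes.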


Thanks for the response!

> This isn't the first time I've heard from folks that the whole thing comes off as scammy / scareware. Is it the website design? The copy? The readme on GitHub? The name of the project?

This is interesting; it's hard to put my finger on it. There's nothing in particular that I think is "wrong" but there were a few subtle things that might have caused me to bounce were I not already curious:

1) It made the front page of HN (so I'm already primed to expect a SaaS) and it was the landing page (rather than, say, the git repo)

2) The domain name mismatch with the project name - other comments have already mentioned this one - and especially the "Brave" in there (which has an immediate negative association for me)

3) The suggestion of cloud DNS servers and cost model in the main landing page, which made me wonder for a second about the business model and incentives

4) The GitHub link wasn't terribly prominent and the phrase "open source" (while present) doesn't stand out visually (when I see something like this I know to ctrl+f for "github" and "source" so I found both of them without issue, it's just that they weren't immediately apparent).

I know I'm an outlier in many ways, though, so I don't know how far those observations would take you in general. In my case a prominent link to an F-Droid page (or a note by the Play Store badge that F-Droid support is being considered) would have sent a signal I would recognize instantly, for example! Something minor like hosting the APK as a GitHub release and changing the non-Play-Store download link to "download from github" also would have clued me in immediately.



