Configure k9 to stop bypassing DNS

I’m using rethinkdns and it blocks apps, if they try to bypass the DNS. So if k9 connects via dns to imap.gmx.net it is allowed, but unfortunately it also tries to connect to 212.227.17.170 and 212.227.17.186 directly a lot, which is then blocked and causes the cpu to wake up. Is there a way to prevent k9 from connecting directly to the ip addresses?

I don’t know exactly what rethinkdns is doing, because I don’t use it myself.

However, what K-9 does is this:

  • It uses DNS to get the “A” values for “imap.gmx.net”.
  • One of the IP addresses K-9 gets from DNS is used when connecting to the IMAP server using the IMAP protocol.

The IP addresses you mentioned are those returned by DNS when doing such a query. See for yourself. Network Tools: DNS,IP,Email

This is not “bypassing the DNS”. This is normal behavior for a MUA (such as K-9) wanting to connect to an IMAP server.

Speculation mode ON:
Is a purpose of rethinkdns to do some kind of intercept? If yes, it does not do that for the IMAP protocol. This is a problem with rethinkdns, not K-9.

Thanks for your explanation. I created a rule in the firewall of rethinkdns to allow k9 access to those “A” value IPs.

rdns dev here

This might happen when apps

  • Cache DNS answers for longer than “time to live”.
  • Use custom DoH / DoT mechanisms (like those available in OkHttp3).
  • Use custom plain old DNS (and Prevent DNS leaks is turned OFF in Rethink ConfigureDNS).
  • Use Android’s Private DNS feature.
  • Re-use DNS answers from before Rethink was running.

Or… there’s a bug in Rethink (if so, this is a first such report)

Rethink does no such thing.

I’m not certain where Rethink inserts itself, but Android has a stub DNS resolver that I assume K9 uses. That resolver should cache responses for the TTL on the returned results.

the TTL on imap.gmx.net is 2 days, so if K9 is getting cached results from the android resolver (or caching them itself) there is a lot of time that will elapse between calls to an external resolver – and so a lot of time for potential connections without new (external) queries.

netd (dnsmasq?) flushes DNS cache on network changes, but I haven’t tested for this behaviour on latest AOSP.

Rethink uses the VPN API. It gets DNS queries from netd (dnsmasq?) and other network traffic is routed to its TUN device (what gets routed depends on various configurations).

Interesting (I am unsure, but I’d be surprised if caches in AOSP hold on to DNS answers for that long) and could be the reason why Rethink thinks DNS is bypassed (as Rethink may not have memory about some DNS resolution made 2 days ago, if it had been stopped or had crashed in the interim).

K-9 Mail calls InetAddress.getAllByName() to get all (supported) addresses for a host name. The app then tries to connect to each address until a connection has been successfully established (or all connection attempts have failed). See thunderbird-android/mail/protocols/imap/src/main/java/com/fsck/k9/mail/store/imap/RealImapConnection.kt at dc5b130bda37343f26b731292640e09cdd460698 · thunderbird/thunderbird-android · GitHub

The IMAP code attempts to bypass the DNS cache. See thunderbird-android/mail/protocols/imap/src/main/java/com/fsck/k9/mail/store/imap/RealImapConnection.kt at dc5b130bda37343f26b731292640e09cdd460698 · thunderbird/thunderbird-android · GitHub
I don’t know if this has any effect on modern Android versions.

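The resolve-then-try-each-address pattern described in the last reply, written out as an added illustration. This is not K-9's own code and not taken from the thread; it only shows the shape of the behaviour: one `InetAddress.getAllByName()` lookup, then a plain TCP connect to each returned address until one succeeds. The host name, port and timeout in `main()` are assumptions for the example. Note that the lookup goes through the platform resolver (and whatever cache sits in front of it), so the addresses a firewall later sees may be older than the DNS record's TTL, which is the "direct connection" a DNS-based filter would flag.

```kotlin
import java.io.IOException
import java.net.InetAddress
import java.net.InetSocketAddress
import java.net.Socket

/**
 * Resolve `host` once and try each returned address in turn until one
 * TCP connection succeeds. Added illustration of the pattern discussed
 * in the thread; not K-9's implementation.
 */
fun connectToAnyAddress(host: String, port: Int, connectTimeoutMs: Int = 10_000): Socket {
    // A single lookup; on Android this is answered by the system resolver,
    // possibly from its cache, so no fresh query need hit the network here.
    val addresses: Array<InetAddress> = InetAddress.getAllByName(host)
    var lastFailure: IOException? = null

    for (address in addresses) {
        val socket = Socket()
        try {
            // Connecting to the literal address is what a DNS-aware firewall
            // observes: a TCP connection with no DNS query immediately before it.
            socket.connect(InetSocketAddress(address, port), connectTimeoutMs)
            return socket
        } catch (e: IOException) {
            // Remember the failure and move on to the next candidate address.
            lastFailure = e
            runCatching { socket.close() }
        }
    }

    // Either the resolver returned nothing or every address refused/timed out.
    throw lastFailure ?: IOException("No addresses returned for $host")
}

fun main() {
    // Hypothetical target; host and port are assumptions for this example
    // (993 is the conventional IMAPS port). Running this performs a real connect.
    val socket = connectToAnyAddress("imap.example.com", 993)
    println("Connected to ${socket.inetAddress.hostAddress}:${socket.port}")
    socket.close()
}
```

If you want to see which candidate addresses a given lookup produces before any connection is made, call `InetAddress.getAllByName(host)` on its own and compare the list with a fresh query against an external resolver: a mismatch indicates the answer came from a cache rather than from the DNS server the firewall expects to see.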