System-wide DNS-based ad/tracker/malware blocker for Android with per-app firewall, CNAME cloaking detection, DNS response caching, DoH with certificate pinning, and a professional dark-themed UI.
- Download the latest APK from Releases
- Install and launch — the onboarding wizard guides you through setup
- Choose VPN mode (no root) or Root mode (better battery life)
- Enable blocking — ads and trackers are filtered immediately
| Feature | Description |
|---|---|
| DNS Blocking | Trie-based O(m) domain lookup with 200K+ domains from curated blocklists |
| CNAME Cloaking Detection | Inspects CNAME chains in DNS responses — catches first-party tracking that bypasses other blockers |
| DNS Response Cache | 2000-entry LRU cache with TTL-aware expiration — 60-70% cache hit rate reduces latency |
| VPN Mode | Local DNS filtering via Android VPN API — no root required, per-app stats |
| Root Mode | Direct /etc/hosts modification + iptables firewall — zero battery overhead |
| Per-App Firewall | Block Wi-Fi, mobile data, or VPN per-app with iptables (root) |
| DoH (DNS-over-HTTPS) | Cloudflare, Google, Quad9, NextDNS, AdGuard — with SHA-256 certificate pinning |
| DoH Bypass Prevention | Blocks 53+ known DoH provider domains + wildcard patterns to prevent apps bypassing DNS filtering |
| DNS Trap | Routes hardcoded DNS IPs (8.8.8.8, 1.1.1.1, etc.) through the VPN tunnel |
| TCP DNS Handling | Full TCP DNS support for responses >512 bytes |
| IPv6 Support | Full IPv6 DNS processing + UID attribution via /proc/net/tcp6 |
| Block Response Types | NXDOMAIN (with SOA), Null IP (0.0.0.0/::), or REFUSED — configurable |
| Blocking Profiles | Switch between profile sets on schedule |
| Live Query Stream | Real-time DNS log feed with zero-latency SharedFlow |
| 7-Day Trend Charts | Blocked vs. total queries line chart, hourly bar chart, daily history |
| Per-Query Detail View | Query type, response time, upstream server, CNAME chain, resolved IPs |
| Diagnostic Export | One-tap shareable report with device info, config, logs, network state |
| AdAway Import | Import hosts files, sources, and rules from AdAway backups |
| Remote DoH Updates | Supplementary DoH bypass domains fetched from GitHub without app updates |
| Multiple Upstream DNS | Comma-separated DNS servers with automatic fallback ordering |
| Allowlist Sources | Curated allowlists (Anudeep, HaGeZi) prevent common false positives |
| Blocklist Overlap Analysis | Identify redundant domains across enabled sources to optimize lists |
| Stats CSV Export | Export daily stats, top blocked domains, and top apps as shareable CSV |
| Auto Update Check | Silent check on settings open, with changelog and direct APK download |
| App Shortcuts | Long-press launcher icon: Toggle, Refresh Lists, Open Logs |
| Bulk Log Actions | Multi-select domains from DNS logs to block/allow in batch |
| DNS Latency Chart | Per-hour average and peak response time visualization |
| Network-aware Profiles | Auto-switch blocking profiles by WiFi SSID |
| Regex Rules | Block/allow domains by regex pattern with live validation |
| Domain Reputation | One-tap VirusTotal, URLhaus, and Whois lookup from log detail |
| Source Changelog | Track new/removed domains between blocklist updates |
| DNS Leak Test | Built-in test to verify DNS queries route through HostShield |
| Import from Clipboard | Quick-paste domains to bulk-add as block rules |
| Accent Color Picker | Choose from 6 accent colors (Teal, Blue, Purple, Green, Pink, Peach) |
| Auto Backup | Scheduled backup to app storage with 5-backup rotation |
| IP Blocking | Block connections to specific IP addresses |
| Domain Pinning | Pin/star domains in logs for monitoring |
| Privacy Score | 0-100 protection rating based on current configuration |
| Scheduled Blocking | Auto-enable/disable by time (bedtime mode / work hours) |
| Query Type Filter | Filter DNS logs by record type (A, AAAA, CNAME, MX, TXT) |
| Suspicious TLD Detection | Flag queries to high-abuse TLDs (.tk, .xyz, .onion, etc.) |
| Batch Source Health | One-tap reachability test for all enabled sources |
| Rule Tester | Test if domains match your exact, wildcard, or regex rules |
| Temporary Allow | Allow a blocked domain for 5/15/30/60 minutes |
| Domain Age Check | Flag newly registered domains via RDAP lookup |
| Stats Widget | Second widget with blocked count, queries, and block rate |
| Privacy Score Card | 0-100 score with pass/fail breakdown on Home dashboard |
| Search History | Recent searches remembered in DNS logs |
| Live Query Rate | Real-time queries/min and blocks/min on dashboard |
| Category Toggles | One-tap enable/disable source categories from Home screen |
| Hosts File Editor | Direct /etc/hosts editor for root mode |
| Pi-hole Import | Import Pi-hole teleporter backup (domainlist CSV, gravity) |
| Deep Links | Open screens via hostshield://logs, hostshield://stats, etc. |
| Notification Actions | Firewall App + View Logs buttons in block alert notifications |
| App Privacy Report | A-F grade for each app based on DNS tracking behavior |
| Rule Sync via URL | Subscribe to remote rule lists that auto-sync during updates |
| Blocked Domain Trends | Compare recent vs previous blocked domains for trending analysis |
| Automation API | Signature-protected broadcast intents for Tasker/MacroDroid |
┌─────────────┐ ┌──────────────────┐ ┌─────────────────┐
│ App DNS │────>│ HostShield VPN │────>│ DNS Response │
│ Query │ │ Packet Engine │ │ Cache (LRU) │
└─────────────┘ └────────┬─────────┘ └─────────┬───────┘
│ │
┌────────▼─────────┐ Cache │ Miss
│ BlocklistHolder │ Hit ◄────┘
│ (Trie Lookup) │ │
└────────┬─────────┘ ┌────────▼────────┐
│ │ Upstream DNS │
Blocked? │ │ (UDP/DoH) │
┌───────────┼───────────┐ └────────┬────────┘
│ │ │ │
┌─────▼────┐ ┌──▼───┐ ┌────▼────┐ ┌────▼─────────┐
│ NXDOMAIN │ │0.0.0.0 │ REFUSED │ │ CNAME Cloak │
│ + SOA │ │ │ │ │ │ Detection │
└──────────┘ └──────┘ └─────────┘ └──────────────┘
# Prerequisites: JDK 17, Android SDK 34
./gradlew assembleFullDebug # Full flavor (root features)
./gradlew assemblePlayDebug # Play Store flavor
./gradlew testFullDebugUnitTest # Run unit testsShips with curated defaults (Steven Black, OISD, HaGeZi, 1Hosts). Add custom URL sources via Settings → Sources in standard hosts file format.
Broadcast intents for Tasker/MacroDroid (requires signature permission or ADB grant):
adb shell am broadcast -a com.hostshield.action.ENABLE -n com.hostshield/.service.AutomationReceiver
adb shell am broadcast -a com.hostshield.action.DISABLE -n com.hostshield/.service.AutomationReceiver
adb shell am broadcast -a com.hostshield.action.STATUS -n com.hostshield/.service.AutomationReceiver
adb shell am broadcast -a com.hostshield.action.REFRESH_BLOCKLIST -n com.hostshield/.service.AutomationReceiverVPN mode vs Root mode? Root mode: zero battery overhead, requires rooted device. VPN mode: works on any device, ~1-3% battery, persistent notification.
Why does it use a VPN? Entirely local — no traffic goes to a remote server. Standard technique used by NetGuard, RethinkDNS, Blokada.
How is this different from AdAway? CNAME cloaking detection, DNS response caching, DoH with cert pinning, per-app firewall, live query streaming, 7-day trend charts, and modern Material 3 dark UI.
app/src/main/java/com/hostshield/
├── data/ # Room DB, DAOs, entities, preferences, repository
├── di/ # Hilt dependency injection modules
├── domain/ # BlocklistHolder (trie), HostsParser
├── service/ # VPN, root logger, iptables, DoH, DNS cache,
│ # CNAME detector, packet builder, workers
├── ui/screens/ # Home, Logs, Stats, Settings, Firewall,
│ # Onboarding, DNS Tools, Rules
└── util/ # Root utils, backup, import/export, diagnostics
Issues and PRs welcome. Run ./gradlew testFullDebugUnitTest before submitting.
GPL-3.0