11# HostShield
22
3- ![ Version] ( https://img.shields.io/badge/version-5.0 .0-blue )
3+ ![ Version] ( https://img.shields.io/badge/version-6.2 .0-blue )
44![ License] ( https://img.shields.io/badge/license-GPL--3.0-green )
55![ Platform] ( https://img.shields.io/badge/platform-Android%208+-3DDC84?logo=android&logoColor=white )
66![ Kotlin] ( https://img.shields.io/badge/Kotlin-2.0-7F52FF?logo=kotlin&logoColor=white )
7474| Feature | Description |
7575| ---------| -------------|
7676| ** DNS-over-HTTPS (DoH)** | RFC 8484 POST+GET. Cloudflare, Google, Quad9, NextDNS, AdGuard, Mullvad, CleanBrowsing |
77+ | ** DNS-over-TLS (DoT)** | RFC 7858, TLSv1.3, SNI + hostname verification. Cloudflare, Google, Quad9, AdGuard |
78+ | ** DNS-over-QUIC (DoQ)** | RFC 9250, QUIC Initial framing. AdGuard, NextDNS, Mullvad. Falls back to DoT |
79+ | ** DNS-over-WireGuard** | Noise_IKpsk2 handshake, AES-256-GCM transport encryption. DNS-only WireGuard tunnel |
7780| ** Certificate Pinning** | SHA-256 pin validation per provider, unpinned fallback as last resort |
7881| ** Smart Latency Failover** | EMA-based latency tracking per provider, auto-selects fastest, falls back through all on failure |
7982| ** DNS Trap** | Routes hardcoded DNS IPs (8.8.8.8, 1.1.1.1, etc.) through VPN tunnel to prevent bypass |
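Review bot: The new DNS-over-WireGuard row (README line 79) lists "AES-256-GCM transport encryption", but WireGuard's transport AEAD is ChaCha20-Poly1305 (the full Noise name is Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s), so as written the row either misdescribes the implementation or describes a tunnel that will not interoperate with standard WireGuard peers. Please correct the cipher name or state that this is a custom, non-interoperable variant. The DoQ row has a similar gap: "QUIC Initial framing" and "Falls back to DoT" should say whether a full QUIC handshake is completed and whether the fallback is visible to the user, and the Certificate Pinning row below should say whether pins also cover the new DoT and DoQ providers.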
154157| ---------| -------------|
155158| ** AMOLED Dark Theme** | Material 3 dark UI optimized for OLED displays |
156159| ** 6 Accent Colors** | Teal, Blue, Purple, Green, Pink, Peach |
157- | ** 24 + Screens** | Home, Sources, Rules, Stats, Settings, Logs, Apps, AppPrivacy, AppLogs, Firewall, ConnectionLog, DnsTools, NetworkStats, OverlapAnalysis, DnsLeakTest, RuleTest, HostsEditor, HostsDiff, AppExclusions, Onboarding, BlocklistGallery, AutomationAudit |
160+ | ** 31 + Screens** | Home, Sources, Rules, Stats, Settings, Logs, Apps, AppPrivacy, AppLogs, Firewall, ConnectionLog, DnsTools, NetworkStats, OverlapAnalysis, DnsLeakTest, RuleTest, HostsEditor, HostsDiff, AppExclusions, Onboarding, BlocklistGallery, AutomationAudit, ContentFilter, ParentalControls, DnsBenchmark, WebDavSync, CrashReports, QrConfig, TlsFingerprints |
158161| ** Home Dashboard** | Shield status, live query rate, cache hit rate, latency sparkline, top queried apps, category toggles, search history chips |
159162| ** Widgets** | Toggle widget + stats widget (blocked count, queries, block rate) |
160163| ** Quick Settings Tile** | VPN toggle from Quick Settings panel |
161164| ** App Shortcuts** | Long-press launcher: Toggle, Refresh Lists, Open Logs |
162165| ** Deep Links** | ` hostshield://logs ` , ` hostshield://stats ` , etc. |
163166| ** Onboarding Wizard** | Private DNS conflict detection, VPN permission, battery optimization |
164167
168+ ### Content Filtering & Parental Controls
169+
170+ | Feature | Description |
171+ | ---------| -------------|
172+ | ** 15 Content Categories** | Gaming, Streaming, Social Media, News, Shopping, Dating, Gambling, Adult, VPN/Proxy, Malware, and more — toggleable per category |
173+ | ** Parental Controls** | 3 age profiles (Child, Teen, Adult) with automatic category blocking per profile |
174+ | ** PIN Lock** | SHA-256 hashed PIN protects parental control settings from bypass |
175+ | ** Local DNS Server** | "Portable Pi-hole" mode on port 5353 — other LAN devices can use phone as DNS filter |
176+ | ** DNS Proxy Mode** | No-VPN, no-root DNS blocking via local proxy (tri-mode: VPN / Root / Proxy) |
177+ | ** Safe Search Enforcement** | DNS-level rewriting for Google, Bing, DuckDuckGo, YouTube |
178+
165179### Import, Export & Backup
166180
167181| Feature | Description |
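Review bot: The PIN Lock row (README line 174) documents a "SHA-256 hashed PIN", and a single fast hash over a short PIN, salted or not, can be enumerated almost instantly by anyone who can read the stored value, so it does not by itself protect the settings "from bypass". Suggest documenting a salted, iterated KDF or an Android Keystore-bound key together with attempt throttling, and stating where the value is stored and whether it is included in backups or exported configs. The Local DNS Server row (line 175) should also say which interface the listener binds to and which clients may query it, and note that port 5353 is the port mDNS uses, so conflicts with other responders on the device or LAN are possible.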
@@ -247,7 +261,7 @@ All actions are rate-limited (5s cooldown per action per caller) and logged to t
247261| Language | Kotlin 2.0 |
248262| UI | Jetpack Compose + Material 3 |
249263| DI | Hilt (Dagger) |
250- | Database | Room (10 tables, 9 migrations) |
264+ | Database | Room (11 tables, 12 migrations) |
251265| Preferences | DataStore |
252266| Async | Coroutines + Flow, ViewModels + StateFlow |
253267| Networking | OkHttp 4 (source downloads, DoH resolver) |
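Review bot: The unchanged Networking row at the end of this hunk still reads "OkHttp 4 (source downloads, DoH resolver)", while the same commit documents DoT, DoQ and WireGuard resolvers elsewhere in the README. Please extend the row (or add one) to name the transport used for those resolvers, so a reader auditing TLS configuration and pinning knows which stack handles each protocol. The jump from 9 to 12 migrations for one added table would also benefit from a short note on what the three migrations change.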
@@ -262,8 +276,8 @@ All actions are rate-limited (5s cooldown per action per caller) and logged to t
262276```
263277app/src/main/java/com/hostshield/
264278├── data/
265- │ ├── database/ # Room DB, DAOs, converters, migrations (v1-v9 )
266- │ ├── model/ # Entities (10 tables), enums
279+ │ ├── database/ # Room DB, DAOs, converters, migrations (v1-v12 )
280+ │ ├── model/ # Entities (11 tables), enums
267281│ ├── preferences/ # DataStore preferences (AppPreferences)
268282│ ├── repository/ # HostShieldRepository
269283│ └── source/ # SourceDownloader
@@ -273,32 +287,51 @@ app/src/main/java/com/hostshield/
273287│ └── parser/
274288│ └── HostsParser.kt # Hosts file parser with wildcard support
275289├── service/
276- │ ├── DnsVpnService.kt # VPN packet loop (~2000 lines)
290+ │ ├── DnsVpnService.kt # VPN packet loop (~2700 lines)
277291│ ├── DnsCache.kt # LRU + serve-stale + prefetch + negative/failure cache
278292│ ├── DnsPacketBuilder.kt # DNS wire format builder/parser
279293│ ├── DohResolver.kt # DoH with smart latency failover
294+ │ ├── DotResolver.kt # DoT (RFC 7858, TLSv1.3, 4 providers)
295+ │ ├── DoqResolver.kt # DoQ (RFC 9250, QUIC Initial, 3 providers)
296+ │ ├── WireGuardProxy.kt # DNS-over-WireGuard (Noise_IKpsk2, AES-256-GCM)
280297│ ├── CnameCloakDetector.kt # CNAME + SVCB/HTTPS cloak detection
281298│ ├── CnameCloakUpdater.kt # Remote CNAME cloak DB fetcher (AdGuard + NextDNS)
282299│ ├── DohBypassUpdater.kt # Remote DoH bypass list fetcher
283300│ ├── RootDnsService.kt # Root-mode DNS proxy
284301│ ├── RootDnsLogger.kt # Root-mode DNS logging with UID attribution
285302│ ├── IptablesManager.kt # Per-app firewall rule management
286- │ ├── DnsCache.kt # DNS response cache with RFC 8767/2308/9520
303+ │ ├── LocalDnsServer.kt # LAN DNS server on port 5353
304+ │ ├── DnsProxyService.kt # No-VPN proxy mode DNS blocking
305+ │ ├── ContentFilterManager.kt # 15 content filter categories
306+ │ ├── ParentalControlManager.kt # Age-profile parental controls + PIN
307+ │ ├── AppDnsRuleEngine.kt # Per-app domain DNS rules
308+ │ ├── ConnectionTracker.kt # Real-time per-app connection tracking
309+ │ ├── ThreatIntelManager.kt # Threat intel feeds + radix trie IP lookup
310+ │ ├── SafeSearchEnforcer.kt # DNS-level safe search rewriting
287311│ ├── NetworkStatsTracker.kt
288312│ ├── AutomationReceiver.kt # Broadcast intent API
289313│ ├── ScreenStateReceiver.kt # Context-aware firewall state
290314│ └── *Worker.kt # HostsUpdate, AutoBackup, LogCleanup, etc.
291315├── ui/
292316│ ├── navigation/ # Compose navigation graph
293- │ ├── screens/ # 24+ screens (Home, Logs, Stats, Settings, Firewall, ...)
317+ │ ├── screens/ # 31+ screens (Home, Logs, Stats, Settings, Firewall, ...)
318+ │ ├── components/ # Vico charts, Lottie animations, animated log feed
319+ │ ├── widget/ # Glance widgets (toggle + stats)
294320│ └── theme/ # Material 3 theme + accent colors
295321└── util/
296322 ├── OfflineGeoIp.kt # MaxMind GeoLite2 offline lookups
297323 ├── GeoIpLookup.kt # ip-api.com online lookups (legacy)
298324 ├── TrackerSignatureDb.kt # Exodus-style APK tracker scanner
325+ ├── TlsFingerprinter.kt # JA3/JA4 TLS ClientHello fingerprinting
299326 ├── AppPrivacyScorer.kt # Per-app A-F privacy grades
300327 ├── ImportExportUtil.kt # Multi-format import/export
328+ ├── EncryptedBackup.kt # AES-256-GCM encrypted backups
301329 ├── BackupRestoreUtil.kt # Backup/restore to app storage
330+ ├── WebDavSync.kt # WebDAV cloud sync
331+ ├── QrConfigSharing.kt # QR code config sharing (GZIP+Base64)
332+ ├── CrashReporter.kt # Custom crash reporting
333+ ├── DnsBenchmark.kt # DNS resolver latency benchmark
334+ ├── DnsStampParser.kt # sdns:// DNS stamp parser
302335 ├── DiagnosticExporter.kt # One-tap diagnostic report
303336 ├── PcapExporter.kt # PCAP packet capture export
304337 └── RootUtil.kt # Root detection + binary management
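Review bot: The new `QrConfigSharing.kt` entry (line 331) describes the payload only as "GZIP+Base64", which is an encoding and gives no confidentiality or integrity, so the README should state which settings are included in a shared QR code and confirm that secrets such as the parental control PIN hash, WebDAV credentials and WireGuard keys are excluded or separately encrypted. Likewise, the `EncryptedBackup.kt` line names AES-256-GCM but not how the key is derived from the user's passphrase. Separately, `DnsVpnService.kt` is now annotated at ~2700 lines; consider splitting the packet loop from protocol dispatch, since the changelog in this same commit reports parsing bugs spread across several files.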
@@ -335,6 +368,9 @@ VPN mode: ~1-3% battery/day (all traffic routed through local TUN interface). Ro
335368
336369| Version | Highlights |
337370| ---------| -----------|
371+ | ** 6.2.0** | DoQ resolver (RFC 9250), WireGuard DNS proxy, 7 new UI screens, ConnectionTracker + TlsFingerprinter wired in. ** Release hardening audit** : fixed ~ 60 operator precedence bugs in DNS wire format parsing across 6 files, WireGuard encryption failure no longer leaks plaintext, OkHttp response leaks fixed in 8 files, shell command injection prevention in root mode, CoroutineScope lifecycle fix in LocalDnsServer, private IP range validation fix, Compose crash safety, ProGuard rules for all new classes. ** 52/52 roadmap items complete** |
372+ | ** 6.1.0** | Per-app DNS rules, content filtering (15 categories), proxy mode, QR config sharing, parental controls, crash reporter, WebDAV sync, connection tracker, Vico charts, Lottie animations, Glance widgets |
373+ | ** 6.0.0** | Threat intel integration, NetworkTrackerDb, Safe Search enforcement, DNS benchmark, local DNS server, DoT resolver, encrypted backups, DNS stamps, schedule presets |
338374| ** 5.0.0** | Serve-stale DNS (RFC 8767), SERVFAIL caching (RFC 9520), cache prefetching, hash set fast path (~ 2x), filter decision LRU cache, CNAME cloak databases (AdGuard+NextDNS), SVCB/HTTPS record parsing, offline GeoIP (MaxMind GeoLite2), configurable TTL caps |
339375| 4.6.0 | DNS latency sparkline, source summary stats, search history persistence |
340376| 4.5.0 | Query type distribution chart, per-app DNS log drill-down, permanent block/allow in log detail |
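Review bot: The 6.2.0 row folds security fixes ("WireGuard encryption failure no longer leaks plaintext", "shell command injection prevention in root mode", "~ 60 operator precedence bugs in DNS wire format parsing") into the same cell as feature highlights, with no indication of which released versions were affected. Please move them to a separate security line or section and state the affected versions, in particular whether the root-mode command injection and the DNS parsing bugs were present in 6.0.0 and 6.1.0, so users on those releases can tell that the upgrade is security-relevant. The row also lists the WireGuard DNS proxy as new in 6.2.0 and its plaintext leak as fixed in 6.2.0; say whether the leaking build was ever published.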