DNS Sinkhole for iOS

Sinkhole

DNS Firewall for iOS

iOS watchOS Widgets
Coming Soon on the App Store

See Sinkhole in Action

Adapts to your infrastructure

Sinkhole isn't a one-trick VPN wrapper. It offers three distinct operating modes designed for home-lab and self-hosting users who want full control over their DNS.

  • VPN Mode — Full on-device DNS interception via local tunnel
  • LAN Server — Your iPhone becomes a DoH server for your network
  • Off — Disable instantly when you need unfiltered access

Watch your DNS in real time

The dashboard shows total queries, blocked requests, block rate, top blocked domains, and upstream latency — all updated live. A sparkline chart gives you a minute-by-minute view of your network activity.

  • Live stats with per-minute sparkline chart
  • Searchable, filterable query log
  • Per-app traffic attribution
  • Session timeline grouping

Blocklists that scale

Import blocklists from any source — hosts files, plain domain lists, AdGuard filter format, even Pi-hole gravity.db exports. Sinkhole loads hundreds of thousands of domains into an in-memory set for instant O(1) lookups on every DNS query.

  • Pre-loaded: StevenBlack Unified + AdGuard DNS
  • Import Pi-hole gravity.db directly
  • DNS rebinding protection
  • CNAME cloaking detection
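An added sketch (not Sinkhole's own code) of loading the three text formats named above into in-memory sets and checking a query name against them. It assumes hosts and plain entries match exactly, AdGuard `||domain^` rules also cover subdomains, and `@@` exceptions win over blocks; rules with `$` modifiers and gravity.db files are not handled, and all names and sample data are constructed.

```python
import re

# Constructed sample input mixing the three text formats the page lists.
SAMPLE = """\
# hosts-file style
0.0.0.0 ads.example.com
127.0.0.1 localhost
0.0.0.0 tracker.example.net  # trailing comment
! AdGuard-style comment
||telemetry.example.org^
@@||ok.telemetry.example.org^
plain.example.io
||bad.example^$third-party
not a domain line
"""

# Hostname shape check: dot-separated labels, alphabetic-leading TLD, <= 253 chars.
DOMAIN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z][a-z0-9-]{0,61}[a-z0-9]$")
SINK_IPS = ("0.0.0.0", "127.0.0.1", "::", "::1")
SKIP = {"localhost.localdomain"}  # loopback alias found in real hosts files

def parse_blocklist(text):
    """Return (exact, suffix, allow) sets of lowercase domains."""
    exact, suffix, allow = set(), set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line or line.startswith("!"):
            continue  # blank line or comment
        m = re.fullmatch(r"(@@)?\|\|([^\^$/]+)\^", line)
        if m:  # AdGuard domain rule; "@@" marks an exception (allow)
            if DOMAIN.match(m.group(2)):
                (allow if m.group(1) else suffix).add(m.group(2))
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[0] in SINK_IPS:  # hosts format
            exact.update(d for d in fields[1:] if DOMAIN.match(d) and d not in SKIP)
        elif len(fields) == 1 and DOMAIN.match(fields[0]):  # plain domain list
            exact.add(fields[0])
    return exact, suffix, allow

def is_blocked(qname, exact, suffix, allow):
    """Set-membership checks only: one per label of the query name."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    parents = [".".join(labels[i:]) for i in range(len(labels))]
    if any(p in allow for p in parents):  # allow overrides block
        return False
    return name in exact or any(p in suffix for p in parents)
```

Lines that parse as none of the formats are dropped rather than guessed at, so a malformed or hostile list cannot insert arbitrary strings into the sets.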

Built for the Apple ecosystem

Sinkhole integrates deeply with iOS, watchOS, and your home-lab infrastructure.

Custom Rules

Exact match, wildcard (*.domain.com), regex, redirect, and per-Wi-Fi-network rules. Allow rules override blocks.

LAN Server

Run a DNS server on your iPhone (UDP :5053 + TCP :8443). Generate .mobileconfig profiles and share via AirDrop.

Widgets & Live Activity

Home screen, lock screen, Dynamic Island, and Control Center toggle. See your block count at a glance.

Apple Watch

Check protection status and toggle filtering from your wrist. Stats sync automatically via WatchConnectivity.

iCloud Sync

Sync custom rules and blocklist sources across devices via iCloud KVStore. Query logs stay local.

100% on-device. Zero cloud dependency.

Every DNS query is processed entirely on your iPhone. No accounts, no servers, no analytics, no telemetry. The VPN tunnel connects to 127.0.0.1 — your traffic never leaves your device. Sinkhole is free to download with core protection included. Sinkhole Pro ($4.99, one-time purchase) unlocks unlimited custom rules and additional blocklist sources.

Common questions

Technically, Sinkhole uses iOS's VPN permission to intercept DNS queries. But it is not a traditional VPN — it does not tunnel your traffic to an external server, provide anonymity, or change your IP address. The VPN tunnel is local-only (127.0.0.1) and exists solely because Apple's platform requires it for system-wide DNS interception.

No. Each query is checked against an in-memory set with O(1) lookup performance. Blocked domains are answered instantly with an NXDOMAIN response (no network round-trip). Allowed domains are forwarded to your configured upstream DNS provider as they normally would be.

Yes! In LAN Server mode, Sinkhole runs a DNS server on UDP port 5053 and a DoH server on TCP port 8443. You can generate a .mobileconfig profile and share it via AirDrop to configure your Mac, iPad, or other Apple devices to use your iPhone as their DNS server.

Sinkhole is free to download with no subscriptions and no ads. Core DNS filtering with default blocklists is fully free. Sinkhole Pro ($4.99, one-time purchase) unlocks unlimited custom rules and additional blocklist sources.

Open your DNS sinkhole

Block ads, trackers, and malicious domains on your iPhone. Free, private, and powerful.
