
DNS Sinkhole for iOS
Sinkhole
DNS Firewall for iOS
See Sinkhole in Action

Real-time dashboard with live query chart

Manage blocklists from trusted sources

Create custom allow, block, and redirect rules
Adapts to your infrastructure
Sinkhole isn't a one-trick VPN wrapper. It offers three distinct operating modes designed for home-lab and self-hosting users who want full control over their DNS.
- VPN Mode — Full on-device DNS interception via local tunnel
- LAN Server — Your iPhone becomes a DoH server for your network
- Off — Disable instantly when you need unfiltered access

Watch your DNS in real time
The dashboard shows total queries, blocked requests, block rate, top blocked domains, and upstream latency — all updated live. A sparkline chart gives you a minute-by-minute view of your network activity.
- Live stats with per-minute sparkline chart
- Searchable, filterable query log
- Per-app traffic attribution
- Session timeline grouping

Blocklists that scale
Import blocklists from any source — hosts files, plain domain lists, AdGuard filter format, even Pi-hole gravity.db exports. Sinkhole loads hundreds of thousands of domains into an in-memory set for instant O(1) lookups on every DNS query.
- Pre-loaded: StevenBlack Unified + AdGuard DNS
- Import Pi-hole gravity.db directly
- DNS rebinding protection
- CNAME cloaking detection

Built for the Apple ecosystem
Sinkhole integrates deeply with iOS, watchOS, and your home-lab infrastructure.
Custom Rules
Exact match, wildcard (*.domain.com), regex, redirect, and per-Wi-Fi-network rules. Allow rules override blocks.
LAN Server
Run a DNS server on your iPhone (UDP :5053 + TCP :8443). Generate .mobileconfig profiles and share via AirDrop.
Widgets & Live Activity
Home screen, lock screen, Dynamic Island, and Control Center toggle. See your block count at a glance.
Apple Watch
Check protection status and toggle filtering from your wrist. Stats sync automatically via WatchConnectivity.
iCloud Sync
Sync custom rules and blocklist sources across devices via iCloud KVStore. Query logs stay local.
Common questions
Technically, Sinkhole uses iOS's VPN permission to intercept DNS queries. But it is not a traditional VPN — it does not tunnel your traffic to an external server, provide anonymity, or change your IP address. The VPN tunnel is local-only (127.0.0.1) and exists solely because Apple's platform requires it for system-wide DNS interception.
No. DNS lookups are resolved from an in-memory set with O(1) performance. Blocked domains are answered instantly with an NXDOMAIN response (no network round-trip). Allowed domains are forwarded to your configured upstream DNS provider as they normally would be.
Yes! In LAN Server mode, Sinkhole runs a DNS server on UDP port 5053 and a DoH server on TCP port 8443. You can generate a .mobileconfig profile and share it via AirDrop to configure your Mac, iPad, or other Apple devices to use your iPhone as their DNS server.
Sinkhole is free to download with no subscriptions and no ads. Core DNS filtering with default blocklists is fully free. Sinkhole Pro ($4.99, one-time purchase) unlocks unlimited custom rules and additional blocklist sources.