-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Set the source IP address of DNS reply same as destionation IP of original request #1490
Comments
I doubt they do it by themselves, because it's the OS who sets the source IP address for the outcoming UDP packet. Anyway, there's nothing we can do at the moment with this issue. |
I did take a further look and you were right with your assumption. dnscrypt-proxy does bind to just the loopback interface. I had to rebuild the vm so the loopback IP changed to 172.25.100.235 as the algo ansible playbook generates one on the fly. Everything else is the same
TCP Dump
I have also been testing out nextdns which does have similar issue with their current release build but it looks like someone already opened a bug report (nextdns/nextdns#101) few days ago and it has been addressed. Their client is also written in go and this is how they fixed it
Below is the nextdns build with code in master branch which includes the fix
tcpdump for nextdns
|
Interesting, their solution makes sense: nextdns/nextdns@51c5ea3 |
If you are using DNS server like UNBOUND, go to /etc/unbound/unbound.conf. find line like: # interface: x.x.x.x interface: 172.20.251.11 |
Issue Details
On a machine with multiple interfaces, each on different subnet, Adguard sets the DNS reply packets with the IP address of the interface traffic goes out via rather than setting the original request destination IP as source address for reply. This causes some programs to discard the response as it isn't from the source IP address they expected. dig throws
reply from unexpected source
error messages.Information regarding the setup
The VM was set up using Algo (https://github.com/trailofbits/algo) which sets up Wireguard & IPsec VPN on Ubuntu 18.04 or 19.10. By default, it comes with dnsmasq for adblocking, but I am replacing it with Adguard Home.
The way algo sets up things is
lo
interface.172.20.251.11
in this server10.19.49.0/24
10.19.48.0/24
So now when you do a DNS query while connected to VPN, dns query will be sent to 172.20.251.11 and the dns reply packets will have their source ip set to either from 10.19.49.1 or 10.19.48.1 depending on the vpn you are on.
By default, algo sets up dnsmasq forwarding to dnscrypt-proxy for adblocking setup or just dnscrypt-proxy for setup without adblocking. Neither of them have this issue as they seem to set 172.20.251.11 as source IP when queried from wireguard or ipsec connection.
Expected Behavior
Adguard sets the source IP of dns reply with the destination IP address of original request so there is no longer a mismatch of source IP. This behaviour could be an option in config file.
Actual Behavior
Screenshots
No screenshots but interface & route details.
Interfaces
For some reason, strongswan virtual interface doesn't show up in interface details.Routing table
Additional Information
The text was updated successfully, but these errors were encountered: