ipns:// should respect DNS resolver settings #22409

Closed
lidel opened this issue Apr 19, 2022 · 9 comments · Fixed by brave/brave-core#14068

lidel commented Apr 19, 2022

Problem

If a Brave user decides to use a custom DNS over HTTPS resolver via the UI below, go-ipfs does not respect that choice, and uses the cleartext resolver provided by the OS.

2022-04-20_00-10

Proposed change

Every time a custom DNS over HTTPS resolver is set via the UI in the "Privacy and security" settings, Brave should add/update "." (the top-level resolver) in the DNS.Resolvers map in the $IPFS_PATH/config file.
Making changes to this map requires a node reboot for the changes to be applied.

lidel commented Apr 19, 2022

I believe this should also be applied to the .eth and .crypto TLDs when the user resolves them via DoH:

2022-04-20_00-34

Brave should set explicit DoH URLs in DNS.Resolvers for them.
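One way to express the proposed config update, as an added example (not code from Brave or go-ipfs). The "eth." and "crypto." key spelling follows the trailing-dot form used in Kubo's config documentation; the function names, the sample config and every URL are constructed placeholders.

```python
import copy
from urllib.parse import urlsplit

# Zones the browser would manage in DNS.Resolvers ("." is the top-level resolver).
MANAGED_ZONES = (".", "eth.", "crypto.")

# Constructed sample of the relevant part of $IPFS_PATH/config.
SAMPLE_CONFIG = {
    "Bootstrap": [],
    "DNS": {"Resolvers": {"example.net.": "https://keep.example/dns-query"}},
}


def validate_doh_url(url):
    """Accept only https:// endpoints so a typo cannot downgrade to cleartext."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https DoH endpoint: {url!r}")
    return url


def apply_resolvers(config, wanted):
    """Return (new_config, restart_needed).

    wanted maps a managed zone to a DoH URL, or to None when the user has
    switched the override off and the entry must be dropped again.
    """
    unknown = set(wanted) - set(MANAGED_ZONES)
    if unknown:
        raise ValueError(f"refusing to touch unmanaged zones: {sorted(unknown)}")
    new_config = copy.deepcopy(config)      # never mutate the caller's copy
    dns = new_config.get("DNS") or {}
    resolvers = dict(dns.get("Resolvers") or {})
    before = dict(resolvers)
    for zone, url in wanted.items():
        if url is None:
            resolvers.pop(zone, None)
        else:
            resolvers[zone] = validate_doh_url(url)
    dns["Resolvers"] = resolvers
    new_config["DNS"] = dns
    # The map is only read at startup, so any change means a node restart.
    return new_config, resolvers != before


if __name__ == "__main__":
    cfg, restart = apply_resolvers(
        SAMPLE_CONFIG, {".": "https://doh.example/dns-query"})
    print(cfg["DNS"]["Resolvers"], "restart needed:", restart)
```

Entries outside the managed zones are left untouched, and an unchanged map reports that no restart is needed.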

lidel commented Apr 19, 2022

cc @spylogsster thoughts on wiring this up?

@spylogsster spylogsster self-assigned this Apr 20, 2022
@spylogsster spylogsster added this to Untriaged in IPFS via automation Apr 20, 2022
@diracdeltas
Member

someone should double check that IPFS / IPNS / unstoppable domains / ENS are all still disabled in Tor windows, otherwise there is potentially a Tor DNS leak here.

@ShivanKaul ShivanKaul added the priority/P3 The next thing for us to work on. It'll ride the trains. label May 24, 2022
@yrliou yrliou moved this from Untriaged to Icebox in IPFS Jun 27, 2022
@yrliou yrliou moved this from Icebox to Backlog in IPFS Jun 27, 2022
cypt4 added a commit to brave/brave-core that referenced this issue Jul 6, 2022
cypt4 added a commit to brave/brave-core that referenced this issue Jul 7, 2022
@cypt4 cypt4 added the QA/Yes label Jul 12, 2022
cypt4 added a commit to brave/brave-core that referenced this issue Jul 13, 2022
cypt4 added a commit to brave/brave-core that referenced this issue Jul 14, 2022
IPFS automation moved this from Backlog to Done Jul 19, 2022
@cypt4 cypt4 added this to the 1.43.x - Nightly milestone Jul 19, 2022
AlexNguyen1612 pushed a commit to AlexNguyen1612/brave-core that referenced this issue Jul 31, 2022
@stephendonner stephendonner added the QA/In-Progress Indicates that QA is currently in progress for that particular issue label Aug 15, 2022
stephendonner commented Aug 15, 2022

Verification PASSED using

Brave 1.43.70 Chromium: 104.0.5112.81 (Official Build) beta (x86_64)
Revision 5b7b76419d50f583022568b6764b630f6ddc9208-refs/branch-heads/5112@{#1309}
OS macOS Version 11.6.8 (Build 20G730)

Confirmed DNS queries used the specified DNS-over-HTTPS provider, which in my case was Cloudflare.

Case 1: IPFS/IPNS URLs - PASSED

  1. installed 1.43.70
  2. launched Brave
  3. loaded each of the following IPFS/IPNS URLs:

IPFS URLs:

  • ipfs://bafybeiemxf5abjwjbikoz4mc3a3dla6ual3jsgpdr4cjr3oz3evfyavhwq/wiki/Vincent_van_Gogh.html#Life
  • ipfs://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi/
  • ipfs://QmXoypizjW3WknFiJnKLwHCnL72vedxjQkDDP1mXWo6uco/wiki/Tokyo_National_Museum.html
  • ipfs:QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/readme

IPNS URLs:

  • ipns://en.wikipedia-on-ipfs.org/wiki/Tokyo#Islands
  • ipns://docs.ipfs.io
  • ipns://brantly.eth (Ethereum Name Service/ENS)
  • ipns://brad.crypto (Unstoppable Domains)

Case 2: Secure DNS - PASSED

  1. installed 1.43.70
  2. launched Brave
  3. loaded brave://settings/security
  4. flipped Use secure DNS to Enabled
  5. selected With Cloudflare (1.1.1.1)
  6. loaded each of the following IPFS/IPNS URLs:

IPFS URLs:

  • ipfs://bafybeiemxf5abjwjbikoz4mc3a3dla6ual3jsgpdr4cjr3oz3evfyavhwq/wiki/Vincent_van_Gogh.html#Life
  • ipfs://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi/
  • ipfs://QmXoypizjW3WknFiJnKLwHCnL72vedxjQkDDP1mXWo6uco/wiki/Tokyo_National_Museum.html
  • ipfs:QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/readme

IPNS URLs:

  • ipns://en.wikipedia-on-ipfs.org/wiki/Tokyo#Islands
  • ipns://docs.ipfs.io
  • ipns://brantly.eth (Ethereum Name Service/ENS)
  • ipns://brad.crypto (Unstoppable Domains)

Case 3: Custom DNS resolver - N/A

@stephendonner

> someone should double check that IPFS / IPNS / unstoppable domains / ENS are all still disabled in Tor windows, otherwise there is potentially a Tor DNS leak here.

Done in #23831 👍

@stephendonner stephendonner added QA Pass-macOS and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Aug 15, 2022
stephendonner commented Aug 17, 2022

Also did the following:

  1. installed 1.43.73
  2. launched Brave
  3. loaded brave://ipfs
  4. clicked Install and restart
  5. shut Brave down
  6. removed the following from the config file in the brave_ipfs folder:
     "/dnsaddr/bootstrap.libp2p.io/p2p/QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa",
     "/dnsaddr/bootstrap.libp2p.io/p2p/QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb",
     "/dnsaddr/bootstrap.libp2p.io/p2p/QmcZf59bWwK5XFi76CZX8cbJ4BhTzzA3gU1ZjYZcYW3dwt",
  7. set With NextDNS in brave://settings/security
  8. launched Wireshark
  9. filtered for dns
  10. loaded ipns://brad.crypto

Confirmed DNS lookups went to my selected DoH provider, NextDNS.

stephendonner commented Aug 22, 2022

Verification PASSED using

Brave 1.43.78 Chromium: 104.0.5112.102 (Official Build) beta (x86_64)
Revision 8e5396254975ef939f2ef7d0bd334e48a052b536-refs/branch-heads/5112@{#1478}
OS macOS Version 11.6.8 (Build 20G730)

Case 1: no DoH override: loading IPFS and IPNS URLs works and there are DNS requests with *_dnslink.<ipns part>

  1. installed 1.43.x
  2. launched Brave
  3. loaded brave://ipfs
  4. clicked Install and restart
  5. shut Brave down
  6. launched Wireshark
  7. filtered for dns
  8. loaded ipns://brantly.eth (ENS)
  9. loaded ipns://brad.crypto (Unstoppable Domains)
  10. loaded ipns://en.wikipedia-on-ipfs.org/wiki/Asia/#Economy
  11. loaded ipfs://QmXoypizjW3WknFiJnKLwHCnL72vedxjQkDDP1mXWo6uco/wiki/Tokyo_National_Museum.html

Case 2: DoH override: loading IPFS and IPNS URLs works and there are no DNS requests with *_dnslink.<ipns part>

  1. installed 1.43.x
  2. launched Brave
  3. loaded brave://ipfs
  4. clicked Install and restart
  5. shut Brave down
  6. removed the following from the config file in the brave_ipfs folder:
  7. "/ip4/104.131.131.82/tcp/4001/p2p/QmaCpDMGvV2BGHeYERUEnRQAwe3N8SzbUtfsmvsqQLuvuJ","/ip4/104.131.131.82/udp/4001/quic/p2p/QmaCpDMGvV2BGHeYERUEnRQAwe3N8SzbUtfsmvsqQLuvuJ"
  8. set With NextDNS in brave://settings/security
  9. launched Wireshark
  10. filtered for dns
  11. loaded ipns://brantly.eth (ENS)
  12. loaded ipns://brad.crypto (Unstoppable Domains)
  13. loaded ipns://en.wikipedia-on-ipfs.org/wiki/Asia/#Economy
  14. loaded ipfs://QmXoypizjW3WknFiJnKLwHCnL72vedxjQkDDP1mXWo6uco/wiki/Tokyo_National_Museum.html

Confirmed DNS lookups went to my selected DoH provider, NextDNS.

Confirmed I didn’t see any DNS requests to *_dnslink.

Case 3: Invalid DoH override: IPNS URLs don't load

  1. installed 1.43.x
  2. launched Brave
  3. loaded brave://ipfs
  4. clicked Install and restart
  5. set With Custom in brave://settings/security to https://a.b.c.d
  6. loaded ipns://brantly.eth (ENS)
  7. loaded ipns://brad.crypto (Unstoppable Domains)
  8. loaded ipns://en.wikipedia-on-ipfs.org/wiki/Asia/#Economy
  9. loaded ipfs://QmXoypizjW3WknFiJnKLwHCnL72vedxjQkDDP1mXWo6uco/wiki/Tokyo_National_Museum.html

Confirmed when DoH server is clearly wrong, IPNS resolution doesn't work
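The Wireshark check from cases 1 and 2 above can be automated; the following is an added example, not part of the original verification. It assumes the capture has been exported as tab-separated lines of destination IP, destination port and query name; the function name and both sample captures are constructed.

```python
# Constructed capture for case 1 (no DoH override): the OS resolver on
# port 53 sees the _dnslink lookups in cleartext.
NO_OVERRIDE = [
    "192.0.2.53\t53\t_dnslink.en.wikipedia-on-ipfs.org",
    "192.0.2.53\t53\t_dnslink.brad.crypto.",
    "192.0.2.53\t53\twww.example.com",
]

# Constructed capture for case 2 (DoH override): only the lookup of the
# DoH provider's own hostname is visible on port 53.
DOH_OVERRIDE = [
    "192.0.2.53\t53\tdoh.example",
    "192.0.2.53\t53\twww.example.com",
]

IPNS_HOSTS = ["brantly.eth", "brad.crypto", "en.wikipedia-on-ipfs.org"]


def _norm(name):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.strip().rstrip(".").lower()


def cleartext_dnslink_queries(capture_lines, ipns_hosts):
    """Return (resolver_ip, qname) for every port-53 _dnslink query that
    targets one of the IPNS hostnames loaded during the test."""
    watched = {"_dnslink." + _norm(h) for h in ipns_hosts}
    leaks = []
    for line in capture_lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 3:
            continue                      # skip malformed or partial rows
        dst, port, qname = fields
        if port == "53" and _norm(qname) in watched:
            leaks.append((dst, _norm(qname)))
    return leaks


if __name__ == "__main__":
    print("case 1:", cleartext_dnslink_queries(NO_OVERRIDE, IPNS_HOSTS))
    print("case 2:", cleartext_dnslink_queries(DOH_OVERRIDE, IPNS_HOSTS))
```

A non-empty result while a DoH override is configured means the node is still using the OS resolver for DNSLink lookups.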

@stephendonner stephendonner added QA/In-Progress Indicates that QA is currently in progress for that particular issue and removed QA Pass-macOS QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Aug 22, 2022
cypt4 commented Aug 23, 2022

Some related issues found in Kubo:
ipfs/kubo#9199
ipfs/kubo#9204

@autonome

Should this be reopened?
