WIP: Implement Dns record filtering #1 (Open)
LaakkonenJussi wants to merge 4 commits into sailfishos:master from LaakkonenJussi:dns_record_filtering
Conversation
FilterDNSRecords option determines whether to use DNS request/reply filtering in dnsproxy.c. By default the value is true and filtering is on to avoid DNS leaks when using IPv4 VPN over transport that also supports IPv6. In systems where multiple networks are simultaneously utilized this option should be explicitly set as false to disable the filtering.
[resolver] Support options in resolvfile and prepending entries. JB#48769 Add support for enabling options in resolvfile with a simple toggle function. This currently enables the 'single-request' option, which is intended to be used when only either of the IP families is in use. The reason is that with this option the requests are sequential instead of parallel and will eliminate the default delay. However, the queries take twice the time to complete when this option is set, so it is not to be set when both IP families are supported. Many glibc applications do both A and AAAA queries in parallel. Added also support for prepending a nameserver entry to the top of the list. This allows putting an IPv6 nameserver on top of IPv4.
[dnsproxy] Filter DNS records based on IP families enabled. JB#48769 If a VPN is connected over a transport that supports both IPv4 and IPv6 and the VPN is IPv4 only, AAAA DNS queries are also sent, thus responses may contain AAAA records if the DNS server supports them. In such a case, connections can be made over the transport's IPv6 network, bypassing the VPN connection. The issue may get even worse if SingleConnectedTech is not used and there are multiple networks online at the same time. If networks A and B are both online and A supports IPv4 and IPv6, whereas B, being the default service, supports only IPv4 and is the transport used for a VPN, then traffic is routed to A's IPv6 network if there is an AAAA record for the requested domain name. Therefore, it is imperative to filter out the DNS requests and replies that have no network available on the default service. This change makes this behavior configurable, as in some setups multiple network types and/or services are to be used in conjunction. When the request type is filtered out the response is sent as an ns_r_noerror message containing the authoritative bit. No query is done in this case. If the DNS record is other than A or AAAA (e.g., CNAME), it will be processed. To be able to detect the type of the DNS request/reply, cache_check() is changed to always set the type before returning in case the type is something else than A or AAAA. This allows filtering out the A/AAAA records when the necessary IP family is not connected on the default service, and also allows returning a reply when the type is not A/AAAA, e.g., CNAME. Default service and ipconfig notifications are utilized to set the correct IP family types enabled on dnsproxy. When the IP family is disabled it is also removed from resolvfile, and when only either of IPv4 and IPv6 is used the additional options are enabled as well in the resolvfile. This is to minimize the delays caused by applications sending both A and AAAA requests, as the currently used 'single-request' forces the requests to be sequential. Also, replace all static 1/5/28 use for DNS record types with the correct types from arpa/nameser.h.
Kind of forgot what is to be done with this one. It simply may be that in every situation this does not work and it heavily enforces the current default service's enabled ipconfig types on the filtering. But eventually, that is the effect of this feature. Need to revisit this later on, and to have it as optional at least.
A work-in-progress version of DNS record filtering. ipconfig notifications are sometimes lacking either of the IP families, so this does need some work still.
This addresses the issue of leaking data to the IPv6 network when an IPv4 VPN is connected using a transport that supports both IP networks. This can happen because the DNS can return IPv6 (AAAA) records as well, and AAAA records are also requested if IPv6 is enabled on an online service. Since IPv6 is preferred over IPv4, the AAAA record is used and the connection is made over the IPv6 network, bypassing the default service in such a case. By filtering out the DNS records based on the networks that the default service has in the connected state, this issue is prevented from happening.
An option is added to configuration to toggle whether the feature implemented here is enabled or not. By default the option FilterDNSRecords is on (true). TODO: this could be the other way around now as there are other means to prevent using IPv6 with VPNs.
This is a moved PR from https://git.sailfishos.org/mer-core/connman/merge_requests/307
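The request-side filtering that the dnsproxy commit message and the PR description describe, as an added example in C (not connman's own dnsproxy.c code): it assumes a hypothetical `families` bitmask standing in for the default service's connected ipconfig types, reads the QTYPE of a constructed query, and for an A or AAAA type whose family is down synthesizes the ns_r_noerror reply with the authoritative bit and no answer records, while anything else (CNAME included) is left to be forwarded.

```c
#include <arpa/nameser.h>   /* ns_t_a, ns_t_aaaa, ns_r_noerror, as the commit uses */
#include <stdint.h>
#include <string.h>

/* IP families connected on the default service (hypothetical flags). */
#define FAMILY_IPV4 0x1u
#define FAMILY_IPV6 0x2u

/* Constructed query: ID 0x1234, RD set, one question "example.com" AAAA. */
const uint8_t query_aaaa[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, ns_t_aaaa, 0x00, 0x01 };

/* QTYPE of the first question (-1 if malformed); *qend = end of question section. */
static int query_type(const uint8_t *pkt, size_t len, size_t *qend)
{
    size_t off = 12;                                   /* fixed 12-byte header */
    if (len < 12 || (pkt[4] << 8 | pkt[5]) < 1) return -1;   /* QDCOUNT >= 1 */
    while (off < len) {                                /* walk the QNAME labels */
        uint8_t l = pkt[off];
        if (l == 0) { off += 1; break; }               /* root label ends the name */
        if ((l & 0xC0) == 0xC0) { off += 2; break; }   /* compression pointer */
        off += l + 1;
    }
    if (off + 4 > len) return -1;
    *qend = off + 4;                                   /* QTYPE + QCLASS */
    return pkt[off] << 8 | pkt[off + 1];
}

/* Returns 1 and writes an authoritative NOERROR reply with no records into resp
 * (at least qlen bytes) when the record type has no connected family; 0 when the
 * query is to be forwarded as-is (A/AAAA with its family up, or any other type
 * such as CNAME); -1 for malformed packets. */
int filter_dns_query(const uint8_t *q, size_t qlen, unsigned families,
                     uint8_t *resp, size_t *resp_len)
{
    size_t qend;
    int type = query_type(q, qlen, &qend);
    if (type < 0) return -1;
    if (!((type == ns_t_a && !(families & FAMILY_IPV4)) ||
          (type == ns_t_aaaa && !(families & FAMILY_IPV6))))
        return 0;
    memcpy(resp, q, qend);                             /* echo ID, flags and question */
    resp[2] |= 0x80 | 0x04;                            /* QR=1 (response), AA=1 (authoritative) */
    resp[3] = (resp[3] & 0xF0) | ns_r_noerror;         /* RCODE = NOERROR */
    memset(resp + 6, 0, 6);                            /* ANCOUNT, NSCOUNT, ARCOUNT = 0 */
    *resp_len = qend;
    return 1;
}
```

With only FAMILY_IPV4 connected the AAAA query above is answered locally with an empty authoritative NOERROR reply, so no upstream query is made and no IPv6 address can be returned to the application.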