How to avoid DNS leaks? #590

Open
beelze opened this issue Jan 2, 2025 · 3 comments

beelze commented Jan 2, 2025

DNS not leaked:

# proxychains wget -q ipinfo.io/ip -O -
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib64/libproxychains.so.4.17
[proxychains] DLL init: proxychains-ng 4.17
Prepended http:// to 'ipinfo.io/ip'
[proxychains] Strict chain  ...  xx.xx.xx.xx:yy  ...  ipinfo.io:80  ...  OK
94.131.98.223

All is ok, DNS query went through system resolver on proxy server side (checked via tcpdump)
but:

# proxychains curl ipinfo.io/ip
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib64/libproxychains.so.4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  xx.xx.xx.xx:yy  ...  34.117.59.81:80  ...  OK
94.131.98.223

Leaked, DNS query went through localhost system resolver (checked via tcpdump).

proxychains.conf:

strict_chain
proxy_dns_daemon 127.0.0.1:1053
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 xx.xx.xx.xx yy usr pwd

I encountered this issue while trying to find a solution for a more generic problem: complete elimination of the "DNS leak" issue.
Of course, it can't be done at localhost, so I'm tunneling all traffic via a "router" running tun2socks, but resolving is still a problem – tunneling DNS queries via proxy is a «leak» too. The one and only solution is delegating resolution to a SOCKS proxy, and I'm trying to understand if it can be done with proxychains.

Owner

rofl0r commented Jan 2, 2025

odd. can you figure out how curl does its DNS lookups? if your analysis is correct, it would appear it doesn't use libc facilities but rather its own UDP code or another library that circumvents the libc APIs.

Author

beelze commented Jan 3, 2025

I did strace of curl ipinfo.io/ip.
curl.log

seems c-ares (AsynchDNS) is to blame:

# curl -V
curl 8.10.1 (x86_64-pc-linux-gnu) libcurl/8.10.1 OpenSSL/3.3.2 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 c-ares/1.34.3 libpsl/0.21.5 nghttp2/1.62.1 nghttp3/1.7.0
Release-Date: 2024-09-18
Protocols: dict file ftp ftps http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smtp smtps tftp ws wss
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile libz NTLM PSL SSL threadsafe TLS-SRP UnixSockets zstd

Owner

rofl0r commented Jan 4, 2025

nice research.
while it's theoretically possible (with considerable effort) to capture the udp traffic and return a fake ip address (just like proxy_dns does currently), i don't think it's gonna be implemented in the near future. your best option is to recompile curl from source and disable the use of c-ares (assuming that's still possible).
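
Added example, not part of the thread and not proxychains-ng code: a shell check built on the two observations in this issue. It flags chain lines whose final hop is a literal IPv4 address (as in the curl run) and reads `curl -V` output for a c-ares build. The function names are hypothetical, the sample lines are taken from the issue, and a literal-IP hop is only a hint, since a program that was given an IP directly produces the same line.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample input is from the issue.

# stdin: proxychains stderr. Prints "OK <target>" when the final hop is a hostname
# (the name was handed to the proxy) and "LEAK-SUSPECT <target>" when it is a
# literal IPv4 address (the program resolved the name itself, or was given an IP).
# Returns 1 if any suspect line was seen.
classify_chain_targets() {
    awk '
        /^\[proxychains\] [A-Za-z ]+ chain[ ]+\.\.\.[ ]/ {
            n = split($0, hop, /[ ]+\.\.\.[ ]+/)   # hop[n] = status, hop[n-1] = target
            if (n < 3) next
            target = hop[n - 1]
            host = target
            sub(/:[0-9]+$/, "", host)
            if (host ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                print "LEAK-SUSPECT " target
                bad = 1
            } else {
                print "OK " target
            }
        }
        END { exit bad + 0 }
    '
}

# stdin: `curl -V` output. Prints the resolver backend of that build.
curl_resolver_backend() {
    awk '
        NR == 1 && /(^| )c-ares\// { ares = 1 }
        /^Features:/ && /[ ]AsynchDNS( |$)/ { async = 1 }
        END {
            if (ares) print "c-ares"            # own DNS client, bypasses libc
            else if (async) print "threaded"    # getaddrinfo() in a helper thread
            else print "synchronous"            # blocking libc lookup
        }
    '
}

# Sample input: chain lines as posted; version output shortened from the issue.
WGET_LOG='[proxychains] Strict chain  ...  xx.xx.xx.xx:yy  ...  ipinfo.io:80  ...  OK'
CURL_LOG='[proxychains] Strict chain  ...  xx.xx.xx.xx:yy  ...  34.117.59.81:80  ...  OK'
CURL_V='curl 8.10.1 (x86_64-pc-linux-gnu) libcurl/8.10.1 OpenSSL/3.3.2 c-ares/1.34.3
Features: alt-svc AsynchDNS brotli HSTS IPv6'

printf '%s\n' "$WGET_LOG" | classify_chain_targets || true
printf '%s\n' "$CURL_LOG" | classify_chain_targets || true
printf '%s\n' "$CURL_V" | curl_resolver_backend
```

Against a live run, capture proxychains' stderr (for example `2>chain.log`) and pipe that file into `classify_chain_targets`.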
