DNS always goes through Tor
Closed this issue · 3 comments
Even though I've set some apps to bypass Tor altogether, their DNS lookups still seem to get forced through the local DNS resolver supplied by Tor on port 5400...
Hello,
Unfortunately, due to an Android change since 4.3, all DNS queries are done as the "root" user. The change makes the system use the in-kernel resolver, which provides some internal caching but masquerades the real user…
Thus, orwall cannot properly filter applications that use the default system resolution. Some apps use an internal system, like Firefox (at least it did), so those ones can be sorted out.
Orwall cannot undo the change in Android, as it's a flag set at compilation time. There's an old thread on xda about that (just found it in my mails).
Just for information: orwall still adds per-application rules, so if you have some old (or custom) ROM, it will do the necessary thing. I might add an option to either activate or not the "root resolution", but it's an advanced setting and most users won't understand it, and will come back here saying "doesn't work" :(.
And yes, proxying all "as root" is really bad, but on my side, I can't do anything…
I'm thus forced to flag this as "invalid" and close the issue.
Pushing all DNS resolution through Tor creates some issues, especially on captive wifi connections, as they use a fake DNS resolver in order to redirect to the login page. That said, I have to correct orwall for this particular point, I think there are still issues… But that's another story.
Cheers,
C.
Ouch. I guess that means an app which is prevented from accessing the Internet by Orwall can still get out simply by "tunnelling" over DNS?
I realise that this is not something which Orwall can prevent due to the changes in Android, but perhaps there could be some sort of detection of the problem and warning displayed?
Indeed, a locked-out app might do some DNS queries. Knowing that, some malicious app might send messages, though it would be hard, I think.
We might add a "warning" if Android is older than 4.2 (or if we have some way to detect the DNS way), but… do people really read warning messages? :/ Shitty situation.
We have thought about that with Mike Perry from Torproject, but without reaching a solution. It's really a bad move from Android devs, though we might understand it (better performance, DNS cache sharing among apps and so on).
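Since the thread concludes that per-UID rules can no longer tell which app issued a DNS query (every lookup arrives as root), the remaining defensive option is to look at the queries themselves. The following is an added example, not part of this issue or of orwall's code: a small heuristic that flags resolver log entries whose client-controlled labels look like encoded data, the pattern a "tunnelling over DNS" app would produce. The log line format and the sample entries are constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed resolver log (hypothetical format). Every line carries uid=0 because,
# as the thread explains, the system resolver performs lookups as root, so the
# owner-match rules orwall relies on cannot attribute a query to an app.
SAMPLE_LOG = """\
uid=0 query=www.torproject.org
uid=0 query=mail.example.org
uid=0 query=4e6f77206c6f6f6b.696e20746865206d.7261646f72.tunnel.example.net
uid=0 query=MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43UOV3HO.tunnel.example.net
uid=0 query=update.fdroid.org
"""

LINE_RE = re.compile(r"uid=(?P<uid>\d+) query=(?P<name>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_tunnel(name: str, max_label: int = 24, min_entropy: float = 3.2) -> bool:
    """Heuristic: an unusually long label, or high-entropy text in the labels the
    client controls, is typical of data encoded into a query name. The last two
    labels (registrable domain) are ignored since they are fixed per tunnel."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 3:
        return False
    client_part = labels[:-2]
    longest = max(len(label) for label in client_part)
    return longest > max_label or shannon_entropy("".join(client_part)) > min_entropy


def flag_suspicious(log: str) -> list:
    """Return the query names the heuristic flags, in log order."""
    flagged = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m and looks_like_tunnel(m.group("name")):
            flagged.append(m.group("name"))
    return flagged


if __name__ == "__main__":
    for name in flag_suspicious(SAMPLE_LOG):
        print("suspicious:", name)
```

Thresholds are deliberately simple; on a real resolver log they would be tuned against the device's normal query mix, and ordinary CDN hostnames can occasionally trip the entropy check.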