imgk/shadow

DNS Leak

pundoo opened this issue · 4 comments

For some reason the main DNS is leaking! Also, do we even need a DNS query for SOCKS? If I'm not wrong, SOCKS can work directly with host names?!

Config:

{
    "server": {
        "protocol": "socks",
        "url": "socks://127.0.0.1:1080"
    },
    "name_server": "https://8.8.8.8:443/dns-query",
    "tun_name": "Tunnel",
    "tun_addr": ["192.168.8.101/24"],
    "ip_cidr_rules": {
        "proxy": [
            "198.18.0.0/16",
            "8.8.8.8/32"
        ]
    },
    "domain_rules": {
        "proxy": ["**.*"],
        "direct": [],
        "blocked": []
    }
}
imgk commented

What do you mean DNS leaking?

As you are using Wintun, Windows will send DNS queries to your default DNS server, which is 192.168.8.1. These DNS queries will be hijacked. If you have set up another DNS server, DNS queries will not be hijacked.

Some programs, like Firefox, can use other DNS servers, for example, 1.1.1.1. These DNS queries will not be hijacked.

The reason why you need to set up a DNS server is that for domain names in domain_rules.direct, DNS queries will be sent to the DNS server directly.

Hijacking all DNS queries is to use fake IP mode for selective proxying.

If you want to use shadow as a global proxy, you need to set up the Windows route table by yourself, diverting all data to shadow except data to the proxy server.

route delete 0.0.0.0 mask 0.0.0.0 $(depends on your network)
route add $(proxy IP) mask 255.255.255.255 $(depends on your network)
route add 0.0.0.0 mask 0.0.0.0 192.168.8.1

The commands will be similar to the ones shown above. I did not test these commands.

https://www.howtogeek.com/howto/windows/adding-a-tcpip-route-to-the-windows-routing-table/

{
    "server": {
        "protocol": "socks",
        "url": "socks://127.0.0.1:1080"
    },
    "name_server": "https://8.8.8.8:443/dns-query",
    "tun_name": "Tunnel",
    "tun_addr": ["192.168.8.101/24"],
    "ip_cidr_rules": {
        "proxy": [
        ]
    },
    "domain_rules": {
        "proxy": [],
        "direct": ["**.*"],
        "blocked": []
    }
}
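The route-table procedure described in the comment above, as an added example that is not code from the shadow project or from either participant in this thread. It does the three steps (pin the proxy server to the physical path, remove the physical default route, add a default route into the tun) with the Net* cmdlets instead of `route.exe`, saves the original route so it can be restored, and then checks, for every DNS server configured on any interface, whether queries to it would enter the tun (and be hijacked by shadow) or go out a physical interface (and show up in a leak test). Assumed values not in the original: the tun adapter is named "Tunnel" (the `tun_name` in the config), shadow's gateway inside `192.168.8.101/24` is `192.168.8.1`, `$ProxyServerIp` is the upstream address that the local SOCKS server on 127.0.0.1:1080 connects to, and `203.0.113.10` in the usage line is a placeholder. Routes are written to the ActiveStore only, so a reboot undoes them; run from an elevated PowerShell.

```powershell
# Added example, not from the shadow project. Assumptions: tun adapter "Tunnel",
# tun gateway 192.168.8.1, $ProxyServerIp = upstream of the local SOCKS server.

function Get-OriginalDefaultRoute {
    param([string] $TunAdapterName = "Tunnel")
    $tunIndex = (Get-NetAdapter -Name $TunAdapterName).ifIndex
    # Lowest-metric IPv4 default route that does not already point into the tun.
    return Get-NetRoute -DestinationPrefix "0.0.0.0/0" -AddressFamily IPv4 |
        Where-Object { $_.InterfaceIndex -ne $tunIndex } |
        Sort-Object RouteMetric |
        Select-Object -First 1
}

function Set-GlobalProxyRoutes {
    param(
        [Parameter(Mandatory)] [string] $ProxyServerIp,   # assumption: upstream proxy address
        [string] $TunAdapterName = "Tunnel",
        [string] $TunGateway = "192.168.8.1"
    )
    $orig = Get-OriginalDefaultRoute -TunAdapterName $TunAdapterName
    if (-not $orig) { throw "no non-tun default route found; nothing to replace" }
    $tunIndex = (Get-NetAdapter -Name $TunAdapterName).ifIndex

    # 1. Host route for the proxy server via the original gateway, otherwise its
    #    own traffic would loop back into the tun once the default route moves.
    New-NetRoute -DestinationPrefix "$ProxyServerIp/32" -InterfaceIndex $orig.InterfaceIndex `
        -NextHop $orig.NextHop -RouteMetric 1 -PolicyStore ActiveStore | Out-Null

    # 2. Remove the physical default route (the "route delete 0.0.0.0" step).
    Remove-NetRoute -DestinationPrefix "0.0.0.0/0" -InterfaceIndex $orig.InterfaceIndex `
        -NextHop $orig.NextHop -Confirm:$false

    # 3. Everything else goes into the tun, where shadow picks it up.
    New-NetRoute -DestinationPrefix "0.0.0.0/0" -InterfaceIndex $tunIndex `
        -NextHop $TunGateway -RouteMetric 1 -PolicyStore ActiveStore | Out-Null

    return $orig   # keep this object to restore the table later
}

function Restore-DefaultRoute {
    param([Parameter(Mandatory)] $Saved, [string] $TunAdapterName = "Tunnel")
    $tunIndex = (Get-NetAdapter -Name $TunAdapterName).ifIndex
    Remove-NetRoute -DestinationPrefix "0.0.0.0/0" -InterfaceIndex $tunIndex -Confirm:$false
    New-NetRoute -DestinationPrefix "0.0.0.0/0" -InterfaceIndex $Saved.InterfaceIndex `
        -NextHop $Saved.NextHop -RouteMetric $Saved.RouteMetric -PolicyStore ActiveStore | Out-Null
}

function Test-DnsRouting {
    param([string] $TunAdapterName = "Tunnel")
    $tunIndex = (Get-NetAdapter -Name $TunAdapterName).ifIndex
    # Every IPv4 resolver any interface is configured with (the ISP's included).
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique
    foreach ($ip in $servers) {
        # Find-NetRoute emits a NetIPAddress and a NetRoute object; keep the route.
        $route = Find-NetRoute -RemoteIPAddress $ip |
            Where-Object { $_.PSObject.Properties['DestinationPrefix'] }
        [pscustomobject]@{
            DnsServer    = $ip
            ViaInterface = $route.InterfaceAlias
            Route        = $route.DestinationPrefix
            # Queries routed into the tun are hijacked and answered by shadow;
            # anything else reaches that resolver directly and leaks.
            Leaks        = ($route.InterfaceIndex -ne $tunIndex)
        }
    }
}

# Usage (elevated; 203.0.113.10 is a placeholder for the real proxy server):
#   $saved = Set-GlobalProxyRoutes -ProxyServerIp 203.0.113.10
#   Test-DnsRouting | Format-Table
#   Restore-DefaultRoute -Saved $saved
```

A row with `Leaks = True` is exactly the situation at the end of this thread: a more specific route to the resolver (for example a host route on the main NIC) wins over the tun's default route, so that resolver's queries never pass through shadow. Deleting that route, or moving it into the tun, is the fix.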

Nothing's different after modifying the routing table! It's still leaking/showing my ISP's DNS when I do a DNS leak test.

Not sure if it's supposed to work like this, despite all queries being "hijacked" and routed to 'name_server'. The only time it doesn't leak is when I set a different DNS on my main network interface (as opposed to setting 192.168.8.1 or not setting it at all).

imgk commented

I'm not sure how the DNS leak test works. If you need to protect your privacy by diverting all DNS queries to DNS servers other than the ISP's, shadow does do it. However, you cannot detect it, as shadow hijacks all DNS queries, gets responses from the customized DNS server and sends the answers back using the original destination address. For example, if your ISP DNS server is 1.2.3.4 and all queries are sent to this server, shadow will hijack all queries and send responses with the address 1.2.3.4. The system will think these responses are from 1.2.3.4. Actually, all responses are generated by shadow.

OK, looks like it was a routing issue. I had to delete the default DNS route for the main NIC. Shadow indeed works as expected after that.

Thanks for your effort and this wonderful tool :)