DoT (DNS over TLS, including auto mode) of Android 9 blocks the use of v2/v3 onion services

Open ValZapod opened this issue 3 years ago • 18 comments

The VPN's DNS that you set up (which, BTW, sometimes does not turn off when you turn off Tor, funny) does not work if you use Tor apps for VPN (apps for VPN vs. VPN for the whole device does not matter though). I suppose that is because you somehow do not set DNS, at least for .onion (see RFC 7686), since dnsleak shows only Google DoT DNS servers.

THIS IS a regression. Just 1 month ago it was working. Also, I am using 16.4.1-RC-2-tor.0.4.4.6 (beta program on Google Play). Should I check out master? Or test older versions? Thanks.

ValZapod avatar Jun 07 '21 10:06 ValZapod

If you set the Private VPN feature to "Auto" or "Off" even, it is still possible. You might also instead use something like RethinkDNS, which secures your DNS, adds an app firewall option, AND integrates nicely with Orbot. https://rethinkdns.com/

Which apps are you trying to use over the VPN with onion services? Chrome and Brave Browser still do work with onion addresses. Firefox browsers do not.

n8fr8 avatar Jun 07 '21 13:06 n8fr8

Maybe you can try our latest ALPHA release?

https://github.com/guardianproject/orbot/releases/tag/16.5.0-ALPHA-2-tor.0.4.5.7

It isn't 100% stable, but I am using it daily now.

n8fr8 avatar Jun 07 '21 13:06 n8fr8

If you set the Private VPN feature to "Auto"

No, it is not. Only off. Also, Firefox works with off. about:config has a special flag, but about:config only works in Firefox Nightly. Sigh.

ValZapod avatar Jun 07 '21 14:06 ValZapod

Maybe you can try our latest ALPHA release?

https://github.com/guardianproject/orbot/releases/tag/16.5.0-ALPHA-2-tor.0.4.5.7

It isn't 100% stable, but I am using it daily now.

Also does not work. Only with off.

ValZapod avatar Jun 07 '21 14:06 ValZapod

Any updates? I tested some older versions, could not find a working version. 16.4.0-RC2-2a is bad. Are there any ideas to implement actual DoT-compliant stuff? Also, I do not understand why DoT even works with a VPN?? Should not the VPN force its own DNS, for quite obvious reasons? THIS IS WHAT IS called a DNS leak and means the VPN is broken.

ValZapod avatar Jun 23 '21 03:06 ValZapod

Android has a perspective that the user should be able to override and force their DNS setting, so if they want to use DoT / Google DNS / Cloudflare etc., and have configured a private DNS, then that is what it should be. I would not consider that a leak.

There are so many moving parts here, it is hard to even tell what is going on, and if this is actually a regression or bug of ours.

  1. Each Android release is a bit different in how private DNS works, and how it interacts with VPN services
  2. Popular community ROMs often introduce breakages and instability in the network stack through small tweaks
  3. Each browser and app is slightly different in how it handles DNS resolution
  4. Our support for DNS resolution in the VPN environment in Orbot does need a major upgrade (which is happening - see tun2tor), and can behave differently on different OS/hardware combinations
  5. The Tor network is volunteer driven and always shifting in terms of reachability and stability

Ultimately, if you need to access an Onion service, use Tor Browser for Android, or an app that specifically supports Orbot integration.

In addition, I am using a Google Pixel device with the latest standard security-updated ROM, and DNS resolution of Onion services is working just fine with Orbot.

n8fr8 avatar Jun 24 '21 13:06 n8fr8

DNS resolution of Onion services is working just fine with Orbot.

With turned on private DNS?

3. browser and app is slightly different in how it handles DNS resolution

Yeah, browsers (Firefox and Chrome) have their own resolvers, sure, but that is for ESNI/ECH, since it needs an IN TXT (or IN ESNI) DNS RR, which is hard to do with the system resolver.

4. DNS resolution in the VPN environment in Orbot

So it is theoretically possible to fix?

ValZapod avatar Jun 24 '21 13:06 ValZapod

Ultimately, if you need to access an Onion service, use Tor Browser for Android, or an app that specifically supports Orbot integration.

Just to give some motivation for this issue: I use a lot of onion services for things that are ostensibly supposed to be hosted on public servers, but are, for my purposes, lightweight enough to host on my home network (and I don't want to set up DNS for them). E.g., calendars, IRC bouncer, RSS aggregation, etc. Convincing each of the relevant app developers they need to spend some of their dev time for better Orbot integration just isn't going to happen, at least not in the near future. (Heck, for some of them it's hard enough to convince them to apply basic security patches.)

In addition, I am using a Google Pixel device with the latest standard security-updated ROM, and DNS resolution of Onion services is working just fine with Orbot.

I'm using LineageOS 18.1 (Android 11), and it only works with DoH completely turned off.

jtracey avatar Aug 26 '21 01:08 jtracey

Any updates? I tested some older versions, could not find a working version. 16.4.0-RC2-2a is bad. Are there any ideas to implement actual DoT-compliant stuff? Also, I do not understand why DoT even works with a VPN?? Should not the VPN force its own DNS, for quite obvious reasons? THIS IS WHAT IS called a DNS leak and means the VPN is broken.

Read through celzero/rethink-app#25 if you can follow code. tl;dr is Android does not forward DNS requests to the VPN-set DNS endpoint (and it also does not forward hotspot traffic or http-proxy [set by OS/network] traffic).

But: VPN dropping packets incoming on port 853 would stop the "leak".

ignoramous avatar Aug 28 '21 03:08 ignoramous
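As an added example (not Orbot's code and not from any commenter), the two defensive checks the comment above implies, written in Python over constructed flow records: never sending .onion names to DNS per RFC 7686, and dropping outbound TCP/853 so Private DNS (DoT) cannot bypass the tunnel resolver. The resolver address 10.8.0.1, the Flow model and the sample traffic are assumptions made for the example.

```python
"""Added example, not Orbot code: checks a VPN service could apply to
flows seen on its tun interface. Flow records below are constructed."""
from dataclasses import dataclass

DOT_PORT = 853        # DNS over TLS (RFC 7858)
PLAIN_DNS_PORT = 53


@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    qname: str = ""   # DNS question name if this is a DNS query, else ""


def is_onion(name: str) -> bool:
    """True for names under the .onion special-use TLD (RFC 7686)."""
    labels = name.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == "onion"


def classify(flow: Flow, vpn_resolver: str) -> str:
    """Return the action the VPN should take for one flow."""
    if flow.qname and is_onion(flow.qname):
        # RFC 7686: .onion must not be resolved via DNS; hand the name to
        # Tor (e.g. via SOCKS/tun2tor) instead of forwarding the query.
        return "route-to-tor"
    if flow.proto == "tcp" and flow.dst_port == DOT_PORT:
        # Android Private DNS goes around the VPN-set resolver; dropping
        # TCP/853 stops that path (the mitigation named in the thread).
        return "drop-dot-leak"
    if flow.dst_port == PLAIN_DNS_PORT and flow.dst_ip != vpn_resolver:
        # Assumed policy: plain DNS to any other server is steered back.
        return "redirect-to-vpn-resolver"
    return "forward"


def audit(flows, vpn_resolver="10.8.0.1"):
    """Count actions over a batch of flows; returns {action: count}."""
    counts = {}
    for f in flows:
        action = classify(f, vpn_resolver)
        counts[action] = counts.get(action, 0) + 1
    return counts


SAMPLE_FLOWS = [                                   # constructed traffic
    Flow("tcp", "8.8.8.8", 853),                   # DoT past the tunnel
    Flow("udp", "10.8.0.1", 53, "example.com"),    # via VPN resolver
    Flow("udp", "10.8.0.1", 53, "abc.onion."),     # must go to Tor
    Flow("udp", "1.1.1.1", 53, "example.org"),     # plain DNS elsewhere
    Flow("tcp", "93.184.216.34", 443),             # ordinary HTTPS
]
```

Running `audit(SAMPLE_FLOWS)` shows one DoT flow to drop, one .onion query to divert to Tor, and one plain-DNS query to redirect; the remaining flows are forwarded untouched.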

Any new ideas?

ValZapod avatar Oct 20 '21 13:10 ValZapod

I still do not understand why VPN cannot force the DNS servers. I suppose that is just a bug in android.

ValZapod avatar Feb 18 '22 13:02 ValZapod

Have you tried the latest releases? We have completely refactored the DNS handling code, and it works more reliably.

https://github.com/guardianproject/orbot/releases/tag/16.6.0-RC-2-tor.0.4.6.9

We aren't yet dropping packets on 853, but we now have the capability to do so.

n8fr8 avatar Feb 18 '22 13:02 n8fr8

Have you tried the latest releases?

I am trying to stay on Google Play stable for now. Can't you check yourself? BTW, I can install it if your Tor binary has this commit applied. Does it have it? https://gitlab.torproject.org/search?scope=merge_requests&search=supported_groups

Anyway, Moscow fully banned Tor yesterday after months of "work", in the biggest MGTS AS. So it is of no use to me really; Snowflake is too slow.

Until you remove Onionoo it will still leak in Wikipedia and Cloudflare.

ValZapod avatar Feb 18 '22 14:02 ValZapod

Onionoo has been fully removed from orbot

bitmold avatar Feb 18 '22 14:02 bitmold

BTW, I can install it if your Tor binary has this commit applied. Does it have it? https://gitlab.torproject.org/search?scope=merge_requests&search=supported_groups

That commit is to Snowflake's binary, not Tor, but yes, the latest Orbot includes it; it's built against the latest Snowflake release.

bitmold avatar Feb 18 '22 14:02 bitmold

Onionoo has been fully removed from orbot

But it is still activated globally.

ValZapod avatar Feb 18 '22 14:02 ValZapod

Running the 16.6.0-RC-2-tor.0.4.6.9 build from the Guardian Project F-Droid repo, I saw the following behavior:

  • prior to upgrade, onion addresses resolve with DoH disabled
  • upgrade, onion addresses fail to resolve at all
  • reboot device, onion addresses resolve again
  • enable DoH, onion addresses continue to resolve
  • reboot device, onion addresses fail to resolve
  • disable DoH, onion addresses fail to resolve
  • reboot device, onion addresses fail to resolve
  • reboot device, onion addresses resolve
  • enable DoH, reboot, orbot hangs before tor starts bootstrapping (at Orbot is starting...)
  • deactivate and reactivate orbot, still hangs before bootstrapping begins, retry again, succeeds, onion services resolve \o/

So the good news is, I think you got the DNS issue... resolved (:wink:), but there's at least one other issue, maybe some sort of race condition. To be clear, Orbot did successfully bootstrap in all the cases other than the two I note it failed, regardless of the onion address behavior. I did notice that the logs were sometimes spammy, lots of messages about port 443, but I didn't stop to look into them, and it's looking fine now -- no idea if that correlated with the onion service issues, sorry. Let me know if you need logs, or a new issue.

jtracey avatar Feb 18 '22 17:02 jtracey

Thanks, we have seen some of this as well, and are looking into the race possibility. It only happens if you start on boot.

n8fr8 avatar Feb 18 '22 17:02 n8fr8