How to avoid DNS leaks?
DNS not leaked:
# proxychains wget -q ipinfo.io/ip -O -
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib64/libproxychains.so.4.17
[proxychains] DLL init: proxychains-ng 4.17
Prepended http:// to 'ipinfo.io/ip'
[proxychains] Strict chain ... xx.xx.xx.xx:yy ... ipinfo.io:80 ... OK
94.131.98.223
All is OK, the DNS query went through the system resolver on the proxy server side (checked via tcpdump), but:
# proxychains curl ipinfo.io/ip
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib64/libproxychains.so.4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... xx.xx.xx.xx:yy ... 34.117.59.81:80 ... OK
94.131.98.223
Leaked: the DNS query went through the localhost system resolver (checked via tcpdump).
proxychains.conf:
strict_chain
proxy_dns_daemon 127.0.0.1:1053
remote_dns_subnet 224
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 xx.xx.xx.xx yy usr pwd
I encountered this issue trying to find a solution for a more generic problem: the complete elimination of the "DNS leak" issue. Of course, it can't be done on localhost, so I'm tunneling all traffic via a "router" running tun2socks, but resolving is still a problem: tunneling DNS queries via the proxy is a "leak" too. The one and only solution is delegating the resolve to a SOCKS proxy, and I'm trying to understand if it can be done with proxychains.
odd. can you figure out how curl does its DNS lookups? if your analysis is correct, it would appear it doesn't use libc facilities but rather its own UDP code or another library that circumvents the libc APIs.
I did an strace of curl ipinfo.io/ip (attachment: curl.log). It seems c-ares (AsynchDNS) is to blame:
# curl -V
curl 8.10.1 (x86_64-pc-linux-gnu) libcurl/8.10.1 OpenSSL/3.3.2 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 c-ares/1.34.3 libpsl/0.21.5 nghttp2/1.62.1 nghttp3/1.7.0
Release-Date: 2024-09-18
Protocols: dict file ftp ftps http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smtp smtps tftp ws wss
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTP3 HTTPS-proxy IPv6 Largefile libz NTLM PSL SSL threadsafe TLS-SRP UnixSockets zstd
nice research. while it's theoretically possible (with considerable effort) to capture the UDP traffic and return a fake IP address (just like proxy_dns does currently), I don't think it's gonna be implemented in the near future. your best option is to recompile curl from source and disable the use of c-ares (assuming that's still possible).
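The strace-based diagnosis above can be automated. The following is an added example, not code from the proxychains-ng project or from anyone in this thread: it scans `strace -e trace=network` output for DNS queries sent over the program's own UDP sockets (which proxychains' getaddrinfo()/gethostbyname() hooks never see) and checks `curl -V` for c-ares. The strace lines are constructed, and their exact format is an assumption.

```python
"""Diagnose where a program's DNS queries go, from an strace network log."""
import re

# Constructed sample of `strace -e trace=network` output (exact format is an
# assumption): a c-ares style resolver opens its own UDP socket to the local
# stub resolver, then the real TCP connection goes to the SOCKS proxy.
SAMPLE_STRACE = r"""
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_UDP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 0
sendto(5, "\x12\x34\x01\x00\x00\x01\x00\x00", 30, MSG_NOSIGNAL, NULL, 0) = 30
socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 6
connect(6, {sa_family=AF_INET, sin_port=htons(1080), sin_addr=inet_addr("10.0.0.2")}, 16) = 0
"""

SOCKET_RE = re.compile(r'^socket\(AF_INET6?, ([A-Z_|]+).*\) = (\d+)$')
DNS_PEER_RE = re.compile(r'^(connect|sendto)\((\d+), .*sin6?_port=htons\(53\).*"([0-9a-f.:]+)"')
SENDTO_RE = re.compile(r'^sendto\((\d+),')

def find_dns_leaks(strace_text):
    """Return [(syscall, fd, resolver_ip)] for DNS traffic on UDP sockets.
    Such queries bypass getaddrinfo()/gethostbyname(), so an LD_PRELOAD hook
    like proxychains' proxy_dns cannot redirect them through the proxy."""
    udp_fds, dns_peer, leaks = set(), {}, []
    for line in strace_text.splitlines():
        m = SOCKET_RE.match(line)
        if m:                                  # fd numbers get reused: reset state
            fd = int(m.group(2))
            udp_fds.discard(fd)
            dns_peer.pop(fd, None)
            if "SOCK_DGRAM" in m.group(1):
                udp_fds.add(fd)
            continue
        m = DNS_PEER_RE.match(line)
        if m and int(m.group(2)) in udp_fds:   # explicit peer address on port 53
            fd = int(m.group(2))
            dns_peer[fd] = m.group(3)
            leaks.append((m.group(1), fd, m.group(3)))
            continue
        m = SENDTO_RE.match(line)
        if m and int(m.group(1)) in dns_peer:  # query on an already connected UDP fd
            fd = int(m.group(1))
            leaks.append(("sendto", fd, dns_peer[fd]))
    return leaks

def curl_uses_c_ares(curl_version_output):
    """True when the first line of `curl -V` reports c-ares as the resolver."""
    return "c-ares/" in curl_version_output.splitlines()[0]

if __name__ == "__main__":
    for syscall, fd, ip in find_dns_leaks(SAMPLE_STRACE):
        print(f"DNS outside the proxy hook: {syscall} on fd {fd} to {ip}:53")
```

TCP connections to port 53 are deliberately ignored; only UDP sockets are reported, since that is the path c-ares takes by default.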