shadowsocks-rust
DNS leak, built-in DNS resolve doesn't use the bound local address
Version v1.8.23. IP 172.16.0.2 is on the WireGuard interface.
I run it with a config containing "local_address":"172.16.0.2", and tcpdump -nnl host 1.1.1.1 shows:
20:24:14.970360 IP 192.168.1.71.47733 > 1.1.1.1.53: 18082+ A? ip-api.com. (28)
20:24:15.012890 IP 1.1.1.1.53 > 192.168.1.71.47733: 18082 1/0/0 A 208.95.112.1 (44)
shadowsocks-rust log:
DEBUG [3836:139719155930880] [shadowsocks::context] DNS resolved ip-api.com:80 elapsed: 0.043s, Ok([208.95.112.1:80])
DEBUG [3913:140456672679680] [shadowsocks::relay::tcprelay::server] connected remote ip-api.com:80 (resolved: 208.95.112.1:80) via 172.16.0.2:0
dig -b 172.16.0.2 ip-api.com @1.1.1.1 doesn't show a DNS request; without the -b parameter, tcpdump shows the same as above.
Yes, that's a known issue. I cannot control trust-dns's outbound socket.
Maybe I should rewrite a DNS resolver all by myself. :(
After looking around trust-dns's source, I still couldn't find a quick way to customize its outbound socket's bind() and other sockopts. If you are using Linux, you may try to use iptables to route all connections originating from shadowsocks to your specific address. https://unix.stackexchange.com/questions/67351/is-it-possible-to-whitelist-a-specific-program-in-iptables
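As an added example (not code from shadowsocks-rust or trust-dns) of the one thing the maintainer says trust-dns does not let him control: a minimal UDP A-record resolver in Rust that calls bind() on the configured local address before sending, so the query leaves with that source address rather than the one the default route picks. The function names `build_a_query`, `parse_a_answers` and `resolve_a_from`, the 3-second timeout and the default server `1.1.1.1:53` are this example's own choices.

```rust
// Added example, not code from shadowsocks-rust or trust-dns: a minimal
// UDP A-record resolver whose outbound socket is bound to a caller-chosen
// local address, so the query is sent from that address instead of the
// one the default route would pick.
use std::io;
use std::net::{IpAddr, Ipv4Addr, SocketAddr, UdpSocket};
use std::time::{Duration, SystemTime, UNIX_EPOCH};

fn bad(kind: io::ErrorKind, msg: &str) -> io::Error {
    io::Error::new(kind, msg.to_string())
}

/// Build a recursive A/IN query for `name` with transaction id `id`
/// (12-byte header, QNAME labels, QTYPE, QCLASS; no EDNS).
pub fn build_a_query(name: &str, id: u16) -> io::Result<Vec<u8>> {
    let mut q = Vec::with_capacity(64);
    q.extend_from_slice(&id.to_be_bytes());
    q.extend_from_slice(&[0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0]); // RD=1, QDCOUNT=1
    for label in name.trim_end_matches('.').split('.') {
        if label.is_empty() || label.len() > 63 {
            return Err(bad(io::ErrorKind::InvalidInput, "bad DNS label"));
        }
        q.push(label.len() as u8);
        q.extend_from_slice(label.as_bytes());
    }
    q.push(0); // root label terminates QNAME
    q.extend_from_slice(&[0, 1, 0, 1]); // QTYPE=A, QCLASS=IN
    Ok(q)
}

/// Skip a (possibly compressed) name starting at `pos`; return the offset after it.
fn skip_name(buf: &[u8], mut pos: usize) -> io::Result<usize> {
    loop {
        let len = *buf.get(pos).ok_or_else(|| bad(io::ErrorKind::UnexpectedEof, "truncated name"))? as usize;
        if len == 0 {
            return Ok(pos + 1);
        }
        if len & 0xC0 == 0xC0 {
            // compression pointer: two bytes, and it ends the name
            return if pos + 1 < buf.len() { Ok(pos + 2) } else { Err(bad(io::ErrorKind::UnexpectedEof, "truncated pointer")) };
        }
        pos += 1 + len;
    }
}

/// Extract the IPv4 addresses from the answer section of a response to a
/// query with transaction id `expected_id`. Rejects id mismatches,
/// non-responses and non-zero RCODEs.
pub fn parse_a_answers(resp: &[u8], expected_id: u16) -> io::Result<Vec<Ipv4Addr>> {
    if resp.len() < 12 {
        return Err(bad(io::ErrorKind::UnexpectedEof, "short header"));
    }
    if u16::from_be_bytes([resp[0], resp[1]]) != expected_id {
        return Err(bad(io::ErrorKind::InvalidData, "transaction id mismatch"));
    }
    if resp[2] & 0x80 == 0 {
        return Err(bad(io::ErrorKind::InvalidData, "not a response"));
    }
    if resp[3] & 0x0F != 0 {
        return Err(bad(io::ErrorKind::Other, "server returned non-zero RCODE"));
    }
    let qdcount = u16::from_be_bytes([resp[4], resp[5]]);
    let ancount = u16::from_be_bytes([resp[6], resp[7]]);
    let mut pos = 12;
    for _ in 0..qdcount {
        pos = skip_name(resp, pos)? + 4; // skip QTYPE + QCLASS
    }
    let mut addrs = Vec::new();
    for _ in 0..ancount {
        pos = skip_name(resp, pos)?;
        let fixed = resp.get(pos..pos + 10).ok_or_else(|| bad(io::ErrorKind::UnexpectedEof, "truncated RR"))?;
        let rtype = u16::from_be_bytes([fixed[0], fixed[1]]);
        let rdlen = u16::from_be_bytes([fixed[8], fixed[9]]) as usize;
        pos += 10;
        let rdata = resp.get(pos..pos + rdlen).ok_or_else(|| bad(io::ErrorKind::UnexpectedEof, "truncated RDATA"))?;
        if rtype == 1 && rdlen == 4 {
            addrs.push(Ipv4Addr::new(rdata[0], rdata[1], rdata[2], rdata[3]));
        }
        pos += rdlen;
    }
    Ok(addrs)
}

/// Resolve `name` at `server`, sending from `local`. The bind() to port 0 on
/// `local` is the step this issue is about: it fixes the source address of
/// the query while the OS still picks a random ephemeral port.
pub fn resolve_a_from(name: &str, local: IpAddr, server: SocketAddr) -> io::Result<Vec<Ipv4Addr>> {
    let sock = UdpSocket::bind(SocketAddr::new(local, 0))?;
    sock.set_read_timeout(Some(Duration::from_secs(3)))?;
    // Placeholder id taken from the clock; a real resolver must draw ids from a
    // CSPRNG, because predictable ids make spoofed answers easier to land.
    let id = SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.subsec_nanos() as u16).unwrap_or(0);
    sock.send_to(&build_a_query(name, id)?, server)?;
    let mut buf = [0u8; 512];
    let (n, from) = sock.recv_from(&mut buf)?;
    if from != server {
        return Err(bad(io::ErrorKind::InvalidData, "answer from unexpected peer"));
    }
    parse_a_answers(&buf[..n], id)
}

fn main() -> io::Result<()> {
    // usage: <name> <local-ip> [server:port], e.g. ip-api.com 172.16.0.2 1.1.1.1:53
    let args: Vec<String> = std::env::args().collect();
    if args.len() < 3 {
        eprintln!("usage: {} <name> <local-ip> [server:port]", args[0]);
        return Ok(());
    }
    let inval = |e: std::net::AddrParseError| bad(io::ErrorKind::InvalidInput, &e.to_string());
    let local: IpAddr = args[2].parse().map_err(inval)?;
    let server: SocketAddr = args.get(3).map(String::as_str).unwrap_or("1.1.1.1:53").parse().map_err(inval)?;
    for ip in resolve_a_from(&args[1], local, server)? {
        println!("{}", ip);
    }
    Ok(())
}
```

The A query this builds for ip-api.com is 28 bytes, the same size as the packet in the tcpdump line above, so a capture of a lookup run with 172.16.0.2 as the local address is directly comparable with the leaking one. Two caveats: bind() fixes only the source address, and on Linux the route is still chosen by destination, so without a policy rule or a host route for the resolver the packet can still leave the wrong interface with the tunnel address as source; and this example has no TCP fallback, no EDNS and no id randomisation, which a production resolver needs.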
Thanks for that; adding a route for the DNS IP is enough for me. So I use: ip route add 1.1.1.1 via 172.16.0.2 dev wg0 proto static