
DNS ad blocking breaks upon system sleep on Ubuntu 18.04

Open mbmccoy opened this issue 4 years ago • 3 comments

Describe the bug (Likely client issue, Ubuntu 18.04.4)

I set up Algo to use DNS-based adblocking. It worked at first, but rather quickly started showing the ads I expected it to block. After debugging a bit, the DNS resolver goes back to the system default (determined via DHCP) upon closing my laptop lid. The rest of the VPN continues to work.

It seems to me that this is a privacy issue---one of the main reasons I like using my own resolver is DNS privacy; I don't like providing all of my browsing information to advertisers.

One workaround is to run sudo systemctl restart wg-quick@wg0, but of course, I have to run that (and put in my password!) every time I open up my laptop lid.

Is there something that I'm missing?

To Reproduce

Steps to reproduce the behavior:

  1. Set up server with Adblocking and enable client following directions.
     • Notes: I added the client configuration on an Ubuntu 18.04.4 laptop
  2. Run sudo systemctl enable wg-quick@wg0 then sudo systemctl start wg-quick@wg0.
     • At this point, Adblocking should work (e.g., dig track.adform.net should yield "This query has been locally blocked" in the HINFO.)
  3. Let system go to sleep (e.g., lock, close lid) or cycle wifi power. Now dig will resolve, indicating the use of the original (system) DNS.

Expected behavior

DNS settings persist the entire time that the VPN is up.

Additional information

This may be a bug in wg-quick and not algo. If that's the case, I'd appreciate any pointers as to where to report the problem.

Here's a redacted, but otherwise complete, version of my wg0.conf:

[Interface]
PrivateKey = <X>
Address = <X>
DNS =  172.X.X.X 
MTU = 1380

[Peer]
PublicKey = <X>
PresharedKey = <X>
AllowedIPs = 0.0.0.0/0,::/0
Endpoint = <X>

mbmccoy, Aug 31 '20 20:08

This is definitely a client issue rather than an Algo issue, but it would be good to document the solution if we can figure it out.

davidemyers, Sep 01 '20 13:09

I don't have a way to test this, but it might work:

#!/bin/sh
#
# Install this script as: /lib/systemd/system-sleep/wireguard
# Make it executable: chmod 755 /lib/systemd/system-sleep/wireguard
#
case "$1" in
    post)
        if systemctl --quiet is-enabled wg-quick@wg0; then
            systemctl --quiet restart wg-quick@wg0
        fi
    ;;
esac

davidemyers, Sep 01 '20 17:09

Thanks, and apologies for the slow response. This works when my laptop goes to sleep, which covers 95% of my use case. (WiFi power cycling still triggers the issue, no surprise.)

It seems that whatever Ubuntu is doing with DNS (it points to a resolver at 127.0.0.53). This seems to be a quirk of systemd-resolve.

It's odd, because this didn't start happening to me until fairly recently; I've been using Algo for a couple years now, and it was only upon setting up a new VPN recently where it started. My guess is that it happened when I upgraded wireguard to the latest version (1.0.20200513-1~18.04.2) right before I set up my new VPN, but it also may have been some other update that happened along the way.

mbmccoy, Sep 26 '20 19:09
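
The dig check from the reproduction steps, turned into a repeatable leak test that works regardless of what triggered the fallback (sleep or WiFi cycling). This is an added example, not part of the original thread; the canary domain and marker string come from the issue text, while the function names and sample dig outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). CANARY and MARKER come from the issue
# text; function names and the sample dig outputs are constructed.
CANARY="track.adform.net"
MARKER="This query has been locally blocked"

# Read dig output on stdin and print: blocked | leak | unknown.
# The marker is tested first: a blocked reply may also be NOERROR with an answer.
classify_dig() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qF "$MARKER"; then
        echo blocked      # the ad-blocking resolver answered
    elif printf '%s\n' "$out" | grep -q 'status: NOERROR' &&
         printf '%s\n' "$out" | grep -Eq 'ANSWER: [1-9]'; then
        echo leak         # some other resolver returned real records
    else
        echo unknown      # timeout, SERVFAIL, or no network
    fi
}

# Query the canary via the system resolver. Status: 0 blocked, 1 leak, 2 unknown.
check_dns() {
    result=$(dig +time=2 +tries=1 "$CANARY" 2>/dev/null | classify_dig)
    echo "$CANARY: $result"
    case "$result" in
        blocked) return 0 ;;
        leak)    return 1 ;;
        *)       return 2 ;;
    esac
}

# Constructed dig output: reply from the blocking resolver.
sample_blocked() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
track.adform.net. 1 IN HINFO "This query has been locally blocked" ""
EOF
}

# Constructed dig output: reply after falling back to the DHCP-provided resolver.
sample_leak() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
track.adform.net. 300 IN A 192.0.2.10
EOF
}
```

Calling check_dns after resume or from a timer gives a non-zero status when the canary is no longer being blocked, which is the point at which wg-quick@wg0 needs the restart described above.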