DNSCrypt / dnscrypt-proxy

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
https://dnscrypt.info
ISC License

Also proxy DNS query for cloaking domains #1620

Closed ghost closed 3 years ago

ghost commented 3 years ago

Is your feature request related to a problem?

cloaking-rules.txt

www.google.com forcesafesearch.google.com

For the above configuration, dnscrypt-proxy will not send forcesafesearch.google.com to remote DNSCrypt servers over an encrypted protocol; instead, it queries the local DNS over unencrypted UDP.

Describe the solution you'd like

As said in the issue title

Additional context

In the rare case where:

1. State censorship is affecting the domain `cn.nytimes.com`.
2. To access the site, the domain fronting tool [Accesser](https://github.com/URenko/Accesser/blob/master/README.en.md) is used, which relies on dnscrypt-proxy to get a correct DNS response.
3. `cn.nytimes.com` itself sometimes returns non-domain-frontable IPs, and we want it to always use domain-frontable `x.cloudfront.net` IPs.
4. So the following is written in cloaking-rules.txt:
   ```
   cn.nytimes.com d1emgxxou2di91.cloudfront.net
   ```
5. And its CNAME `d1emgxxou2di91.cloudfront.net` is also affected (returns a malformed response).
6. dnscrypt-proxy uses the local poisoned DNS (and of course, unencrypted) for `d1emgxxou2di91.cloudfront.net`; dnscrypt-proxy and the domain fronting tool never get the correct IP.

jedisct1 commented 3 years ago

If a name is used instead of an IP address, the name is resolved with a query to the local resolver, which has already been configured to use dnscrypt-proxy. So, no unencrypted queries leave the host.

ghost commented 3 years ago

> the name is resolved with a query to the local resolver, which has already been configured to use dnscrypt-proxy.

It requires that the system-wide DNS resolver be set to something like 127.0.0.1:x (x is the port dnscrypt-proxy is listening on).

I wish that dnscrypt-proxy would use itself instead of the system-wide DNS resolver for the cloaking domains.

jedisct1 commented 3 years ago

But if the system hasn't been configured to use the proxy, how are you using it?

ghost commented 3 years ago

A censorship-circumvention tool uses a built-in dnscrypt-proxy for DNS lookups, as a child process of itself.

I thought it'd be better if I made a pull request myself...

https://github.com/DNSCrypt/dnscrypt-proxy/blob/1b4045a098749c0efaaf0580f1757c70ca29acc1/dnscrypt-proxy/plugin_cloak.go#L126

dnscrypt-proxy should instead find itself, then use net.Resolver...
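To make the distinction in this thread concrete (a cloaking target that is an IP literal needs no lookup; a target that is a name must be resolved somewhere, and the question is by which resolver), here is an added example that is not dnscrypt-proxy's own code. It parses the two-column cloaking-rules.txt format, classifies each target, and builds a `net.Resolver` whose `Dial` hook pins every lookup to a given address (assumed to be the proxy's own listener, `127.0.0.1:53`) instead of the OS resolver configuration. The rule set is constructed for the example; `192.0.2.1` is a documentation address and `example.test` is a placeholder name.

```go
package main

import (
	"bufio"
	"context"
	"fmt"
	"net"
	"strings"
	"time"
)

// Constructed sample in the cloaking-rules.txt format ("<query name> <target>").
// The google.com and nytimes/cloudfront pairs are the ones quoted in this issue;
// 192.0.2.1 is a documentation address standing in for a literal-IP target.
const SampleRules = `# constructed cloaking rules
www.google.com   forcesafesearch.google.com
example.test     192.0.2.1
cn.nytimes.com   d1emgxxou2di91.cloudfront.net
`

// CloakRule is one parsed entry. Exactly one of IP or Name is set: an IP literal
// can be answered directly, a hostname has to be resolved first.
type CloakRule struct {
	Source string // query name that is cloaked
	IP     net.IP // target when the rule maps to an IP literal
	Name   string // target when the rule maps to another hostname
}

// ParseCloakingRules parses the two-column format, skipping blank lines and
// '#' comments, and classifies each target as an IP literal or a hostname.
func ParseCloakingRules(text string) ([]CloakRule, error) {
	var rules []CloakRule
	sc := bufio.NewScanner(strings.NewReader(text))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		if len(fields) != 2 {
			return nil, fmt.Errorf("line %d: expected 2 fields, got %d", lineNo, len(fields))
		}
		r := CloakRule{Source: canonical(fields[0])}
		if ip := net.ParseIP(fields[1]); ip != nil {
			r.IP = ip
		} else {
			r.Name = canonical(fields[1])
		}
		rules = append(rules, r)
	}
	return rules, sc.Err()
}

// canonical lower-cases a DNS name and drops a trailing dot so names compare equal.
func canonical(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, "."))
}

// NewPinnedResolver returns a net.Resolver that sends every lookup to
// resolverAddr (for example the proxy's own listener) rather than to the
// nameservers in the OS resolver configuration. This is the net.Resolver
// approach proposed above, written here as an illustration.
func NewPinnedResolver(resolverAddr string) *net.Resolver {
	return &net.Resolver{
		PreferGo: true, // use Go's resolver so the Dial hook is honoured
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 5 * time.Second}
			return d.DialContext(ctx, network, resolverAddr)
		},
	}
}

// ResolveCloak answers one rule: an IP literal is returned without any lookup;
// a hostname target is looked up through r, never through the system resolver.
func ResolveCloak(ctx context.Context, r *net.Resolver, rule CloakRule) ([]net.IPAddr, error) {
	if rule.IP != nil {
		return []net.IPAddr{{IP: rule.IP}}, nil
	}
	return r.LookupIPAddr(ctx, rule.Name)
}

func main() {
	rules, err := ParseCloakingRules(SampleRules)
	if err != nil {
		panic(err)
	}
	// Assumption: a DNS listener (such as dnscrypt-proxy) is bound here.
	resolver := NewPinnedResolver("127.0.0.1:53")
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	for _, rule := range rules {
		addrs, err := ResolveCloak(ctx, resolver, rule)
		fmt.Printf("%-16s -> %v (err=%v)\n", rule.Source, addrs, err)
	}
}
```

Only the hostname rules ever cause a lookup, and with the pinned resolver that lookup goes to `resolverAddr` regardless of what the OS resolver points at, which is the property the comment above asks for.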

lifenjoiner commented 3 years ago

> built-in dnscrypt-proxy

New case ...

Normally, the configured different name will go back to SDNS in the end, I agree. But by my tests on Windows, there are a few differences for cloaking:

  1. `cache = false`: it can't control the OS cache strategy. The cloaked host result depends on the OS cache.
  2. TTL: for the cloaked host, the OS cache may take the configured different name's TTL, which may be greater or less than `cloak_ttl`. dnscrypt-proxy always counts the `cloak_ttl`, even with `cache = false`. For the configured different name, the TTL depends on the remote (SDNS-TTL).

I don't use this feature much ;p