Closed jamesdunham closed 7 years ago
The OpenConnect configuration file specifies the DNS servers that clients should use. Resolution does not happen via /etc/hosts. You can see the relevant lines starting here.
You can override the default Google upstream DNS servers in streisand/playbooks/group_vars/all and that will apply to all future servers that are set up by Streisand. Or you can modify the dns= lines in the /etc/ocserv/config file on an existing server and then run service ocserv restart for the change to take effect.
You can test for DNS leaks here.
I will see if I can figure out a way to get DNS resolution for OpenConnect clients to flow through dnsmasq as well. They are tunnelled by default though and you should see different results during the leak test depending on whether or not you are connected.
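As an added example that is not part of this thread and not Streisand's own code: a small POSIX shell script that lists the dns= entries an ocserv config pushes to clients and rewrites them to a single resolver, i.e. the "modify the dns= lines on an existing server" route described above. Everything in it is assumed or constructed: the config format (one "dns = address" per line, as ocserv uses), the sample config, and the resolver address 10.8.0.1, which stands in for whatever tunnel-side address a dnsmasq instance would listen on; the thread does not give Streisand's actual address.

```shell
#!/bin/sh
# Added example, not Streisand's or ocserv's own code.
# Assumes ocserv config lines of the form "dns = x.x.x.x" (spaces optional).
set -eu

# Print every DNS server address that the given ocserv config pushes to
# connecting OpenConnect clients, one per line. Trailing comments are ignored.
ocserv_dns_servers() {
    sed -n 's/^[[:space:]]*dns[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1"
}

# Emit a copy of the config on stdout in which all dns= lines are replaced by
# a single "dns = NEW_DNS" line (placed where the first one was). Writing to
# stdout lets the operator diff/review before overwriting /etc/ocserv/config.
ocserv_rewrite_dns() {
    awk -v new="$2" '
        /^[ \t]*dns[ \t]*=/ {
            if (!done) { print "dns = " new; done = 1 }
            next
        }
        { print }
    ' "$1"
}

# Constructed sample standing in for /etc/ocserv/config (not a real file).
SAMPLE_CONFIG="$(mktemp)"
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# constructed sample ocserv config
auth = "plain[/etc/ocserv/ocpasswd]"
tcp-port = 443
dns = 8.8.8.8
dns = 8.8.4.4   # upstream resolver clients are told to use
route = default
EOF

# Placeholder tunnel-side resolver address (assumption, not from the thread).
TUNNEL_RESOLVER="10.8.0.1"

echo "Resolvers currently pushed to clients:"
ocserv_dns_servers "$SAMPLE_CONFIG"
echo
echo "Config after pointing clients at $TUNNEL_RESOLVER:"
ocserv_rewrite_dns "$SAMPLE_CONFIG" "$TUNNEL_RESOLVER"
```

To apply this on a real server you would redirect the rewritten output to a new file, compare it against /etc/ocserv/config, move it into place, and then run service ocserv restart as noted above. The address you push must be reachable from clients through the tunnel; a resolver that only listens on the server's public interface, or one not running at all, leaves connected clients unable to resolve names rather than "blocked".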
@jlund does the same behavior occur for L2TP/IPsec? I'm seeing the same behavior: a blocked host specified in /etc/hosts resolves correctly when pinged from the server:
but on my Android the ping resolves to the blocked host.
I guess a followup question would be: right now, is there any connection method we could use to block a host via a streisand setup? It'd be nice to have with all the work you've done getting this set up :)
I'd be interested in this as well. +1
Related to #250, I'd also like to use the hosts file for blocking, and for the same reason (mobile). The hosts file seems to be in use because the hostnames I've added resolve to 127.0.0.1 when I ping them from the instance. But on the client, I can access the blocked hostnames, even though my public IP appears to be the host's. Should I wonder about DNS leaks? I'm not sure how to look into it. I'm using OpenConnect on Ubuntu. Thanks for any suggestions.