search

celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0
2.84k stars 145 forks source link

Crash using DNS client in Termux #1210

Closed Terrance closed 7 months ago

Terrance commented 7 months ago

Toying with q installed in Termux, I've stumbled upon a crash in Rethink when I try to run it pointing at an external DNS server:

$ q @9.9.9.9
02-02 20:47:44.390  1942  1942 E OPLUS_KEVENT_RECORD: oplus_kevent Receive message from kernel, event_type=3
02-02 20:47:44.391  1942  1942 E OPLUS_KEVENT_RECORD: OPLUS_KEVENT payload:10291,path@@/data/data/com.termux/files/usr/opt/q
02-02 20:47:44.391  1942  1942 I OPLUS_KEVENT_RECORD: oplus_put_exec_kevent_to_list
02-02 20:47:44.423 24821  1070 D VpnLifecycle: process-firewall-request: ConnTrackerMetaData(uid=10291, sourceIP=10.111.222.1, sourcePort=48392, destIP=9.9.9.9, destPort=53, timestamp=1706906864423, isBlocked=false, blockedByRule=, blocklists=, protocol=17, query=, connId=0ae99e369f4f23d7), true, false
02-02 20:47:44.441 24821     0 E Go      : panic: interface conversion: interface {} is nil, not string
02-02 20:47:44.441 24821     0 E Go      :
02-02 20:47:44.441 24821     0 E Go      : goroutine 530805 [running]:
02-02 20:47:44.443 24821     0 E Go      : github.com/celzero/firestack/intra/dnsx.(*radix).get(0x40008829c0, {0x78c57027e8?, 0xffffffffffffffff?})
02-02 20:47:44.443 24821     0 E Go      :      /home/jitpack/build/intra/dnsx/radixtree.go:129 +0x260
02-02 20:47:44.444 24821     0 E Go      : github.com/celzero/firestack/intra/dnsx.(*radix).HasAny(0x78c57027e8?, {0x78c57027e8?, 0x78c57027e8?})
02-02 20:47:44.444 24821     0 E Go      :      /home/jitpack/build/intra/dnsx/radixtree.go:101 +0x20
02-02 20:47:44.445 24821     0 E Go      : github.com/celzero/firestack/intra/dnsx.(*resolver).requiresSystemOrLocal(0x40007ac7e0, {0x78c57027e8, 0x1})
02-02 20:47:44.445 24821     0 E Go      :      /home/jitpack/build/intra/dnsx/undelegated.go:173 +0x9c
02-02 20:47:44.445 24821     0 E Go      : github.com/celzero/firestack/intra/dnsx.(*resolver).Forward(0x40007ac7e0, {0x4000702800, 0x11, 0x800})
02-02 20:47:44.445 24821     0 E Go      :      /home/jitpack/build/intra/dnsx/transport.go:415 +0x2b4
02-02 20:47:44.446 24821     0 E Go      : github.com/celzero/firestack/intra.(*udpHandler).dnsOverride(0x4000a3b680, {0x78c583a5e8, 0x4000739100}, 0x78c51fe390?, {0x4000702800, 0x11, 0x800})
02-02 20:47:44.446 24821     0 E Go      :      /home/jitpack/build/intra/udp.go:264 +0xa8
02-02 20:47:44.446 24821     0 E Go      : github.com/celzero/firestack/intra.(*udpHandler).ReceiveTo(0x4000a3b680, {0x78c583a5e8, 0x4000739100}, {0x4000702800, 0x11, 0x800}, 0x40000b4270)
02-02 20:47:44.446 24821     0 E Go      :      /home/jitpack/build/intra/udp.go:418 +0x84
02-02 20:47:44.447 24821     0 E Go      : github.com/celzero/firestack/intra.(*udpHandler).HandleData(0x4000739288?, 0x40000bed00?, {0x4000702800?, 0x40000b42a0?, 0x4001880f08?}, 0x78c54f1b04?)
02-02 20:47:44.447 24821     0 E Go      :      /home/jitpack/build/intra/udp.go:409 +0x3c
02-02 20:47:44.447 24821     0 E Go      : github.com/celzero/firestack/intra/netstack.loop({0x79d0e76998, 0x4000a3b680}, 0x4000739100, 0x40005bbe90, 0x40005bbef0)
02-02 20:47:44.447 24821     0 E Go      :      /home/jitpack/build/intra/netstack/udp.go:133 +0x448
02-02 20:47:44.447 24821     0 E Go      : created by github.com/celzero/firestack/intra/netstack.setupUdpHandler.NewUDPForwarder.func1 in goroutine 530812
02-02 20:47:44.447 24821     0 E Go      :      /home/jitpack/build/intra/netstack/udp.go:97 +0x16c
02-02 20:47:44.451 24821  1070 F libc    : Fatal signal 6 (SIGABRT), code -6 (SI_TKILL) in tid 1070 (Thread-89), pid 24821 (elzero.bravedns)

I assume this is something to do with Rethink's routing of all DNS traffic to its configured DNS server.

Rethink v055a running on Android 13 (OnePlus Nord CE).

ignoramous commented 7 months ago

Yikes, that's because qname is empty. Fixed: https://github.com/celzero/firestack/commit/c29695783ab1e7a8dcb02da6d317f64d9da12905

To analyse debug logs from the network engine, you can enable Configure -> Settings -> Log Level -> Verbose

Terrance commented 7 months ago

For what it's worth, this is what we get with verbose logging enabled:

02-02 22:14:48.311  1942  1942 E OPLUS_KEVENT_RECORD: oplus_kevent Receive message from kernel, event_type=3
02-02 22:14:48.311  1942  1942 E OPLUS_KEVENT_RECORD: OPLUS_KEVENT payload:10291,path@@/data/data/com.termux/files/usr/opt/q
02-02 22:14:48.311  1942  1942 I OPLUS_KEVENT_RECORD: oplus_put_exec_kevent_to_list
02-02 22:14:48.383 29788 13840 I GoLog   : V ns.dispatchers.dispatch: got(45 bytes), err(<nil>)
02-02 22:14:48.388 29788 13893 I GoLog   : V ns.dispatchers.dispatch (from-tun) proto(2048) for pkt-id(0)
02-02 22:14:48.388 29788 13893 I GoLog   : V ns.dispatchers.dispatch: resume
02-02 22:14:48.389 29788 20849 I GoLog   : V ns.e.inject-inbound(from-tun) 2048 pkt(0)
02-02 22:14:48.390 29788 20849 I GoLog   : V dns64: handle: No local nat64 to for ip(9.9.9.9)
02-02 22:14:48.390 29788 20849 I GoLog   : V udp: onFlow: no realips() or domains(), for src=10.111.222.1:37171 dst=9.9.9.9:53
02-02 22:14:48.412 29788 20849 D VpnLifecycle: process-firewall-request: ConnTrackerMetaData(uid=10291, sourceIP=10.111.222.1, sourcePort=37171, destIP=9.9.9.9, destPort=53, timestamp=1706912088412, isBlocked=false, blockedByRule=, blocklists=, protocol=17, query=, connId=44232610fbfb1135), true, false
02-02 22:14:48.418 29788 20849 I GoLog   : V ns.udp.forwarder: NEW src(10.111.222.1:37171) => dst(9.9.9.9:53)
02-02 22:14:48.418 29788 20849 I GoLog   : V ns.udp.forwarder: DATA src(10.111.222.1:37171) => dst(l:10.111.222.1:37171 / r:9.9.9.9:53)
02-02 22:14:48.418 29788 20849 I GoLog   : V udp: closing conn [10.111.222.1:37171 -> 9.9.9.9:53]
02-02 22:14:48.432 29788     0 E Go      : panic: interface conversion: interface {} is nil, not string
...

Admittedly I'm not sure what I'm looking for in there, though having tried it against my local DNS server (with "Do not route Private IPs" enabled, so it bypasses Rethink) I can see the default query is for the root nameservers, which is presumably the empty QNAME you've identified:

$ q @172.16.1.1
. 2h55m48s NS a.root-servers.net.
. 2h55m48s NS b.root-servers.net.
. 2h55m48s NS c.root-servers.net.
. 2h55m48s NS d.root-servers.net.
. 2h55m48s NS e.root-servers.net.
. 2h55m48s NS f.root-servers.net.
. 2h55m48s NS g.root-servers.net.
. 2h55m48s NS h.root-servers.net.
. 2h55m48s NS i.root-servers.net.
. 2h55m48s NS j.root-servers.net.
. 2h55m48s NS k.root-servers.net.
. 2h55m48s NS l.root-servers.net.
. 2h55m48s NS m.root-servers.net.