Open h0t5p0t18 opened 1 month ago
Thanks.
Allowing arbitrary upstream DNS per domain will end up confusing the user (due to the number of possible configurations). Is this use-case better covered by #1153?
Didn't know user-space VPN apps can control Android WiFi calling domain resolution, which is normally performed using the WiFi-set DNS server addresses. It also bypasses Android VPN tunnels and Android DoT settings. Once a SIM card is activated, Android OS starts performing WiFi calling domain resolution until a factory reset is performed. Therefore even removal of the SIM card does not stop resolution of WiFi calling domains.
Disabling WiFi calling on the phones themselves does not disable WiFi calling domain resolution either. It's a major privacy and security issue Android ignores...
It would be nice if RethinkDNS could disable it completely. I hope custom rules to blackhole all domains with "epdg" can do the trick.
> hope custom rules to blackhole all domains with "epdg" can do the trick

By convention (or standard), do wifi-calling domains have `epdg` in their subdomain?

btw, Rethink doesn't support blocking prefixes, only suffixes (that is, for a domain `a.b.c.d`, you can add a rule to block `a.b.c.d`, `b.c.d`, `c.d`, or `.d`, but never `a`, `a.b`, or `a.b.c`).
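To make the suffix-only rule semantics above concrete, here is an added Go example; it is mine, not RethinkDNS code and not from this thread. It assumes that a rule matches a name when it equals the name or is a label-aligned suffix of it, that a leading dot on a rule is ignored, and that when several rules match the most specific one wins; the comment above states only the first of these. `epdgFQDN` builds the 3GPP ePDG discovery name as TS 23.003 defines it, with the MNC zero-padded to three digits, which is why the Vodafone DE name in the thread reads `mnc002.mcc262`. The point it demonstrates: a rule `epdg` can never match an ePDG name, while `pub.3gppnetwork.org` matches every carrier's ePDG name (and, being a suffix rule, any other service name under that zone, which is the trade-off of blocking by suffix).

```go
package main

import (
	"fmt"
	"strings"
)

// Action is the outcome of applying a rule set to a name.
type Action int

const (
	NoMatch Action = iota
	Block
	Allow
)

var actionNames = [...]string{"no-match", "block", "allow"}

func (a Action) String() string { return actionNames[a] }

// normalize lowercases a name and strips surrounding dots, so the ".d" and "d"
// rule forms from the comment above are treated alike (an assumption: the
// comment does not say whether ".d" also matches the bare name "d").
func normalize(name string) string {
	return strings.Trim(strings.ToLower(strings.TrimSpace(name)), ".")
}

// matchesSuffix reports whether rule matches domain under suffix-only
// semantics: the rule must equal the domain or be a label-aligned suffix of it.
// A rule "epdg" therefore matches "epdg" or "x.epdg", never "epdg.example".
func matchesSuffix(domain, rule string) bool {
	domain, rule = normalize(domain), normalize(rule)
	if rule == "" {
		return false
	}
	return domain == rule || strings.HasSuffix(domain, "."+rule)
}

// decide applies a rule set to a name. Precedence is an assumption the thread
// does not document: when several rules match, the one with the most labels
// wins, so an exact-FQDN allow punches through a broad block.
func decide(domain string, rules map[string]Action) Action {
	best, bestLabels := NoMatch, -1
	for rule, act := range rules {
		if !matchesSuffix(domain, rule) {
			continue
		}
		if n := strings.Count(normalize(rule), ".") + 1; n > bestLabels {
			best, bestLabels = act, n
		}
	}
	return best
}

// epdgFQDN builds the ePDG discovery name for a PLMN as 3GPP TS 23.003 defines
// it, "epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org", with the MNC zero-padded
// to three digits (Vodafone DE, MCC 262 / MNC 02, becomes mnc002.mcc262).
func epdgFQDN(mcc, mnc string) string {
	for len(mnc) < 3 {
		mnc = "0" + mnc
	}
	return fmt.Sprintf("epdg.epc.mnc%s.mcc%s.pub.3gppnetwork.org", mnc, mcc)
}

func main() {
	rules := map[string]Action{
		"epdg":                Block, // a prefix written as a rule: never matches a real ePDG name
		"pub.3gppnetwork.org": Block, // a suffix: catches every carrier's ePDG name
		epdgFQDN("262", "01"): Allow, // exact FQDN: most specific, so it wins over the block
	}
	for _, d := range []string{
		epdgFQDN("262", "02"), // the Vodafone DE name from the thread
		epdgFQDN("262", "01"), // allowed by the exact rule
		"epdg.example.net",    // not a 3GPP name; the "epdg" rule still does not match
	} {
		fmt.Printf("%-48s %s\n", d, decide(d, rules))
	}
}
```

Run it with `go run`: the Vodafone DE name comes out as blocked, the MNC 01 name as allowed by the exact rule, and `epdg.example.net` as unmatched, because the `epdg` rule is a prefix and suffix matching can never reach it.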
Thank you for your reply!
> Thanks.
> Allowing arbitrary upstream DNS per domain will end up confusing the user (due to the number of possible configurations). Is this use-case better covered by #1153?
I will try to stick to the WiFi calling issue.
I don't understand yet how `.lan` and `.local` are getting processed, but I think it would do the job for the WiFi calling as well. As you mentioned blacklisting, I assume whitelisting will work in a similar way.
For the special issue with geo location filters on the nameserver, allowing requests only from a certain set of DNS servers, the setup would be like this then (?): epdg resolving domain -> private DNS / system DNS server to a third party with the desired location. This solution seems straightforward, but less flexible, because for example two different DNS resolvers for two different mobile carriers, third party DNS as well.

> do wifi-calling domains have epdg in its subdomain
If `epdg.epc.mnc002.mcc262.pub.3gppnetwork.org` is `a.b.c.d.e.f.g`, while `f.g` = `3gppnetwork.org`, `a` would always be `epdg`, while `c` and `d` = `mnc###` and `mcc###` depend on the country and carrier. See here: https://www.mcc-mnc.com/

I'm not sure if iPhones use the same resolver `3gppnetwork.org`.
> Disabling WiFi calling on phones themselves does not disable WiFi calling domain resolution either.

Yes, it does (in my case).
I would prefer a "split tunnel" (the native Android VPN service split tunnel, i.e. a disabled application, will not work here, because the epdg request is done by a root shell) in the following way, for example:

A kind of settings file like the `additionalhosts.txt` of personalDNSfilter:

```
blacklist.justasample.com
!whitelistsample.justasample.com
>forwardexample.router 192.168.2.1
```

Plus:

```
@dnsforward.example 1.1.1.1
```

Which is getting parsed and included into the Rethink blocklist like:

```java
String entry = null;
while ((entry = addHostIn.readLine()) != null) {
    entry = entry.trim().toLowerCase();
    if (!entry.equals("") && !entry.startsWith("#")) {
        // one handler per line: the else-if chain keeps a ">" or "!" line
        // from also being added as a plain blacklist entry
        if (entry.startsWith(">"))
            applyCustomIpMapping(entry.substring(1).trim());          // ">host ip": custom IP mapping
        else if (entry.startsWith("!"))
            hostFilter.addOverrule(entry.substring(1).trim(), false); // "!host": whitelist
        else if (entry.startsWith("@"))
            applyCustomDNSforward(entry.substring(1).trim());         // "@domain server": proposed DNS forward
        else
            hostFilter.addOverrule(entry, true);                      // plain host: blacklist
    }
}
addHostIn.close();
```

In that way, we could flexibly override the blacklist and add DNS forwards as well as domain forwards.
Questions
1. Is it possible to set domain-wise redirects, and if yes, how?
2. Would it be possible to use specific DNS servers for selected domain names?
Issue
Vodafone Germany is only resolving their hostnames from (some) German DNS servers. That means WiFi calling with Vodafone Germany is not working with foreign DNS servers like cloudflare-dns.com, google.com, RethinkDNS etc.

The resolver for Vodafone Germany is `epdg.epc.mnc002.mcc262.pub.3gppnetwork.org`. It returns `drz1.vodafone-ip.de` as a CNAME record, which doesn't resolve further when the request comes from outside of Germany. The query looks like this:

```
;; QUESTION SECTION:
;epdg.epc.mnc002.mcc262.pub.3gppnetwork.org. IN A
;; Query time: 4007 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Sun May 26 12:12:02 EEST 2024
;; MSG SIZE  rcvd: 60
```

The name servers of vodafone-ip.de are:

```
Nserver: ns1.arcor-ip.de 145.253.2.19
Nserver: ns2.arcor-ip.de 145.253.2.80
Nserver: ns3.arcor-ip.de 145.253.3.171
```
Workaround
I suggest a workaround, which I found here:
https://stcl.blog/posts/vodafone_wifi-calling/
https://forum.netgate.com/topic/131935/dns-resolver-strange-lookup-vodafone-wificalling-not-working/5
This might be valid for other ISPs with the same geo-fencing strategy as well.
Howto Vodafone Germany WiFi calling
Example configuration for Vodafone Germany WiFi calling:
- `80.147.145.111` (`p5093916f.dip0.t-ipconnect.de`), deactivate automatic DNS server recognition
- `>vodafone-ip.de 145.253.2.80 145.253.3.171 145.253.2.19`
- `127.0.0.1`, Port: `5300`
- Enable "loop back proxy forwarder apps" if desired

Attention: like this, all DNS queries are being processed by Deutsche Telekom.

Now the query looks like this:

```
;; ANSWER SECTION:
epdg.epc.mnc002.mcc262.pub.3gppnetwork.org. 27 IN CNAME epdg.epc.drz1.vodafone-ip.de.
epdg.epc.drz1.vodafone-ip.de. 27 IN A 139.7.117.169
epdg.epc.drz1.vodafone-ip.de. 27 IN A 139.7.117.168
```

For T-Mobile Germany, WiFi calling with RethinkDNS and any other DNS is possible for me with the setting "enhanced DNS filtering" disabled. My suggested solution here:
1438
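The per-domain forwarding asked for in the `additionalhosts.txt` proposal in the comments above, and the Vodafone Germany workaround in this issue description (send anything under `vodafone-ip.de` to the arcor-ip.de name servers), can be simulated offline. The Go program below is an added example, not personalDNSfilter or RethinkDNS code. It parses a constructed rule file in the proposed format, treating a plain line as a block, `!` as an allow and `@` as a per-suffix forwarder (the thread uses `>` in the how-to and `@` in the proposal for this; which prefix personalDNSfilter actually uses for forwarding is not settled on the page, so `>` is not modelled), and resolves the Vodafone ePDG name against two constructed views built from the two `dig` outputs above: every resolver returns the CNAME, only the German name server returns the A records. The check that matters is that the policy is re-applied to the CNAME target, so the forwarder catches `epdg.epc.drz1.vodafone-ip.de` even though the queried name is under `3gppnetwork.org`.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// rule is one line of the additionalhosts-style file proposed in the thread. Its
// prefixes are assumptions for this example: none = block the name and its
// subdomains, "!" = allow them, "@" = forward them to the listed DNS servers.
type rule struct {
	kind    byte     // 'b', '!' or '@'
	servers []string // only for '@'
}

type Policy map[string]rule // lowercase name or suffix -> rule

// parsePolicy reads the rule file; blank lines and "#" comments are skipped.
func parsePolicy(text string) Policy {
	p := Policy{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(strings.ToLower(sc.Text()))
		if len(f) == 0 || f[0][0] == '#' {
			continue
		}
		kind := byte('b')
		if k := f[0][0]; k == '!' || k == '@' {
			kind, f[0] = k, f[0][1:]
		}
		p[f[0]] = rule{kind, f[1:]}
	}
	return p
}

// match returns the most specific (longest) rule whose name equals the queried
// name or is a label-aligned suffix of it; a zero rule (kind 0) means no match.
func (p Policy) match(name string) (best string, found rule) {
	for n, r := range p {
		if (name == n || strings.HasSuffix(name, "."+n)) && len(n) > len(best) {
			best, found = n, r
		}
	}
	return
}

// Record is a constructed upstream answer; View is one server's answers by name.
type Record struct {
	CNAME string
	A     []string
}
type View map[string]Record

// resolve applies the policy, picks the upstream, and re-applies the policy to
// every CNAME target, which is what lets "@vodafone-ip.de ..." capture the target
// of the 3GPP CNAME. Returns status (BLOCKED/OK/NODATA/LOOP), server, addresses.
func resolve(name string, p Policy, views map[string]View, def string) (string, string, []string) {
	for hop := 0; hop < 8; hop++ {
		name = strings.Trim(strings.ToLower(name), ".")
		server := def
		if _, r := p.match(name); r.kind == 'b' {
			return "BLOCKED", "", nil
		} else if r.kind == '@' && len(r.servers) > 0 {
			server = r.servers[0] // first listed server; the rest would be fallbacks
		}
		rec, ok := views[server][name]
		if !ok {
			return "NODATA", server, nil
		}
		if rec.CNAME == "" {
			return "OK", server, rec.A
		}
		name = rec.CNAME // follow the CNAME under the same policy
	}
	return "LOOP", "", nil
}

const epdgName, epdgTarget = "epdg.epc.mnc002.mcc262.pub.3gppnetwork.org", "epdg.epc.drz1.vodafone-ip.de"

// sampleViews is constructed from the two dig outputs in the issue: any resolver
// returns the CNAME; only the first arcor-ip.de server (standing in for "a
// resolver inside Germany") is modelled, and it returns the A records.
var sampleViews = map[string]View{
	"8.8.4.4":      {epdgName: {CNAME: epdgTarget}},
	"145.253.2.80": {epdgTarget: {A: []string{"139.7.117.169", "139.7.117.168"}}},
}

// sampleRules is a constructed file built from the lines in the thread.
const sampleRules = `
blacklist.justasample.com
!whitelistsample.justasample.com
@vodafone-ip.de 145.253.2.80 145.253.3.171 145.253.2.19
`

func main() {
	fmt.Println(resolve(epdgName, parsePolicy(sampleRules), sampleViews, "8.8.4.4"))
	fmt.Println(resolve(epdgName, Policy{}, sampleViews, "8.8.4.4")) // same query with no rules
}
```

`go run` prints one line with the rules (OK via 145.253.2.80 with both addresses) and one without them (NODATA via 8.8.4.4), which is the difference between the two `dig` outputs in the issue. Only the first listed forwarder is consulted here; a real resolver would fall back to the others, and the block/allow precedence (longest matching rule wins) is this example's choice, not something the page specifies.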