celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0

Question: redirect DNS per domain + Workaround Vodafone Germany wifi calling #1472

Open h0t5p0t18 opened 1 month ago

h0t5p0t18 commented 1 month ago

Questions

1. Is it possible to set domain-wise redirects, and if yes, how?
2. Would it be possible to use specific DNS servers for selected domain names?

Issue

Vodafone Germany is only resolving their hostnames from (some) German DNS servers. That means WiFi calling with Vodafone Germany is not working with foreign DNS servers like cloudflare-dns.com, google.com, RethinkDNS etc.

The resolver for Vodafone Germany is `epdg.epc.mnc002.mcc262.pub.3gppnetwork.org`. It returns `drz1.vodafone-ip.de` as a CNAME record, which doesn't resolve further when the request comes from outside of Germany. The query looks like this:

```
;; QUESTION SECTION:
;epdg.epc.mnc002.mcc262.pub.3gppnetwork.org. IN A

;; Query time: 4007 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Sun May 26 12:12:02 EEST 2024
;; MSG SIZE  rcvd: 60
```

The name servers of vodafone-ip.de are:

```
Nserver: ns1.arcor-ip.de 145.253.2.19
Nserver: ns2.arcor-ip.de 145.253.2.80
Nserver: ns3.arcor-ip.de 145.253.3.171
```

Workaround

I suggest a workaround, which I found here:

https://stcl.blog/posts/vodafone_wifi-calling/ https://forum.netgate.com/topic/131935/dns-resolver-strange-lookup-vodafone-wificalling-not-working/5

This might be valid for other ISPs with the same geo-fencing strategy as well.

Howto Vodafone Germany WiFi calling

Example configuration for Vodafone Germany WiFi calling

  1. Download and install personalDNSfilter: https://www.zenz-solutions.de/personaldnsfilter-wp/ (F-Droid: https://f-droid.org/en/packages/dnsfilter.android/)
  2. Set the DNS manually to Deutsche Telekom `80.147.145.111` (p5093916f.dip0.t-ipconnect.de); deactivate automatic DNS server recognition
  3. Add a redirect entry to the "Additional hosts config": `>vodafone-ip.de 145.253.2.80 145.253.3.171 145.253.2.19`
  4. In RethinkDNS add a new DNS: IP `127.0.0.1`, port `5300`. Enable "loop back proxy forwarder apps" if desired
  5. Reload DNS in RethinkDNS, restart personalDNSfilter

Attention: set up like this, all DNS queries are being processed by Deutsche Telekom.

Now the query looks like this:

```
;; ANSWER SECTION:
epdg.epc.mnc002.mcc262.pub.3gppnetwork.org. 27 IN CNAME epdg.epc.drz1.vodafone-ip.de.
epdg.epc.drz1.vodafone-ip.de. 27 IN A 139.7.117.169
epdg.epc.drz1.vodafone-ip.de. 27 IN A 139.7.117.168
```


For T-Mobile Germany, WiFi calling with RethinkDNS and any other DNS is possible for me, with the setting "enhanced DNS filtering" disabled. My suggested solution is here: #1438

ignoramous commented 1 month ago

Thanks.

Allowing arbitrary upstream DNS per domain will end up confusing the user (due to the number of possible configurations). Is this use-case better covered by #1153?

ghost commented 1 month ago

Didn't know user-space VPN apps can control Android WiFi calling domain resolution, which is normally performed using WiFi-set DNS server addresses. It also bypasses Android VPN tunnels and Android DoT settings. Once the SIM card is activated, Android OS starts performing WiFi calling domain resolution until a factory reset is performed. Therefore even removal of the SIM card does not stop resolution of WiFi calling domains.

Disabling WiFi calling on the phones themselves does not disable WiFi calling domain resolution either. It's a major privacy and security issue Android ignores...

It would be nice if RethinkDNS could disable it completely. I hope custom rules to blackhole all domains with "epdg" can do the trick.

ignoramous commented 1 month ago

> hope custom rules to blackhole all domains with "epdg" can do the trick

By convention (or standard), do wifi-calling domains have epdg in its subdomain?

btw, Rethink doesn't support blocking prefixes, only suffixes (that is, for a domain a.b.c.d, you can add a rule to block a.b.c.d, b.c.d, c.d, or .d, but never a, a.b, or a.b.c).

h0t5p0t18 commented 1 month ago

Thank you for your reply!

> Thanks.
>
> Allowing arbitrary upstream DNS per domain will end up confusing the user (due to the number of possible configurations). Is this use-case better covered by #1153?

I will try to stick to the WiFi calling issue.

I don't understand yet how .lan and .local are getting processed, but I think it would do the job for WiFi calling as well. As you mentioned a blacklist, I assume whitelisting will work in a similar way.

For the special issue with geo-location filters on name servers, allowing requests only from a certain set of DNS servers, the setup would then be like this (?):

  1. Rethink:
    • whitelist epdg resolving domain
  2. Android:
    • disable private DNS
    • setting system DNS server to a third party with the desired location

This solution seems straightforward, but less flexible, because, for example:

  1. for a multi-SIM phone it might be necessary to use two different DNS resolvers for two different mobile carriers.
  2. other requests like captive portal checks would use the third-party DNS as well.

> do wifi-calling domains have epdg in its subdomain

If `epdg.epc.mnc002.mcc262.pub.3gppnetwork.org` is a.b.c.d.e.f.g, with f.g = 3gppnetwork.org, then a would always be epdg, while c and d = mnc### and mcc### depend on the country and carrier.

See here: https://www.mcc-mnc.com/

I'm not sure if iPhones use the same resolver domain 3gppnetwork.org.

> Disabling WiFi calling on phones themselves does not disable WiFi calling domain resolution either.

Yes, it does (in my case).

I would prefer a "split tunnel" (the native Android VPN service split tunnel, i.e. excluding the application, will not work here, because the epdg request is done by a root shell) in the following way, for example:

A kind of settings file like the additionalHosts.txt of personalDNSfilter:

```
blacklist.justasample.com
!whitelistsample.justasample.com
>forwardexample.router 192.168.2.1
```

Plus:

```
@dnsforward.example 1.1.1.1
```

https://github.com/IngoZenz/personaldnsfilter/blob/65f649f2be2bb65ae2333678877a2fd6677242ed/app/src/main/assets/additionalHosts.txt#L4

Which is getting parsed and included into the Rethink blocklist like this (the `@` branch is the proposed addition):

```java
String entry = null;
while ((entry = addHostIn.readLine()) != null) {
    entry = entry.trim().toLowerCase();
    if (!entry.equals("") && !entry.startsWith("#")) {
        if (entry.startsWith(">"))
            // '>' : map the host to fixed IP addresses
            applyCustomIpMapping(entry.substring(1).trim());
        else if (entry.startsWith("!"))
            // '!' : overrule the blacklist (whitelist the host)
            hostFilter.addOverrule(entry.substring(1).trim(), false);
        else if (entry.startsWith("@"))
            // '@' : forward queries for the host to a specific DNS server (new)
            applyCustomDNSforward(entry.substring(1).trim());
        else
            // plain entry: blacklist the host
            hostFilter.addOverrule(entry, true);
    }
}
addHostIn.close();
```

https://github.com/IngoZenz/personaldnsfilter/blob/65f649f2be2bb65ae2333678877a2fd6677242ed/app/src/main/java/dnsfilter/DNSFilterManager.java#L1138

In that way, we could flexibly override the blacklist and add DNS forwards as well as domain forwards.
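To make the rule syntax proposed above and the per-domain forwarding asked for in the opening post concrete, here is an added example in Python. It is not code from RethinkDNS or personalDNSfilter; it parses additionalHosts-style lines (plain blacklist, `!` overrule, `>` fixed IP mapping, and the proposed `@` forward), applies Rethink's suffix-only matching as described by ignoramous, and decides what a forwarder should do with a query name. The rule file, the hostnames, the catch-all resolver `9.9.9.9` and the documentation address `192.0.2.53` (standing in for a resolver located in Germany) are all constructed for the example. `epdg_domain` builds the ePDG discovery name from MCC/MNC the way the thread breaks it down (MNC zero-padded to three digits).

```python
# Added example (not RethinkDNS or personalDNSfilter code): a per-domain DNS
# policy engine for additionalHosts-style rules, extended with the '@' forward
# rule proposed in this thread, using Rethink's suffix-only matching.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed catch-all resolver for queries that no '@' rule claims.
DEFAULT_UPSTREAM = "9.9.9.9"

# Constructed rule file. 192.0.2.53 is a documentation address standing in for
# a resolver located in Germany; the other hostnames are made up for the example.
SAMPLE_RULES = """
# plain entry: blackhole the name and everything under it
ads.example.net
# '!' overrules a block for a more specific name
!safe.ads.example.net
# '>' answers the name with fixed addresses instead of resolving it
>printer.home.example 192.168.2.1
# '@' sends queries for the name (and subdomains) to a chosen upstream
@3gppnetwork.org 192.0.2.53
@vodafone-ip.de 192.0.2.53
"""


@dataclass
class Policy:
    blocked: Set[str] = field(default_factory=set)
    allowed: Set[str] = field(default_factory=set)
    ip_map: Dict[str, List[str]] = field(default_factory=dict)
    forward: Dict[str, str] = field(default_factory=dict)


def parse_rules(text: str) -> Policy:
    """Parse rule lines; malformed '>' or '@' lines raise ValueError."""
    p = Policy()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        if entry.startswith(">"):
            parts = entry[1:].split()
            if len(parts) < 2:
                raise ValueError(f"line {lineno}: '>' needs a name and at least one address")
            p.ip_map[parts[0]] = parts[1:]
        elif entry.startswith("!"):
            p.allowed.add(entry[1:].strip())
        elif entry.startswith("@"):
            parts = entry[1:].split()
            if len(parts) != 2:
                raise ValueError(f"line {lineno}: '@' needs exactly 'name resolver'")
            p.forward[parts[0]] = parts[1]
        else:
            p.blocked.add(entry)
    return p


def suffix_match(qname: str, rules) -> Optional[str]:
    """Rethink-style matching, most specific rule first: 'c.d' matches
    'a.b.c.d' and 'c.d' itself; '.d' matches names under 'd' but not 'd'.
    A leading label such as 'epdg' on its own can never match."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in rules:
            return cand
        if i > 0 and "." + cand in rules:
            return "." + cand
    return None


def decide(p: Policy, qname: str) -> Tuple[str, object]:
    """Return ('static', [ips]), ('block', None) or ('forward', resolver)."""
    m = suffix_match(qname, p.ip_map)
    if m:
        return ("static", p.ip_map[m])
    if suffix_match(qname, p.blocked) and not suffix_match(qname, p.allowed):
        return ("block", None)
    m = suffix_match(qname, p.forward)
    if m:
        return ("forward", p.forward[m])
    return ("forward", DEFAULT_UPSTREAM)


def epdg_domain(mcc: int, mnc: int) -> str:
    """ePDG discovery name as broken down in the thread; the MNC is zero-padded
    to three digits (Vodafone DE: MCC 262, MNC 02 -> mnc002)."""
    return f"epdg.epc.mnc{mnc:03d}.mcc{mcc:03d}.pub.3gppnetwork.org"


if __name__ == "__main__":
    policy = parse_rules(SAMPLE_RULES)
    for q in (epdg_domain(262, 2), "epdg.epc.drz1.vodafone-ip.de",
              "tracker.ads.example.net", "safe.ads.example.net",
              "printer.home.example", "www.example.org"):
        print(f"{q:45} -> {decide(policy, q)}")
```

Both the ePDG discovery name and the CNAME target under vodafone-ip.de land on the German resolver, everything else falls through to the catch-all, and a rule consisting only of the leading label `epdg` never matches anything; blackholing WiFi-calling discovery for one carrier therefore needs the full name, which is what `epdg_domain` produces.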