celzero / rethink-app

DNS over HTTPS / DNS over Tor / DNSCrypt client, WireGuard proxifier, firewall, and connection tracker for Android.
https://rethinkfirewall.com/
Apache License 2.0

Forward DNS to Orbot over SOCKS5 #284

Open ignoramous opened 3 years ago

ignoramous commented 3 years ago

Today, users need to manually set DNS Proxy in the app to forward DNS packets to Orbot's DNS endpoint. Cumbersome.

Instead, Orbot can handle DNS over SOCKS5, and so, use that. Of course let users choose if they'd want to use split DNS and not forward it to Orbot.

Ref #131

4-FLOSS-Free-Libre-Open-Source-Software commented 3 years ago

Yes please, but only the following types of DNS records are currently supported by TorDNS; everything else must be forwarded to the set DNS or dropped with SERVFAIL:

  1. AAAA (IPv6)
  2. A (IPv4)
  3. PTR(Reverse DNS Record)

ignoramous commented 3 years ago

Note that you can set a DNS Proxy (from the DNS Configure page) to forward traffic to local Orbot DNS port.

We should also proxy DoH over Orbot's SOCKS5 port (DoHoT), ref: https://github.com/alecmuffett/dohot/blob/master/INSTALL.md

4-FLOSS-Free-Libre-Open-Source-Software commented 3 years ago

> local Orbot DNS port.

127.0.0.1:5400

ignoramous commented 2 years ago

> Yes please, but only the following types of DNS records are currently supported by TorDNS; everything else must be forwarded to the set DNS or dropped with SERVFAIL

Is it okay to let Tor's DNS reply with servfail for records it doesn't support?

> 127.0.0.1:5400

The more I think about it, the more it makes sense for Orbot to pass its DNS endpoint to RethinkDNS via its API. The complication really is in getting a UDP request from the system and then converting it to a TCP request to be sent to Orbot's SOCKS5 endpoint. Without connection pooling, this would be a pretty inefficient way to deal with something that can otherwise be avoided. Also, it isn't clear how to read DNS responses over SOCKS5 from Orbot; does it implement the DNS over TCP protocol...? If it doesn't, then that's another special case to be implemented in code just for Orbot. A complication avoided if Orbot would just communicate its local DNS endpoint to us.
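
The forwarding path discussed across this thread (answer only the record types the earlier comment says TorDNS supports, SERVFAIL the rest, and convert the system's UDP query into a DNS-over-TCP exchange through Orbot's SOCKS5 port), as an added example that is not code from rethink-app, firestack or Orbot. It assumes the 127.0.0.1:5400 endpoint quoted above; the SOCKS5 listener address is not given in the thread, so the code takes an already-connected socket-like object and ships a scripted `FakeOrbot` peer so it runs offline. All packets are constructed for the demo.

```python
# Added example (not rethink-app/firestack/Orbot code): UDP DNS query in,
# qtype filter, SOCKS5 CONNECT (RFC 1928) + DNS-over-TCP (RFC 7766) out,
# UDP-sized reply back.  Endpoints and sample packets are assumed/constructed.
import socket
import struct

TOR_DNS = ("127.0.0.1", 5400)        # Orbot DNS port quoted in the thread
TOR_SUPPORTED_QTYPES = {1, 28, 12}   # A, AAAA, PTR: what the thread says TorDNS handles
QTYPE_A, QTYPE_MX = 1, 15


def build_query(name, qtype, qid):
    """Minimal RD=1 query with one question (constructed sample input)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (qname, qtype, end_offset) of the single question in msg."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] != 1:
        raise ValueError("expected a DNS message with exactly one question")
    labels, off = [], 12
    while msg[off]:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    off += 1                                   # skip the root label
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return ".".join(labels), qtype, off + 4    # +QTYPE +QCLASS


def servfail(query):
    """Echo ID, RD and the question; set QR=1 and RCODE=2 (SERVFAIL)."""
    _, _, end = parse_question(query)
    flags = 0x8000 | (struct.unpack("!H", query[2:4])[0] & 0x0100) | 0x0002
    return query[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + query[12:end]


def fit_udp(reply, max_size=512):
    """A TCP reply too big for the UDP client goes back with TC=1 and only the question (RFC 1035)."""
    if len(reply) <= max_size:
        return reply
    _, _, end = parse_question(reply)
    flags = struct.unpack("!H", reply[2:4])[0] | 0x0200
    return reply[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0) + reply[12:end]


def route(query):
    """('tor', query) if TorDNS can answer it, else ('servfail', synthesized reply)."""
    _, qtype, _ = parse_question(query)
    if qtype in TOR_SUPPORTED_QTYPES:
        return "tor", query
    return "servfail", servfail(query)


def recv_exact(conn, n):
    """TCP gives a stream, not datagrams: loop until n bytes have arrived."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-message")
        buf += chunk
    return buf


def socks5_connect(conn, host, port):
    """No-auth SOCKS5 handshake and CONNECT to an IPv4 host:port (RFC 1928)."""
    conn.sendall(b"\x05\x01\x00")                                  # VER, NMETHODS, NO AUTH
    if recv_exact(conn, 2) != b"\x05\x00":
        raise ConnectionError("SOCKS5 server refused no-auth")
    conn.sendall(b"\x05\x01\x00\x01" + socket.inet_aton(host) + struct.pack("!H", port))
    ver, rep, _, atyp = recv_exact(conn, 4)                        # VER REP RSV ATYP
    if ver != 5 or rep != 0:
        raise ConnectionError("SOCKS5 CONNECT failed, REP=%d" % rep)
    if atyp == 1:
        recv_exact(conn, 4 + 2)                                    # BND.ADDR (v4) + BND.PORT
    elif atyp == 4:
        recv_exact(conn, 16 + 2)                                   # BND.ADDR (v6) + BND.PORT
    elif atyp == 3:
        recv_exact(conn, recv_exact(conn, 1)[0] + 2)               # domain name + port
    else:
        raise ValueError("bad ATYP %d" % atyp)


def forward_over_tor(query, conn, dns=TOR_DNS):
    """One DNS-over-TCP round trip through SOCKS5; the reply is sized for UDP delivery."""
    socks5_connect(conn, *dns)
    conn.sendall(struct.pack("!H", len(query)) + query)            # RFC 7766 length prefix
    (n,) = struct.unpack("!H", recv_exact(conn, 2))
    return fit_udp(recv_exact(conn, n))


class FakeOrbot:
    """Scripted peer so the example runs offline; use socket.create_connection() for real."""
    def __init__(self, reply):
        self.sent = b""
        # assumed replies: method choice, CONNECT success bound to 0.0.0.0:0, framed DNS answer
        self.stream = b"\x05\x00" + b"\x05\x00\x00\x01" + b"\x00" * 6 + struct.pack("!H", len(reply)) + reply

    def sendall(self, data):
        self.sent += data

    def recv(self, n):
        chunk, self.stream = self.stream[:n], self.stream[n:]
        return chunk


SAMPLE_QUERY = build_query("example.com", QTYPE_A, 0x1234)
# constructed answer: QR/RD/RA set, one A record whose name is a pointer to the question
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + SAMPLE_QUERY[12:]
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("192.0.2.1"))

if __name__ == "__main__":
    kind, msg = route(SAMPLE_QUERY)
    print(kind, forward_over_tor(msg, FakeOrbot(SAMPLE_REPLY)).hex())
    print(route(build_query("example.com", QTYPE_MX, 0x1234)))
```

Two things the example makes visible that the discussion only names: every UDP query costs a full SOCKS5 handshake plus a TCP connection unless the connection to Orbot is pooled, and a reply that arrives over TCP can be larger than the UDP client can take, so it has to go back truncated (TC=1) rather than silently oversized.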

ignoramous commented 2 years ago

Sent a relatively straightforward pull request to Orbot (hopefully got the change right): https://github.com/guardianproject/orbot/pull/705

Let's see what they've got to say about it. In the meanwhile, we can default to forwarding traffic over localhost:5400 when Orbot is active, I guess?