evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

[Feature Request] Improve IP lookup with flatpak/systemd-resolved (and VPNs) #874

Closed firefoxlover closed 1 year ago

firefoxlover commented 1 year ago

Summary:

Currently when blocking IPs you just see a bunch of numbers. It would be very beneficial to integrate DNS, to be able to know what you block.

Use cases:

Great Tool! Donated to both of you, thanks for your work!

gustavo-iniguez-goya commented 1 year ago

Hi @firefoxlover ,

Thank you very much for supporting this project :heart: :)

We shouldn't interact with the connections, we should just intercept outbound connections passively:

When a process:

If the pop-up only shows IP addresses it's because we haven't been able to intercept the domain.

What connections are displaying only IPs? and from what applications? What DNS resolver are you using? systemd-resolved? dnsmasq?

firefoxlover commented 1 year ago

Hi,

my system uses systemd-resolved.

I am on Fedora Kinoite with the package layered, the connections were made in Firefox Flatpak. They are just some sites and things Addons tried to connect to, some have names I am pretty sure.

All system services have internet allowed, no DNS I remember having blocked.

gustavo-iniguez-goya commented 1 year ago

This issue seems to be related to Flatpaks. I can reproduce it on Debian with Librewolf, Firefox or Edge.

~Could you test it with non-flatpaks applications?~

Try adding this line to /etc/systemd/resolved.conf: DNS=1.1.1.1

and restart systemd-resolved: $ sudo service systemd-resolved restart

gustavo-iniguez-goya commented 1 year ago

Also many applications use Unix sockets to resolve domains, for example librewolf:

[pid 1925621] connect(88, {sa_family=AF_UNIX, sun_path="/run/systemd/resolve/io.systemd.Resolve"}, 42 <unfinished ...>

(https://www.freedesktop.org/software/systemd/man/org.freedesktop.resolve1.html)

We currently don't intercept this traffic, that's why opensnitch only displays IPs.

firefoxlover commented 1 year ago

Thanks! I added Mullvad's DNS servers to the file and restarted systemd-resolved and now I see domain names!

I think this should be added somewhere as a manual.

What I did in one command:

while true; do
    read -p "Your local DNS server will be set to 'MullvadDNS without Content Block', do you want to change that? [y/n] " yn
    case $yn in
        [YyjJ]* ) read -p "DNS: " DNS
        read -p "FallbackDNS: " FDNS
        # double quotes so the shell expands $DNS/$FDNS before sed sees the expression
        sudo sed -i "s/#DNS=/DNS=$DNS/g" /etc/systemd/resolved.conf
        sudo sed -i "s/#FallbackDNS=/FallbackDNS=$FDNS/g" /etc/systemd/resolved.conf && break;;
        [Nn]* ) sudo sed -i 's/#DNS=/DNS=194.242.2.2/g' /etc/systemd/resolved.conf
        sudo sed -i 's/#FallbackDNS=/FallbackDNS=193.19.108.2/g' /etc/systemd/resolved.conf && break;;
        * ) echo "Please answer yes or no.";;
    esac
done

# enable DNSSEC validation, opportunistic DNS-over-TLS and the resolver cache
sudo sed -i 's/#DNSSEC=no/DNSSEC=yes/g' /etc/systemd/resolved.conf
sudo sed -i 's/#DNSOverTLS=no/DNSOverTLS=opportunistic/g' /etc/systemd/resolved.conf
sudo sed -i 's/#Cache=yes/Cache=yes/g' /etc/systemd/resolved.conf

sudo systemctl restart systemd-resolved.service

So this includes interactive choosing of the DNS server, otherwise Mullvad's is chosen. It is fast and more private than Cloudflare. Also some essential configs are added, should fit your idea of use case for the app.

gustavo-iniguez-goya commented 1 year ago

wow @firefoxlover !! thank you for this, I'll add it to the wiki.

I'm investigating how to intercept systemd-resolved queries via varlink/ebpf/dbus.

gustavo-iniguez-goya commented 1 year ago

I might have a solution for this scenario. It also improves the use case when systemd-resolved is configured to work with DNSSEC=yes and DoT.

Would you be willing to test an opensnitchd binary? Or I can post the module for you to compile it on your machine.

gustavo-iniguez-goya commented 1 year ago

As far as I can tell, this issue has been fixed here: https://github.com/evilsocket/opensnitch/commit/b560ad6967b6148c5a2f204bb3fd2239e4c8bdac I've tested it with flatpaks (edge, librewolf) and systemd-resolved options DNSSEC=yes and DNSSecOverTLS=yes

I haven't tested it with VPNs, so if you could undo your changes to your resolved.conf and test it with the latest changes, that would be super helpful.

Note: this systemd-resolved option is only available since systemd-resolved 252. On Debian >= 12 the option is enabled by default (at least the socket path exists /run/systemd/resolved/io.systemd.Resolve.Monitor)
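As an added example for the two points above (resolution going over the io.systemd.Resolve Unix socket instead of UDP/53, and the io.systemd.Resolve.Monitor socket available since systemd 252), here is Go code that frames the varlink subscription to SubscribeQueryResults and parses the NUL-delimited replies into an IP-to-domain table, which is the mapping a firewall needs to label a flatpak's connections. This is not opensnitch's code or the linked commit. Assumptions: the socket path is the one named in the thread; the reply field layout (state, question, answer/rr/address as a JSON byte array), the "success" state string and the sample frames are my own constructions and should be checked against the systemd version you run.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net"
	"strings"
)

const (
	monitorSocket = "/run/systemd/resolve/io.systemd.Resolve.Monitor" // path named in the thread
	dnsTypeA      = 1
	dnsTypeAAAA   = 28
)

// subscribeRequest builds the varlink call that asks resolved's monitor interface to
// stream every query result. Varlink ends each JSON object with a NUL byte; "more": true
// keeps the call open as a stream.
func subscribeRequest() []byte {
	b, _ := json.Marshal(map[string]any{
		"method": "io.systemd.Resolve.Monitor.SubscribeQueryResults",
		"more":   true,
	})
	return append(b, 0)
}

// monitorReply holds the parts of one SubscribeQueryResults reply a firewall needs.
// Assumption (not verified against systemd source here): each answer carries an "rr"
// whose A/AAAA "address" is a JSON array of bytes.
type monitorReply struct {
	Parameters struct {
		State    string `json:"state"`
		Question []struct {
			Name string `json:"name"`
		} `json:"question"`
		Answer []struct {
			RR struct {
				Key     struct{ Type int `json:"type"` } `json:"key"`
				Address []byte `json:"address"` // decoded from a JSON number array; out-of-range values are a decode error
			} `json:"rr"`
		} `json:"answer"`
	} `json:"parameters"`
	Continues bool `json:"continues"`
}

// ipsFromReply maps each well-formed A/AAAA answer of a successful reply to the name the
// application actually asked for (the first question). Wrong-length addresses are skipped
// rather than mislabelled.
func ipsFromReply(r monitorReply) map[string]string {
	out := map[string]string{}
	if r.Parameters.State != "success" || len(r.Parameters.Question) == 0 {
		return out
	}
	queried := strings.TrimSuffix(r.Parameters.Question[0].Name, ".")
	for _, a := range r.Parameters.Answer {
		want := map[int]int{dnsTypeA: net.IPv4len, dnsTypeAAAA: net.IPv6len}[a.RR.Key.Type]
		if want == 0 || len(a.RR.Address) != want {
			continue // not an address record, or a malformed one
		}
		out[net.IP(a.RR.Address).String()] = queried
	}
	return out
}

// splitNUL is a bufio.SplitFunc for NUL-terminated varlink frames.
func splitNUL(data []byte, atEOF bool) (int, []byte, error) {
	if i := bytes.IndexByte(data, 0); i >= 0 {
		return i + 1, data[:i], nil
	}
	if atEOF && len(data) > 0 {
		return len(data), data, nil
	}
	return 0, nil, nil
}

// readMonitorStream consumes replies from r (normally the monitor socket) and merges them
// into one ip -> domain table until the stream ends or a frame carries "continues": false.
func readMonitorStream(r io.Reader) (map[string]string, error) {
	table := map[string]string{}
	sc := bufio.NewScanner(r)
	sc.Split(splitNUL)
	for sc.Scan() {
		var reply monitorReply
		if err := json.Unmarshal(sc.Bytes(), &reply); err != nil {
			return table, fmt.Errorf("malformed varlink reply: %w", err)
		}
		for ip, name := range ipsFromReply(reply) {
			table[ip] = name
		}
		if !reply.Continues {
			break
		}
	}
	return table, sc.Err()
}

// sampleStream is constructed test input, not captured systemd output: an A and an AAAA
// answer for example.com, then an NXDOMAIN that ends the stream.
var sampleStream = strings.Join([]string{
	`{"parameters":{"state":"success","question":[{"class":1,"type":1,"name":"example.com"}],"answer":[{"rr":{"key":{"class":1,"type":1,"name":"example.com"},"address":[93,184,216,34]},"ifindex":2}]},"continues":true}`,
	`{"parameters":{"state":"success","question":[{"class":1,"type":28,"name":"example.com"}],"answer":[{"rr":{"key":{"class":1,"type":28,"name":"example.com"},"address":[38,6,40,0,2,32,0,1,2,72,24,147,37,200,25,70]},"ifindex":2}]},"continues":true}`,
	`{"parameters":{"state":"rcode-failure","rcode":3,"question":[{"class":1,"type":1,"name":"nonexistent.invalid"}]},"continues":false}`,
}, "\x00") + "\x00"
```

Against a live system you would `net.Dial("unix", monitorSocket)` (the socket needs systemd 252 or newer and privileges to open), write `subscribeRequest()` to the connection and hand it to `readMonitorStream`. Since that function only returns when the stream ends, a firewall daemon would run it in a goroutine and update a shared table instead, so that a later connection to 93.184.216.34 from a flatpak can be shown as example.com even though no DNS packet ever left the host.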