Closed firefoxlover closed 1 year ago
Hi @firefoxlover ,
Thank you very much for supporting this project :heart: :)
We shouldn't interact with the connections, we should just intercept outbound connections passively:
When a process:
If the pop-up only shows IP addresses it's because we haven't been able to intercept the domain.
What connections are displaying only IPs, and from what applications? What DNS resolver are you using? systemd-resolved? dnsmasq?
Hi,
my system uses systemd-resolved.
I am on Fedora Kinoite with the package layered; the connections were made in Firefox Flatpak. They are just some sites and things add-ons tried to connect to; some have names, I am pretty sure.
All system services have internet allowed, no DNS I remember having blocked.
This issue seems to be related to Flatpaks. I can reproduce it on Debian with Librewolf, Firefox or Edge.
~Could you test it with non-flatpak applications?~
Try adding this line to /etc/systemd/resolved.conf: DNS=1.1.1.1
and restart systemd-resolved: $ sudo service systemd-resolved restart
Also many applications use Unix sockets to resolve domains, for example librewolf:
[pid 1925621] connect(88, {sa_family=AF_UNIX, sun_path="/run/systemd/resolve/io.systemd.Resolve"}, 42 <unfinished ...>
(https://www.freedesktop.org/software/systemd/man/org.freedesktop.resolve1.html)
We currently don't intercept this traffic, that's why opensnitch only displays IPs.
Thanks! I added Mullvad's DNS servers to the file and restarted systemd-resolved and now I see domain names!
I think this should be added somewhere as a manual.
What I did in one command:
#!/usr/bin/env bash
# Interactive DNS setup for systemd-resolved; defaults to Mullvad's resolvers.
while true; do
    read -rp "Your local DNS server will be set to 'MullvadDNS without Content Block', do you want to change that? " yn
    case $yn in
        [YyjJ]* ) read -rp "DNS: " DNS
                  read -rp "FallbackDNS: " FDNS
                  # double quotes so the shell expands $DNS and $FDNS inside the sed expression
                  sudo sed -i "s/^#DNS=/DNS=$DNS/" /etc/systemd/resolved.conf
                  sudo sed -i "s/^#FallbackDNS=/FallbackDNS=$FDNS/" /etc/systemd/resolved.conf && break;;
        [Nn]* ) sudo sed -i 's/^#DNS=/DNS=194.242.2.2/' /etc/systemd/resolved.conf
                sudo sed -i 's/^#FallbackDNS=/FallbackDNS=193.19.108.2/' /etc/systemd/resolved.conf && break;;
        * ) echo "Please answer yes or no.";;
    esac
done
# Enable DNSSEC validation, opportunistic DNS-over-TLS and caching
sudo sed -i 's/^#DNSSEC=no/DNSSEC=yes/' /etc/systemd/resolved.conf
sudo sed -i 's/^#DNSOverTLS=no/DNSOverTLS=opportunistic/' /etc/systemd/resolved.conf
sudo sed -i 's/^#Cache=yes/Cache=yes/' /etc/systemd/resolved.conf
sudo systemctl restart systemd-resolved.service
So this includes interactive choosing of the DNS server; otherwise Mullvad's is chosen. It is fast and more private than Cloudflare. Also some essential configs are added; this should fit your idea of the use case for the app.
wow @firefoxlover !! thank you for this, I'll add it to the wiki.
I'm investigating how to intercept systemd-resolved queries via varlink/ebpf/dbus.
I might have a solution for this scenario. It also improves the use case when systemd-resolved is configured to work with DNSSEC=yes and DoT.
Would you be willing to test an opensnitchd binary? Or I can post the module for you to compile it on your machine.
As far as I can tell, this issue has been fixed here: https://github.com/evilsocket/opensnitch/commit/b560ad6967b6148c5a2f204bb3fd2239e4c8bdac
I've tested it with flatpaks (edge, librewolf) and systemd-resolved options DNSSEC=yes and DNSSecOverTLS=yes.
I haven't tested it with VPNs, so if you could undo your changes to your resolved.conf and test it with the latest changes, that would be super helpful.
Note: this systemd-resolved option is only available since systemd-resolved 252. On Debian >= 12 the option is enabled by default (at least the socket path exists /run/systemd/resolved/io.systemd.Resolve.Monitor)
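As an added illustration of the two points above (applications resolving names through the io.systemd.Resolve Unix socket, and the io.systemd.Resolve.Monitor socket that systemd-resolved 252+ exposes for observing query results), here is a small Python reader for that monitor socket. This is example code written for this thread, not opensnitch's implementation. It assumes the socket path /run/systemd/resolve/io.systemd.Resolve.Monitor, the varlink method io.systemd.Resolve.Monitor.SubscribeQueryResults, and the reply layout (state, question, answer entries carrying an rr with key and address byte array) as documented by systemd; the sample messages used for the offline demo are constructed.

```python
"""Map resolved domain names to IP addresses by subscribing to systemd-resolved's
varlink monitor. Added example, not opensnitch's code; socket path, method name
and reply layout are assumptions taken from systemd's documentation."""
import json
import socket

MONITOR_SOCKET = "/run/systemd/resolve/io.systemd.Resolve.Monitor"  # assumed path
SUBSCRIBE = {"method": "io.systemd.Resolve.Monitor.SubscribeQueryResults", "more": True}
TYPE_A, TYPE_AAAA = 1, 28


def split_varlink_messages(buf: bytes):
    """Varlink frames every JSON message with a trailing NUL byte.
    Returns (complete_messages, leftover_partial_bytes)."""
    parts = buf.split(b"\0")
    return parts[:-1], parts[-1]


def address_to_text(addr, rtype):
    """systemd encodes A/AAAA addresses as byte arrays; turn them back into text.
    Anything else (CNAME, TXT, malformed lengths) yields None and is skipped."""
    if rtype == TYPE_A and len(addr) == 4:
        return ".".join(str(b) for b in addr)
    if rtype == TYPE_AAAA and len(addr) == 16:
        return socket.inet_ntop(socket.AF_INET6, bytes(addr))
    return None


def extract_mappings(message: dict):
    """Return (domain, ip) pairs from one SubscribeQueryResults reply.
    Only successful lookups with A/AAAA answers produce mappings; the IP is tied
    to the *question* name, so a CNAME chain maps back to what the app asked for."""
    params = message.get("parameters", {})
    if params.get("state") != "success":
        return []
    asked = [q["name"] for q in params.get("question", [])]
    pairs = []
    for entry in params.get("answer", []):
        rr = entry.get("rr", {})
        addr = rr.get("address")
        if addr is None:
            continue
        ip = address_to_text(addr, rr.get("key", {}).get("type"))
        if ip is None:
            continue
        for name in asked or [rr.get("key", {}).get("name")]:
            pairs.append((name, ip))
    return pairs


def monitor(path=MONITOR_SOCKET, handler=print):
    """Live subscription: needs privileges to open the monitor socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(json.dumps(SUBSCRIBE).encode() + b"\0")
        pending = b""
        while chunk := s.recv(65536):
            msgs, pending = split_varlink_messages(pending + chunk)
            for raw in msgs:
                reply = json.loads(raw)
                if "error" in reply:
                    raise RuntimeError(reply["error"])
                for domain, ip in extract_mappings(reply):
                    handler(domain, ip)


# Constructed sample stream (not captured from a real system): a CNAME chain
# answered with an A record, an AAAA answer, an NXDOMAIN, and a partial frame.
def _frame(obj):
    return json.dumps(obj).encode() + b"\0"


SAMPLE_STREAM = (
    _frame({"parameters": {"state": "success",
            "question": [{"class": 1, "type": TYPE_A, "name": "www.example.org"}],
            "answer": [
                {"rr": {"key": {"class": 1, "type": 5, "name": "www.example.org"},
                        "name": "example.org"}, "ifindex": 2},
                {"rr": {"key": {"class": 1, "type": TYPE_A, "name": "example.org"},
                        "address": [192, 0, 2, 1]}, "ifindex": 2}]},
            "continues": True})
    + _frame({"parameters": {"state": "success",
              "question": [{"class": 1, "type": TYPE_AAAA, "name": "example.org"}],
              "answer": [{"rr": {"key": {"class": 1, "type": TYPE_AAAA, "name": "example.org"},
                                 "address": [0x20, 0x01, 0x0d, 0xb8] + [0] * 11 + [1]},
                          "ifindex": 2}]},
              "continues": True})
    + _frame({"parameters": {"state": "nxdomain",
              "question": [{"class": 1, "type": TYPE_A, "name": "nope.example.org"}]},
              "continues": True})
    + b'{"partial'
)


def demo():
    """Run the parser over the constructed stream; returns (pairs, leftover)."""
    msgs, leftover = split_varlink_messages(SAMPLE_STREAM)
    pairs = []
    for raw in msgs:
        pairs.extend(extract_mappings(json.loads(raw)))
    return pairs, leftover


if __name__ == "__main__":
    print(demo())
```

The offline demo exercises the parsing path; `monitor()` is the live path and only works where the monitor socket exists and the process may open it. Keying the mapping on the question name rather than the answer's owner name is the choice that matters for a firewall pop-up: the user wants to see the name the application asked for, not the last hop of a CNAME chain.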
Summary:
Currently when blocking IPs you just see a bunch of numbers. It would be very beneficial to integrate DNS, to be able to know what you block.
Use cases:
Great Tool! Donated to both of you, thanks for your work!