Open phantomcraft opened 6 years ago
I failed to wrap stubby (v1.5.1-1 debian package) with torsocks (v2.3.0-2):
$ TORSOCKS_ALLOW_INBOUND=1 TORSOCKS_LOG_LEVEL=5 /usr/bin/torsocks /usr/bin/stubby -C /etc/stubby/test.yml
[...]
[15:36:13.895632] STUBBY: Read config from file /etc/stubby/test.yml
1621870573 DEBUG torsocks[29757]: [fclose] Close caught for fd 3 (in tsocks_fclose() at fclose.c:45)
1621870573 DEBUG torsocks[29757]: [getaddrinfo] Requesting 127.0.0.1 hostname (in tsocks_getaddrinfo() at getaddrinfo.c:44)
1621870573 DEBUG torsocks[29757]: [getaddrinfo] Node 127.0.0.1 will be passed to the libc call (in tsocks_getaddrinfo() at getaddrinfo.c:110)
1621870573 DEBUG torsocks[29757]: [getaddrinfo] Requesting 127.0.0.1 hostname (in tsocks_getaddrinfo() at getaddrinfo.c:44)
1621870573 DEBUG torsocks[29757]: [getaddrinfo] Node 127.0.0.1 will be passed to the libc call (in tsocks_getaddrinfo() at getaddrinfo.c:110)
1621870573 DEBUG torsocks[29757]: [socket] Creating socket with domain 2, type 2 and protocol 0 (in tsocks_socket() at socket.c:33)
1621870573 DEBUG torsocks[29757]: IPv4/v6 non TCP socket denied. Tor network can't handle it. (in tsocks_socket() at socket.c:69)
error: Could not bind on given addresses: Operation not permitted
1621870573 DEBUG torsocks[29757]: [onion] Destroying onion pool containing 0 entry (in onion_pool_destroy() at onion.c:148)
I wonder what triggered "Could not bind on given addresses" though.
strace does not indicate any bind syscalls:
$ strace -f -e trace=socket,bind,listen,connect env LD_PRELOAD=/usr/lib/arm-linux-gnueabihf/torsocks/libtorsocks.so /usr/bin/stubby -C /etc/stubby/test.yml
[15:45:29.672440] STUBBY: Read config from file /etc/stubby/test.yml
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
error: Could not bind on given addresses: Operation not permitted
+++ exited with 1 +++
$ /usr/bin/stubby -C /etc/stubby/test.yml -i | grep -A 7 listen_addresses
[15:47:02.512070] STUBBY: Read config from file /etc/stubby/test.yml
Result: Config file syntax is valid.
"listen_addresses":
[
{
"address_data": <bindata for 127.0.0.1>,
"address_type": <bindata of "IPv4">,
"port": 5300
}
],
workaround: route stubby's tls dns requests through tor's transparent proxy
I tested with proxychains-ng: https://github.com/rofl0r/proxychains-ng
It works.
Thanks for recommending proxychains-ng, @phantomcraft! Worked great so far.
# /etc/proxychains4.conf
strict_chain
[ProxyList]
socks4 127.0.0.1 9050
I have been using Stubby with proxychains-ng in a script and it works great.
Using it with Tor would make it even more private.
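
Added example (not from any participant in this thread, nor from the torsocks or stubby projects): a Python decoder for the torsocks "[socket]" debug lines in the report at the top of this thread, showing that the denied request was an AF_INET / SOCK_DGRAM (UDP) socket. It assumes Linux numeric constants; the function names denied_sockets and decode_type are hypothetical.

```python
import re

# Linux numeric values (assumption: the log comes from a Linux host, as on the page).
DOMAINS = {1: "AF_UNIX", 2: "AF_INET", 10: "AF_INET6"}
TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
TYPE_FLAGS = {0o4000: "SOCK_NONBLOCK", 0o2000000: "SOCK_CLOEXEC"}

SOCKET_RE = re.compile(
    r"torsocks\[(\d+)\]: \[socket\] Creating socket with domain (\d+), "
    r"type (\d+) and protocol (\d+)")
DENIED_RE = re.compile(r"torsocks\[(\d+)\]: .*non TCP socket denied")


def decode_type(value):
    """Split a socket() type argument into its base type and flag names."""
    flags = [name for bit, name in TYPE_FLAGS.items() if value & bit]
    base = value & ~sum(TYPE_FLAGS)  # clear the flag bits, keep the base type
    return "|".join([TYPES.get(base, str(base))] + flags)


def denied_sockets(log_text):
    """Return the decoded socket() requests that torsocks logged as denied."""
    pending = {}  # pid -> most recent decoded socket() request
    denied = []
    for line in log_text.splitlines():
        m = SOCKET_RE.search(line)
        if m:
            pid, domain, stype, proto = (int(g) for g in m.groups())
            pending[pid] = {"pid": pid,
                            "domain": DOMAINS.get(domain, str(domain)),
                            "type": decode_type(stype),
                            "protocol": proto}
            continue
        m = DENIED_RE.search(line)
        if m and int(m.group(1)) in pending:
            denied.append(pending.pop(int(m.group(1))))
    return denied


# Sample input: the two relevant lines copied from the debug output in the report.
SAMPLE = """\
1621870573 DEBUG torsocks[29757]: [socket] Creating socket with domain 2, type 2 and protocol 0 (in tsocks_socket() at socket.c:33)
1621870573 DEBUG torsocks[29757]: IPv4/v6 non TCP socket denied. Tor network can't handle it. (in tsocks_socket() at socket.c:69)
"""

if __name__ == "__main__":
    for s in denied_sockets(SAMPLE):
        print(f"pid {s['pid']}: {s['domain']} {s['type']} proto {s['protocol']} denied")
```

The log places the denial in tsocks_socket(), the preloaded library's own wrapper, which is consistent with the strace output in the report showing no socket(AF_INET, ...) or bind syscall.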