netblue30 / fdns

Firejail DNS-over-HTTPS Proxy Server
GNU General Public License v3.0

fdns and network sandbox - how to get them work together ? #69

Open GFNIAE opened 2 years ago

GFNIAE commented 2 years ago

Hello,

I use fdns on antiX Linux 21 with runit as an init process, and connman as a connection manager. Standard "sudo fdns --daemonize" then "firejail dns=127.1.1.1 palemoon" works well, and "fdns --monitor" lets you see the name resolution working.

However on MX Linux 21, I cannot get this working. I added "--nodnsproxy" to the connmand options. "sudo fdns" shows this kind of output:

fdns starting
connecting to ffmuc2 server
listening on 127.1.1.1
470 filter entries added from /etc/fdns/trackers
8940 filter entries added from /etc/fdns/fp-trackers
10158 filter entries added from /etc/fdns/coinblocker
60945 filter entries added from /etc/fdns/adblocker
(0) Alert: SSL3 alert write:warning:close notify
(1) Alert: SSL3 alert write:warning:close notify
ip 5.1.66.255
09:38:49 (0) SSL connection opened to 5.1.66.255
ip 5.1.66.255
09:38:49 (1) SSL connection opened to 5.1.66.255
09:38:50 (0) h2 transport up
09:38:50 (1) h2 transport up
09:38:51 (0) keepalive 142
incoming data
(1) Alert: SSL3 alert write:warning:close notify
09:39:55 (1) SSL connection closed

"fdns --monitor"

127.1.1.1 ffmuc2 ENCRYPTED (DoH 0.00 ms, 170 s)
requests 0, drop 0, cache 0, fwd 0, fallback 0

(1) SSL connection opened to 5.1.66.255
(1) h2 transport up
(0) SSL connection opened to 5.1.66.255
(0) h2 transport up
(1) SSL connection closed
(0) SSL connection closed
(1) SSL connection opened to 5.1.66.255
(1) h2 transport up
(0) SSL connection opened to 5.1.66.255
(0) h2 transport up

And palemoon or librewolf don't want to connect to anything. What should I check or change?

GFNIAE commented 2 years ago

Hello again, I have found that fdns runs OK if I don't use --net=wlan0 as a firejail option (it was in my ~/firejail/globals.local options file).

So my issue should be changed: is there a way to use fdns as a DNS proxy, and network isolation through the "net" option in firejail? Or should I choose one of them? I believe that the "net" option in firejail is great to isolate the network and be sure that your sandboxed process cannot see what's going on with other connected processes. I would like to have both, network sandbox and DoH through the fdns proxy...

GFNIAE commented 2 years ago

Hello, I found a way to achieve my goal (network isolation with the firejail --net=... option, and DoH through fdns):

But that's not very handy, since you have to use sudo to launch an "everyday" app. Without that, fdns listens on 127.1.1.1 (default address), but cannot see what's going on inside your firejail network-sandboxed process. You would need a kind of exception in order to let DNS requests go through the sandboxed network to 127.1.1.1. I don't know whether such an exception can be set.

rusty-snake commented 2 years ago

OT

since you have to use sudo to launch an "everyday" app.

https://github.com/rusty-snake/fdns4users#alternatives

GFNIAE commented 2 years ago

Thanks rusty-snake for the link! That's obviously what I needed.

I found another useful way to start fdns: I wrote a "/usr/bin/fdns --daemonize" file in /etc/network/if-up.d that launches fdns when the network is up, which is nice. That way I don't need to add a command when I launch an app through fdns, and I don't need sudo as well. Of course I have only one fdns running with one port available, so fewer abilities than with "sudo fdns --options...." for each application.

Surprisingly I didn't manage to switch off fdns in /etc/network/if-down.d, it seems to have no effect (with /usr/bin/pkill fdns). I use connman as my network manager.
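One way to wire the start and stop into ifupdown hooks, as an added example that is not from the fdns project or the commenter: a single script placed (or symlinked) into both /etc/network/if-up.d and /etc/network/if-down.d, choosing the action from the IFACE and MODE variables that ifupdown exports to its hooks. It assumes fdns lives at /usr/bin/fdns and that the hook directories are actually run on this system; whether connman triggers them is exactly what the thread leaves open.

```shell
#!/bin/sh
# Added example: one ifupdown hook usable from both if-up.d and if-down.d.
# ifupdown exports IFACE (interface name) and MODE ("start" or "stop") to
# every hook script; both variables are assumed here.
FDNS_BIN=/usr/bin/fdns          # assumed install path of the fdns binary

# Decide what to do for an interface event. Prints one word:
#   start  - a real interface came up, launch the daemon
#   stop   - a real interface went down, stop the daemon
#   ignore - loopback, empty name or unknown mode, do nothing
fdns_hook_action() {
    iface=$1
    mode=$2
    case "$iface" in
        lo|"") echo ignore; return 0 ;;
    esac
    case "$mode" in
        start) echo start ;;
        stop)  echo stop ;;
        *)     echo ignore ;;
    esac
}

# True when an fdns process already exists; a second copy would only fight
# for the same 127.1.1.1 listener.
fdns_running() {
    pgrep -x fdns >/dev/null 2>&1
}

fdns_hook_main() {
    action=$(fdns_hook_action "${IFACE:-}" "${MODE:-}")
    case "$action" in
        start)
            if fdns_running; then
                logger -t fdns-hook "fdns already running, not starting again"
            else
                logger -t fdns-hook "starting fdns for $IFACE"
                "$FDNS_BIN" --daemonize
            fi
            ;;
        stop)
            logger -t fdns-hook "stopping fdns for $IFACE"
            pkill -x fdns || true
            ;;
    esac
}

# Only act when ifupdown invoked us (IFACE set); sourcing the file is a no-op.
if [ -n "${IFACE:-}" ]; then
    fdns_hook_main
fi
```

Install it once as /etc/network/if-up.d/fdns and symlink that into if-down.d, so the same logic handles both directions and the start path stays idempotent across repeated "up" events.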