DNS leak? Process escapes sandbox to use host's DNS call?

[garywill]

I used firejail in this way:

brctl addbr tmp0

Set tmp0 ip 192.168.88.1 and serve DHCP and DNS using dnsmasq on tmp0, and provide Internet to NATed tmp0 via iptables.

If dnsmasq receives DNS query, I'll see in the log.

firejail --noprofile --net=tmp0 --dns=192.168.88.1

In firejail shows the right DNS I specified:

$ cat /etc/resolv.conf
nameserver 192.168.88.1

Problem is, in firejail dig and nslookup use the DNS that my dnsmasq provides, but curl and firefox still use host's DNS , as if the run not in sandbox. (In firejail Internet is provided by iptables NAT, and I banned it's access to host's DNS )

[garywill]

I did strace and found ping,curl don't read /etc/resolve.conf. host,dig,nslookup does. I guess that's one of the reasons. Still, the problem is sandbox escaped.

[rusty-snake]

@garywill IDK how curl finds out where to look-up, but I tryed with --dns=0.0.0.0 to see if the cutom dns-server is used or not. I found out that if you use --net the --dns is considered.

[garywill]

It's because of nscd. Need --blacklist=/var/run/nscd

[glitsj16]

It's because of nscd. Need --blacklist=/var/run/nscd

@garywill Can you do a PR on the profiles that need this please?

[rusty-snake]

@garywill what shows grep ^hosts /etc/nsswitch.conf?

[garywill]

@rusty-snake

$ grep ^hosts /etc/nsswitch.conf
hosts:      files mdns_minimal [NOTFOUND=return] dns

@glitsj16 I don't know. I know hardly nothing about firejail's profile mechanism. What profile will be accounted when --net is used?

[glitsj16]

$ grep ^hosts /etc/nsswitch.conf hosts: files mdns_minimal [NOTFOUND=return] dns

When you change this to hosts: files mdns_minimal dns, do you observe any changes (for the better hopefully)?

[garywill]

@glitsj16 Nope. Nothing different with editted nsswitch.conf