qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License
8.04k stars 371 forks

Proxy DNS problem #30

Closed frepke closed 5 years ago

frepke commented 5 years ago

Hello Quentin,

I've been using the container with Proxy=on for a while now; it works great, but I have some problems with the DNS routing.

On my MacBook I've set the proxy settings in the advanced network settings. When I check the connection in my browser as you described, it reports a VPN IP address and Cloudflare's DNS addresses, so everything looks fine (even when I change my DNS address in the network settings to a non-existent address). But when I change this DNS address, my e-mail client (and some other programs) won't connect to the internet anymore. I have the same problem with my Kodi box: with a non-existent DNS address it won't find or play anything from the internet.

kr., Frepke

qdm12 commented 5 years ago

In my opinion, the HTTP proxy only tunnels the TCP traffic of the application connected to it. DNS resolution happens on UDP port 53, which unfortunately should not go through the HTTP proxy. Maybe I'm wrong!

You would need a VPN server to tunnel everything. Maybe run an OpenVPN server as a Docker container connected to this PIA container? But that's configuration-heavy, unfortunately.
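To make the TCP-only point above concrete, here is an added example (not code from the thread and not gluetun's own) in Go: a stub HTTP proxy that records what a `CONNECT` request asks for, and a client routed through it. The stub listener, the `mail.example.invalid` hostname and the function names are all constructed for the demonstration. The hostname reaches the proxy unresolved, which is why proxied TCP traffic gets its name resolution done inside the VPN, while a plain UDP 53 lookup made by the operating system resolver never touches the proxy at all.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"sync"
	"time"
)

// connectRecorder is a throwaway HTTP proxy stub (constructed for this example):
// it accepts CONNECT requests, records the requested target and refuses them.
type connectRecorder struct {
	ln      net.Listener
	mu      sync.Mutex
	targets []string
}

func newConnectRecorder() (*connectRecorder, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	r := &connectRecorder{ln: ln}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go r.handle(c)
		}
	}()
	return r, nil
}

func (r *connectRecorder) handle(c net.Conn) {
	defer c.Close()
	req, err := http.ReadRequest(bufio.NewReader(c))
	if err != nil {
		return
	}
	if req.Method == http.MethodConnect {
		// req.Host is the literal "host:port" from the request line. A real
		// proxy would resolve it itself before opening the upstream TCP stream.
		r.mu.Lock()
		r.targets = append(r.targets, req.Host)
		r.mu.Unlock()
	}
	// Refuse instead of relaying: this stub has no upstream.
	fmt.Fprint(c, "HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n")
}

// ConnectTargetSeenByProxy routes one HTTPS request through the stub proxy and
// returns the CONNECT target the stub saw. An unresolvable hostname is fine
// here because the client performs no lookup of its own for proxied TCP.
func ConnectTargetSeenByProxy(targetURL string) (string, error) {
	rec, err := newConnectRecorder()
	if err != nil {
		return "", err
	}
	defer rec.ln.Close()

	proxyURL := &url.URL{Scheme: "http", Host: rec.ln.Addr().String()}
	client := &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{Proxy: http.ProxyURL(proxyURL)},
	}
	// The stub's 502 surfaces as an error from Get; that is expected.
	if resp, err := client.Get(targetURL); err == nil {
		resp.Body.Close()
	}

	rec.mu.Lock()
	defer rec.mu.Unlock()
	if len(rec.targets) == 0 {
		return "", fmt.Errorf("proxy saw no CONNECT request")
	}
	return rec.targets[0], nil
}

func main() {
	target, err := ConnectTargetSeenByProxy("https://mail.example.invalid/")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("proxy received CONNECT for:", target)
	fmt.Println("an OS-level DNS lookup on UDP 53 would never reach this listener")
}
```

The recorded target is the unresolved `mail.example.invalid:443`: the proxy is the side that would look the name up. An application that resolves names itself (a mail client using the system resolver, a Kodi box) sends those UDP queries to whatever DNS server the operating system is configured with, outside the proxy, which matches the symptom described in the issue.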

frepke commented 5 years ago

Thanks,

Is your WireGuard Docker a possible solution?

Kr., Patrick

qdm12 commented 5 years ago

Unfortunately, WireGuard runs in kernel space, so it's hard if not impossible to run it as a container. You could however try your way with iptables, but that seems like a very complicated way.

You might have an easier path with an OpenVPN server container!

frepke commented 5 years ago

> Unfortunately, WireGuard runs in kernel space, so it's hard if not impossible to run it as a container. You could however try your way with iptables, but that seems like a very complicated way. ...

@qdm12 Gonna try (again 😊). Now that the possibility exists to publish the server ports in the PIA container, it's maybe possible.

Kr., Patrick

qdm12 commented 5 years ago

Maybe you could have a UDP proxy program running connected to PIA, and proxying to the host WireGuard server/interface listening port. That seems easier, although you might make it with iptables only (but no idea how yet).

frepke commented 5 years ago

Last week I received a router firmware update. This new firmware supports DoT and DNSSEC, so I think I'm good for now. All DNS requests through DoT and all the data through the PIA container.

In a few weeks I'll receive another router, so maybe your Cloudflare DNS server is a good option.

kr., Frepke

qdm12 commented 5 years ago

You could also simply run my DNS image on your server machine and point your router's DNS resolver to your machine's LAN IP address. This way all your DNS traffic would go through it. It's more of a workaround in your situation, but it works.

You can also run it on your client machine and set your DNS to 127.0.0.1.

frepke commented 5 years ago

Hi Quentin,

You mean your DNS image as I mentioned before (Cloudflare DNS server)?

Kr., Frepke

qdm12 commented 5 years ago

Hi there,

I mean this image I made. The only difference is that Cloudflare will see the DNS request is coming from your actual client IP address and not from the PIA one.

On the other hand, I am seeing this answer stating that a SOCKS5 proxy could work to tunnel UDP traffic. For example, Dante could work; I'll look into it soon to replace tinyproxy.

frepke commented 5 years ago

Sounds great 😊 I hope it will run on an ARM device.

qdm12 commented 5 years ago

Hi Frepke,

I just added support for Shadowsocks, which seems to tunnel both UDP and TCP. It should also tunnel DNS queries (as it complained about some domains, so it probably does!).

It's also better than tinyproxy as:

You could also support multiple ports with different passwords to access it, if you have multiple users but it seems a bit out of scope for now.

Let me know if it works on ARM!

Thank you for your patience.
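The two comments above (the SOCKS5 remark and the Shadowsocks UDP support) both rest on the same wire format, so here is one added example in Go, not code from the thread and not gluetun's own: an encoder and decoder for the SOCKS5 UDP datagram header of RFC 1928 section 7 (`RSV(2) FRAG(1) ATYP(1) DST.ADDR DST.PORT DATA`). Shadowsocks' UDP relay reuses the `ATYP`/`DST.ADDR`/`DST.PORT` part of this header in front of each datagram before encrypting it. The sample payload is a constructed DNS A query addressed to `127.0.0.1:53`, the "remote DNS 127.0.0.1" that the client setting discussed later in this thread refers to; the function and type names are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// UDPDatagram is one UDP payload plus the destination the proxy should relay it to.
type UDPDatagram struct {
	Frag byte   // fragment number; 0 means a stand-alone datagram
	Host string // IPv4 or IPv6 literal, or a domain name
	Port uint16
	Data []byte
}

var errShort = errors.New("socks5 udp: datagram too short")

// EncodeUDP wraps a payload in the RFC 1928 section 7 header:
// RSV(2) FRAG(1) ATYP(1) DST.ADDR DST.PORT DATA.
func EncodeUDP(d UDPDatagram) ([]byte, error) {
	out := []byte{0, 0, d.Frag}
	if ip := net.ParseIP(d.Host); ip != nil {
		if ip4 := ip.To4(); ip4 != nil {
			out = append(out, 0x01) // ATYP = IPv4
			out = append(out, ip4...)
		} else {
			out = append(out, 0x04) // ATYP = IPv6
			out = append(out, ip.To16()...)
		}
	} else {
		if len(d.Host) == 0 || len(d.Host) > 255 {
			return nil, fmt.Errorf("socks5 udp: bad domain length %d", len(d.Host))
		}
		out = append(out, 0x03, byte(len(d.Host))) // ATYP = domain, length-prefixed
		out = append(out, d.Host...)
	}
	out = append(out, byte(d.Port>>8), byte(d.Port))
	return append(out, d.Data...), nil
}

// DecodeUDP parses a datagram produced by EncodeUDP (or by a SOCKS5 client),
// rejecting anything truncated or with an unknown address type.
func DecodeUDP(b []byte) (UDPDatagram, error) {
	var d UDPDatagram
	if len(b) < 4 {
		return d, errShort
	}
	if b[0] != 0 || b[1] != 0 {
		return d, errors.New("socks5 udp: reserved bytes must be zero")
	}
	d.Frag = b[2]
	rest := b[4:]
	switch b[3] {
	case 0x01:
		if len(rest) < 4 {
			return d, errShort
		}
		d.Host, rest = net.IP(rest[:4]).String(), rest[4:]
	case 0x04:
		if len(rest) < 16 {
			return d, errShort
		}
		d.Host, rest = net.IP(rest[:16]).String(), rest[16:]
	case 0x03:
		if len(rest) < 1 || len(rest) < 1+int(rest[0]) {
			return d, errShort
		}
		n := int(rest[0])
		d.Host, rest = string(rest[1:1+n]), rest[1+n:]
	default:
		return d, fmt.Errorf("socks5 udp: unknown ATYP 0x%02x", b[3])
	}
	if len(rest) < 2 {
		return d, errShort
	}
	d.Port = uint16(rest[0])<<8 | uint16(rest[1])
	d.Data = append([]byte(nil), rest[2:]...)
	return d, nil
}

// BuildDNSQuery builds a minimal DNS A query (constructed sample traffic):
// 12-byte header with RD=1 and QDCOUNT=1, then the QNAME labels, QTYPE A, QCLASS IN.
func BuildDNSQuery(id uint16, name string) []byte {
	q := []byte{byte(id >> 8), byte(id), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0}
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		q = append(q, byte(len(label)))
		q = append(q, label...)
	}
	return append(q, 0, 0, 1, 0, 1)
}

func main() {
	query := BuildDNSQuery(0x1234, "example.com")
	pkt, err := EncodeUDP(UDPDatagram{Host: "127.0.0.1", Port: 53, Data: query})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("SOCKS5 UDP datagram (%d bytes): %x\n", len(pkt), pkt)
}
```

The 10-byte IPv4 header in front of the query is all that distinguishes a relayed datagram from a bare one; a client that implements `UDP ASSOCIATE` sends DNS this way, and a client that does not (as with the Windows Shadowsocks build mentioned later in the thread) sends the bare query to the system resolver instead, which is what a DNSSEC or DNS-leak test then detects.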

frepke commented 5 years ago

Thanks Quentin,

There it is, I'll try it asap and let you know the result.

Kr., Patrick

frepke commented 5 years ago

Hello Quentin,

The container is running on my ARM device. Unfortunately the DNSSEC test fails. I have DOT=on, but the DNS is OpenDNS :(

kr., Frepke

qdm12 commented 5 years ago

Did you publish the UDP port 8388 as well? On your client, did you enable "Send DNS over UDP" with the remote DNS as 127.0.0.1? (Yes, I should specify this in the readme...)

The Android client supports this for example, although some other clients don't. How do you test the DNSSEC?

Thanks!

frepke commented 5 years ago

Yes, I published UDP port 8388. I didn't enable "Send DNS over UDP" on the client (I don't know where to enable it; I'm using the Outline client on Mac and iPhone).

DNSSEC validation: https://www.internet.nl/connection/

qdm12 commented 5 years ago

Nice website! I'll add it to the readme.

Ok so it's a client issue.

On my Windows desktop, I have tried with shadowsocks-win and the DNSSEC test fails, so it does not tunnel UDP or DNS requests. On the other hand, on my Android phone, using Shadowsocks by Max Lv (the official one), there is the DNS tunneling option and the DNSSEC test works. So I'm happy it works, although you should test it with another client, and I have no idea which ones support DNS tunneling, unfortunately.

frepke commented 5 years ago

Hi Quentin,

It's a nice website indeed; I got the site from you :) https://github.com/qdm12/cloudflare-dns-server#verify-dns-connection

I saw Potatso Lite for iOS works with DNSSEC, and ShadowsocksX for macOS also.

kr., Frepke

qdm12 commented 5 years ago

Indeed, it was already in the readme, haha, I forgot!

I'll add a list of Shadowsocks clients supporting DNS tunneling.