safing / portmaster

🏔 Love Freedom - ❌ Block Mass Surveillance
https://safing.io
GNU General Public License v3.0

[Compatibility Report] Linux Mint Cinnamon DNS requests are not always routed through the DNS in Portmaster #1616

Open Uneccessary opened 2 weeks ago

Uneccessary commented 2 weeks ago

What worked?

Everything besides the reported issue.

What did not work?

Portmaster configures itself as the DNS resolver, but it's often ignored, with DNS requests being made through the System/Network DNS instead. I tested this on a fresh installation of Linux Mint, after disabling the pre-installed firewall. The logs are not from this test.

I conducted the tests via: https://www.dnscheck.tools/.

Additional Information:

I have "Ignore System/Network Servers" enabled, which solves the issue of the DNS configured in Portmaster being bypassed. However, DNS requests that would have been routed through the System's DNS are not resolved, causing an error. These are shown as DNS requests in Portmaster with a yellow dot (see attachment for further information).


github-actions[bot] commented 2 weeks ago

Hey @Uneccessary, thank you for reporting on a compatibility.

We keep a list of compatible software and user provided guides for improving compatibility in the wiki - please have a look there. If you can't find your software in the list, then a good starting point is our guide on How do I make software compatible with Portmaster.

If you have managed to establish compatibility with an application, please share your findings here. This will greatly help other users encountering the same issues.

github-actions[bot] commented 2 weeks ago

Greetings and welcome to our community! As this is the first issue you opened here, we wanted to share some useful infos with you:

github-actions[bot] commented 2 weeks ago

Hey @Uneccessary, thank you for raising this issue with us.

After a first review we noticed that this does not seem to be a technical issue, but rather a configuration issue or general question about how Portmaster works.

Thus, we invite the community to help with configuration and/or answering these questions.

If you are in a hurry or haven't received an answer, a good place to ask is in our Discord community.

If your problem or question has been resolved or answered, please come back and give an update here for other users encountering the same and then close this issue.

If you are a paying subscriber and want this issue to be checked out by Safing, please send us a message on Discord or via Email with your username and the link to this issue, so we can prioritize accordingly.

Raphty commented 2 weeks ago

It does not look like a compatibility but a configuration error - in the debug info you sent I don't see that you disabled system DNS, also the configured DNS servers look to be wrong... which would lead to Portmaster having to fall back to the system DNS.

further, browsers sometimes want to use their own dns, if you say sometimes, then I would assume that it happens depending on the browser you use. Portmaster tells you that there was a bypass attempt - but depending on your config you can block a bypass or allow it.

Again, I feel like you misconfigured Portmaster. Even though Mint is not officially supported by us, I know of several people who have no issues running Portmaster on Mint.

Uneccessary commented 2 weeks ago

> I don't see that you disabled system DNS

System DNS is unconfigured, and the DNS of my ISP is being used.

> also the configured dns servers look to be wrong...

They are not. They work fine on Windows 11, and they are just like in your documentation for NextDNS. Also, using the presets would probably end up with the same issue. I can try it too.

> further, browsers sometimes want to use their own dns, if you say sometimes, then I would assume that it happens depending on the browser you use.

Sorry, I probably wasn't really clear about that one. It basically depends on whether Portmaster has been restarted recently, which somehow solves the issue (for a short time period), and on whether the DNS query is cached or not. DNS queries that are cached are not affected.

I tested it in Brave, LibreWolf, and Chromium build by Linux Mint. I disabled Secure DNS in each of them.

> Even though mint is not officially supported by us, I know of several people who have no issues running Portmaster on mint

I suggest they test whether their configured DNS is actually being bypassed or not. Most people are probably not aware that their DNS configured in Portmaster is bypassed.

https://dnscheck.tools/

Uneccessary commented 2 weeks ago

You can test it yourself using a Virtual Machine (ensure the host OS does not use the DNS that is configured in Portmaster, nor should Portmaster be running, to avoid false positives). Install Linux Mint, disable Linux Mint's Firewall application (as it could cause issues) and then set up Portmaster. And run the test in your preferred browser.

https://dnscheck.tools/

Raphty commented 2 weeks ago

> You can test it yourself using a Virtual Machine (ensure the host OS does not use the DNS that is configured in Portmaster, nor should Portmaster be running, to avoid false positives). Install Linux Mint, disable Linux Mint's Firewall application (as it could cause issues) and then set up Portmaster. And run the test in your preferred browser.
>
> https://dnscheck.tools/

Again, Mint is not supported by us, we don't test it. You are the first and only report of this, and we do have many reports to the contrary.

If someone else wants to test this please let us know what your results are.

Uneccessary commented 2 weeks ago

> again mint is not supported by us, we don't test it

I apologize, I thought compatibility reports were available to report non-compatible Linux distributions, etc. and that these would receive appropriate treatment.

Raphty commented 2 weeks ago

You got me ❤️ .... we honestly want and try to help... but we need to focus on getting things done... I see you are not a developer (at least not on GH) so maybe you don't understand how entitled free users behave, thinking that everything needs to work on their platforms how they want...

I did install the vm... and it showed me why I hate mint... which is partially why we are not supporting it 🤣

I did not fiddle with the built in firewall or anything, just tried with firefox that came preinstalled and it did not show your described behavior... I am sorry but it seems to be your system that has issues... not a compatibility thing...

I hope you find a solution, maybe someone else can chime in and help, but we will not consider this an issue.

Uneccessary commented 2 weeks ago

I did the test once again, and have recorded it. The DNS requests were sometimes routed through the underlying OS's DNS. It seems you probably forgot to turn off Secure DNS in Firefox, which doesn't appear to have such issues.

https://github.com/safing/portmaster/assets/145043411/4437d0a7-c56b-4925-b71d-102b9d6a7218

I apologize for the low resolution, had to compress it due to the upload limit.

I did not disable the pre-installed Firewall application, just as you did. I used the pre-installed version of Firefox, as you did. The only difference is that I've disabled Secure DNS within Firefox.

Uneccessary commented 2 weeks ago

In addition you can also try: https://dnsleaktest.com/

It's provided by IVPN and shows the same results as the other test.

NormPlum commented 1 week ago

I'd like to help test this as I run Portmaster on Linux Mint.

Here's what I have/did:

When I go to https://www.dnscheck.tools/ it says my DNS resolvers are NextDNS (which is what my router uses).

However, if I change Portmaster's DNS servers to Cloudflare (from Quick Settings) and restart, then dnscheck says Cloudflare... And if I set Portmaster to use Adguard, dnscheck says Cloudflare and Google.

So maybe it has to do with the specific DNS servers...?