safing / portmaster

🏔 Love Freedom - ❌ Block Mass Surveillance
https://safing.io
GNU General Public License v3.0
9.39k stars, 305 forks

DNS response is sent back (and possibly leaked) to the resolver within ICMP error when querying process stops waiting for response #1734

Open AdamJedl opened 2 days ago

AdamJedl commented 2 days ago

What happened: I was capturing network traffic in Wireshark with display filter "dns" and saw packets with ICMP protocol that had unencrypted DNS data in them and additional records with the name "inf.portmaster". It happens only when Windows Defender Firewall is disabled. It doesn't happen on Linux. This can also be seen on the router when doing an sshdump capture in Wireshark.

What did you expect to happen?: That Portmaster sends DNS queries with DNS over HTTPS and redirects all plain DNS queries.

How did you reproduce it?:

1. Download "Top 1000000 domains" from Cloudflare: https://radar.cloudflare.com/domains
2. Run nslookup on random domains from the list
3. Run Wireshark with display filter "dns"
4. Some DNS queries are visible in Wireshark

Example packet:

```
Frame 291105: 355 bytes on wire (2840 bits), 355 bytes captured (2840 bits) on interface \Device\NPF_{xxxxxxxxxxxxx}, id 0
Ethernet II, Src: xx:xx:xx:xx:xx:xx (xx:xx:xx:xx:xx:xx), Dst: xx:xx:xx:xx:xx:xx (xx:xx:xx:xx:xx:xx)
Internet Protocol Version 4, Src: 192.168.x.xxx (192.168.x.xxx), Dst: dns9.quad9.net (9.9.9.9)
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 3 (Port unreachable)
    Checksum: 0xxxxx [correct]
    [Checksum Status: Good]
    Unused: 00000000
    Internet Protocol Version 4, Src: dns9.quad9.net (9.9.9.9), Dst: 192.168.x.xxx (192.168.x.xxx)
    User Datagram Protocol, Src Port: 53, Dst Port: 59904
        Source Port: 53
        Destination Port: 59904
        Length: 293
        Checksum: 0xd720 [unverified]
        [Checksum Status: Unverified]
        [Stream index: 1512]
        UDP payload (285 bytes)
    Domain Name System (response)
        Transaction ID: 0x0002
        Flags: 0x8180 Standard query response, No error
        Questions: 1
        Answer RRs: 2
        Authority RRs: 0
        Additional RRs: 3
        Queries
            mall.com: type A, class IN
                Name: mall.com
                [Name Length: 8]
                [Label Count: 2]
                Type: A (1) (Host Address)
                Class: IN (0x0001)
        Answers
            mall.com: type CNAME, class IN, cname cname.mall.com
                Name: mall.com
                Type: CNAME (5) (Canonical NAME for an alias)
                Class: IN (0x0001)
                Time to live: 17 (17 seconds)
                Data length: 16
                CNAME: cname.mall.com
            cname.mall.com: type A, class IN, addr 116.63.177.106
                Name: cname.mall.com
                Type: A (1) (Host Address)
                Class: IN (0x0001)
                Time to live: 17 (17 seconds)
                Data length: 4
                Address: cname.mall.com (116.63.177.106)
        Additional records
            inf.portmaster: type TXT, class IN
                Name: inf.portmaster
                Type: TXT (16) (Text strings)
                Class: IN (0x0001)
                Time to live: 0 (0 seconds)
                Data length: 31
                TXT Length: 30
                TXT: accepted: allowing dns request
            inf.portmaster: type TXT, class IN
                Name: inf.portmaster
                Type: TXT (16) (Text strings)
                Class: IN (0x0001)
                Time to live: 0 (0 seconds)
                Data length: 61
                TXT Length: 60
                TXT: freshly resolved by Quad9 (https://dns.quad9.net:443#config)
            inf.portmaster: type TXT, class IN
                Name: inf.portmaster
                Type: TXT (16) (Text strings)
                Class: IN (0x0001)
                Time to live: 0 (0 seconds)
                Data length: 23
                TXT Length: 22
                TXT: record valid for 10m0s
                [Unsolicited: True]
```

Debug Information: debug_info.txt (the debug info is from the beta channel, but it also happens on stable)
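The leak pattern in this report, as an added detection example that is not part of the issue or of Portmaster's code: a small parser that flags ICMP Destination Unreachable messages whose quoted datagram is a DNS response (port 53 on either side), run against a constructed packet that mimics the one above (transaction ID 0x0002, flags 0x8180, question mall.com, quoted reply from 9.9.9.9 to port 59904). The packet builder and sample addresses are assumptions for the demo; checksums are left at zero and not verified.

```python
import struct

def build_dns_response(qname="mall.com", addr="116.63.177.106", txid=0x0002):
    """Constructed sample: minimal DNS response (flags 0x8180) with one A answer."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # qd=1, an=1
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)     # type A, class IN
    # Answer: compression pointer to the question name, A/IN, TTL 17, 4-byte rdata
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 17, 4)
    return header + question + answer + bytes(int(o) for o in addr.split("."))

def build_icmp_port_unreachable(src_ip, dst_ip, sport, dport, payload):
    """ICMP type 3 code 3 that quotes the whole original IPv4/UDP datagram.
    Checksums are left at 0 (constructed sample): the parser does not verify them."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return struct.pack("!BBHI", 3, 3, 0, 0) + ip + udp

def read_qname(msg, off):
    """Read an uncompressed name (the question name at offset 12 is never a pointer)."""
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels)

def inspect_icmp_error(icmp):
    """Return details when an ICMP Destination Unreachable quotes a DNS
    datagram (port 53 on either side), otherwise None."""
    if len(icmp) < 8 or icmp[0] != 3:
        return None
    inner = icmp[8:]                      # quoted original IPv4 datagram
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 17:                    # protocol field: not UDP
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    if 53 not in (sport, dport):
        return None
    dns = inner[ihl + 8:]                 # skip the quoted UDP header
    txid, flags, _qd, an = struct.unpack("!HHHH", dns[:8])
    return {"icmp_code": icmp[1], "src_port": sport, "dst_port": dport,
            "txid": txid, "is_response": bool(flags & 0x8000),
            "answers": an, "qname": read_qname(dns, 12)}
```

A hit with is_response set and src_port 53 is exactly the case in the capture: the resolver's answer is being echoed back to it in clear text, so this is the signature to alert on when validating a fix.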

github-actions[bot] commented 2 days ago

Greetings and welcome to our community! As this is the first issue you opened here, we wanted to share some useful info with you:

dhaavi commented 1 day ago

Hey @AdamJedl, thanks for your report.

It seems that the process stopped waiting for the DNS response, triggering an ICMP error message - including the DNS response - back to the resolver.

Unfortunately, there is no immediate fix we can apply here. Until we have a fix, I recommend you mitigate with the following options: