tholian-network / stealth

:rocket: Stealth - Secure, Peer-to-Peer, Private and Automateable Web Browser/Scraper/Proxy
GNU General Public License v3.0

Stealth: DNS Protocol #58

Closed cookiengineer closed 3 years ago

cookiengineer commented 3 years ago

The current implementation of the DNS Protocol only supports fixed DNS over HTTPS requests. That was a good start, but in order to support more DNS servers out there (including DNS via TLS), it's necessary to implement an encoder and decoder inside the DNS Protocol that can be reused in an encrypted manner.

In order to have the same conventions, DNS via TLS will be named DNSS (as it's TCP-based anyway), and DNS itself will be UDP-based. The Multicast DNS Protocol will be named MDNS and will implement the service-based discovery aspects that will allow finding local peers in the same NAT automatically.

This will further allow using and observing DNS exfiltration techniques in the local network in order to break out of NATs that block HTTPS requests.

In the next iteration, the stealth/Server will also handle DNS requests in order to use DNS as a network protocol to connect to the service and handle API calls (when SRV is used) and handle host requests (when A, AAAA, etc. are requested). What the Multicast DNS structure of the protocol will look like is currently unclear and needs further research; though it might make sense to use the same structure as AirPrint, AirDrop, etc. for the sake of conventions and future compatibility, so the announced service will probably be stealth._tcp._local and stealth._udp._local.

protocol/DNS:

protocol/DNSS:

... this is a TODO for when DNS has been implemented, and will use the DNS Protocol implementation similar to how HTTPS reuses the HTTP Connection.

DNS via HTTPS implementation:

This implementation will be moved to the server/Host service, and the DNS.resolve() calls will be ported into a helper method as resolve_host().

cookiengineer commented 3 years ago

The first DNS implementation is now nearly complete.

What's left to do are the server-side resource record formatted encodings (including the string encodings of TXT entries).

The review needs further tests for the following DNS.send()/server/*:
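The wire-format encoder/decoder the first comment calls for (one codec that can sit under UDP, TCP, or TLS), together with the resource record encodings the second comment lists as remaining, including TXT character-strings, as an added example. This is not Stealth's own code: the function names (encodeMessage, decodeMessage, frameTCP, unframeTCP), the 16-bit length framing for the TCP/TLS transport, the sample exchange (RFC 5737/3849 documentation addresses, a made-up port) and the `_stealth._tcp.local` service name in the RFC 6763 `_service._proto.domain` form are all assumptions made for this example.

```javascript
// Added example, not Stealth's code: minimal DNS wire-format codec (RFC 1035)
// plus the 2-byte length framing used by DNS over TCP/TLS (RFC 7858).
// Only question and answer sections are handled; authority/additional are skipped.
const TYPES = { A: 1, TXT: 16, AAAA: 28, SRV: 33 };
const TYPE_NAMES = Object.fromEntries(Object.entries(TYPES).map(([k, v]) => [v, k]));

// Domain name -> length-prefixed labels terminated by a zero byte.
function encodeName(name) {
  const labels = name.replace(/\.$/, '').split('.').filter(Boolean);
  const parts = labels.map((label) => {
    const b = Buffer.from(label, 'ascii');
    if (b.length > 63) throw new Error('label longer than 63 bytes');
    return Buffer.concat([Buffer.from([b.length]), b]);
  });
  return Buffer.concat([...parts, Buffer.from([0])]);
}

// Read a name at `offset`, following 0xC0 compression pointers. Pointers must point
// backwards (only prior occurrences may be referenced), which also rules out pointer
// loops; `next` is the offset just past the name as it appears in the message.
function decodeName(buf, offset) {
  const labels = [];
  let pos = offset, next = null;
  for (;;) {
    if (pos >= buf.length) throw new Error('truncated name');
    const len = buf[pos];
    if (len === 0) { pos += 1; break; }
    if ((len & 0xc0) === 0xc0) {
      if (pos + 1 >= buf.length) throw new Error('truncated pointer');
      const target = ((len & 0x3f) << 8) | buf[pos + 1];
      if (target >= pos) throw new Error('forward compression pointer');
      if (next === null) next = pos + 2;
      pos = target;
      continue;
    }
    if (len > 63) throw new Error('unsupported label type');
    if (pos + 1 + len > buf.length) throw new Error('truncated label');
    labels.push(buf.subarray(pos + 1, pos + 1 + len).toString('ascii'));
    pos += 1 + len;
  }
  return { name: labels.join('.'), next: next === null ? pos : next };
}

function encodeIPv6(ip) {
  const [head, tail = ''] = ip.split('::');
  const h = head ? head.split(':') : [], t = tail ? tail.split(':') : [];
  const fill = 8 - h.length - t.length;
  if (fill < 0 || (fill > 0 && !ip.includes('::'))) throw new Error('bad IPv6 address');
  const groups = [...h, ...new Array(fill).fill('0'), ...t];
  const out = Buffer.alloc(16);
  groups.forEach((g, i) => out.writeUInt16BE(parseInt(g, 16), i * 2));
  return out;
}

const ENCODE_RDATA = {
  A: (ip) => {
    const octets = ip.split('.').map(Number);
    if (octets.length !== 4 || octets.some((n) => !(n >= 0 && n <= 255))) throw new Error('bad IPv4 address');
    return Buffer.from(octets);
  },
  AAAA: encodeIPv6,
  // TXT rdata is a sequence of <character-string>s: one length byte + up to 255 bytes each.
  TXT: (strings) => Buffer.concat(strings.map((s) => {
    const b = Buffer.from(s, 'utf8');
    if (b.length > 255) throw new Error('TXT string longer than 255 bytes');
    return Buffer.concat([Buffer.from([b.length]), b]);
  })),
  SRV: ({ priority, weight, port, target }) => {
    const fixed = Buffer.alloc(6);
    fixed.writeUInt16BE(priority, 0); fixed.writeUInt16BE(weight, 2); fixed.writeUInt16BE(port, 4);
    return Buffer.concat([fixed, encodeName(target)]);
  },
};

// Decode rdata of a known type; `buf` is the whole message so SRV targets may use compression.
function decodeRdata(type, buf, off, len) {
  const rd = buf.subarray(off, off + len);
  switch (type) {
    case TYPES.A:
      if (len !== 4) throw new Error('bad A rdata');
      return Array.from(rd).join('.');
    case TYPES.AAAA:
      if (len !== 16) throw new Error('bad AAAA rdata');
      return Array.from({ length: 8 }, (_, i) => rd.readUInt16BE(i * 2).toString(16)).join(':');
    case TYPES.TXT: {
      const out = [];
      for (let p = 0; p < rd.length;) {
        const l = rd[p];
        if (p + 1 + l > rd.length) throw new Error('truncated TXT string');
        out.push(rd.subarray(p + 1, p + 1 + l).toString('utf8'));
        p += 1 + l;
      }
      return out;
    }
    case TYPES.SRV:
      if (len < 7) throw new Error('bad SRV rdata');
      return { priority: rd.readUInt16BE(0), weight: rd.readUInt16BE(2), port: rd.readUInt16BE(4), target: decodeName(buf, off + 6).name };
    default:
      return rd; // unknown type: hand back the raw bytes
  }
}

function encodeMessage({ id, response = false, rcode = 0, questions = [], answers = [] }) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE((response ? 0x8000 : 0) | 0x0100 | (rcode & 0xf), 2); // QR | RD | RCODE
  header.writeUInt16BE(questions.length, 4);
  header.writeUInt16BE(answers.length, 6);
  const qs = questions.map((q) => {
    const tail = Buffer.alloc(4);
    tail.writeUInt16BE(TYPES[q.type], 0); tail.writeUInt16BE(1, 2); // class IN
    return Buffer.concat([encodeName(q.name), tail]);
  });
  const as = answers.map((a) => {
    const rdata = ENCODE_RDATA[a.type](a.data);
    const fixed = Buffer.alloc(10);
    fixed.writeUInt16BE(TYPES[a.type], 0); fixed.writeUInt16BE(1, 2);
    fixed.writeUInt32BE(a.ttl ?? 0, 4); fixed.writeUInt16BE(rdata.length, 8);
    return Buffer.concat([encodeName(a.name), fixed, rdata]);
  });
  return Buffer.concat([header, ...qs, ...as]);
}

function decodeMessage(buf) {
  if (buf.length < 12) throw new Error('message shorter than DNS header');
  const flags = buf.readUInt16BE(2), qd = buf.readUInt16BE(4), an = buf.readUInt16BE(6);
  const questions = [], answers = [];
  let pos = 12;
  for (let i = 0; i < qd; i++) {
    const { name, next } = decodeName(buf, pos);
    if (next + 4 > buf.length) throw new Error('truncated question');
    const type = buf.readUInt16BE(next);
    questions.push({ name, type: TYPE_NAMES[type] ?? type });
    pos = next + 4;
  }
  for (let i = 0; i < an; i++) {
    const { name, next } = decodeName(buf, pos);
    if (next + 10 > buf.length) throw new Error('truncated resource record');
    const type = buf.readUInt16BE(next), ttl = buf.readUInt32BE(next + 4), rdlen = buf.readUInt16BE(next + 8);
    const off = next + 10;
    if (off + rdlen > buf.length) throw new Error('truncated rdata');
    answers.push({ name, type: TYPE_NAMES[type] ?? type, ttl, data: decodeRdata(type, buf, off, rdlen) });
    pos = off + rdlen;
  }
  return { id: buf.readUInt16BE(0), response: (flags & 0x8000) !== 0, rcode: flags & 0xf, questions, answers };
}

// DNS over TCP and over TLS prefix each message with a 16-bit big-endian length.
function frameTCP(message) {
  const len = Buffer.alloc(2);
  len.writeUInt16BE(message.length, 0);
  return Buffer.concat([len, message]);
}

// Split a byte stream into complete messages; `rest` is the incomplete tail to keep for the next read.
function unframeTCP(stream) {
  const messages = [];
  let pos = 0;
  while (pos + 2 <= stream.length) {
    const len = stream.readUInt16BE(pos);
    if (pos + 2 + len > stream.length) break;
    messages.push(stream.subarray(pos + 2, pos + 2 + len));
    pos += 2 + len;
  }
  return { messages, rest: stream.subarray(pos) };
}

// Constructed sample exchange (documentation addresses, made-up port): a query and the
// reply a resolver could send, pushed through TCP framing and decoded again.
function roundTrip() {
  const question = { name: 'example.com', type: 'A' };
  const query = encodeMessage({ id: 0x1234, questions: [question] });
  const reply = encodeMessage({
    id: 0x1234, response: true, questions: [question],
    answers: [
      { name: 'example.com', type: 'A', ttl: 300, data: '192.0.2.1' },
      { name: 'example.com', type: 'AAAA', ttl: 300, data: '2001:db8::1' },
      { name: 'example.com', type: 'TXT', ttl: 300, data: ['v=spf1 -all'] },
      { name: '_stealth._tcp.local', type: 'SRV', ttl: 120, data: { priority: 0, weight: 0, port: 65432, target: 'peer.local' } },
    ],
  });
  const { messages } = unframeTCP(Buffer.concat([frameTCP(query), frameTCP(reply)]));
  return messages.map(decodeMessage);
}
```

The same `encodeMessage`/`decodeMessage` pair serves UDP as-is and TCP/TLS with `frameTCP`/`unframeTCP` around it, which is the reuse the comment describes. Two checks matter for a parser that will see untrusted responses: compression pointers may only point backwards (so a looping or forward pointer is rejected rather than spun on), and every length field is bounds-checked against the message before it is read.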

cookiengineer commented 3 years ago

The DNS Connection has been implemented and integrated into the new RESOLVER-based API, which also has been integrated into the server's Hosts API.