DNS leakage in VPN mode about orbot HOT 7 CLOSED

root@falcon_umts:/ # ps -n | grep pdns
10088 26230 1 113844 748 ffffffff b6e96c20 S /data/data/org.torproject.android/app_bin/pdnsd

root@falcon_umts:/ # ip ru ls
0: from all lookup local
10000: from all fwmark 0xc0000/0xd0000 lookup legacy_system
11000: from all iif tun0 lookup local_network
12000: from all fwmark 0xc009e/0xcffff lookup tun0
12000: from all fwmark 0x0/0x20000 uidrange 0-10087 lookup tun0
12000: from all fwmark 0x0/0x20000 uidrange 10089-99999 lookup tun0
13000: from all fwmark 0x10063/0x1ffff lookup local_network
13000: from all fwmark 0x1009a/0x1ffff lookup wlan0
13000: from all fwmark 0x1009e/0x1ffff uidrange 0-0 lookup tun0
13000: from all fwmark 0x1009e/0x1ffff uidrange 0-10087 lookup tun0
13000: from all fwmark 0x1009e/0x1ffff uidrange 10089-99999 lookup tun0
14000: from all oif wlan0 lookup wlan0
14000: from all oif tun0 uidrange 0-10087 lookup tun0
14000: from all oif tun0 uidrange 10089-99999 lookup tun0
15000: from all fwmark 0x0/0x10000 lookup legacy_system
16000: from all fwmark 0x0/0x10000 lookup legacy_network
17000: from all fwmark 0x0/0x10000 lookup local_network
19000: from all fwmark 0x9a/0x1ffff lookup wlan0
21000: from all fwmark 0x9e/0x1ffff lookup wlan0
22000: from all fwmark 0x0/0xffff lookup wlan0
23000: from all fwmark 0x0/0xffff uidrange 0-0 lookup main
32000: from all unreachable

Looks like uid=10088 doesn't match ip rules for tun0

from orbot.

Right, because we exclude the tor process, but that also shares the same
uid with pdsnd.

We need to launch pdnsd in another process.

That said, it does pass dnsleaktest in the sense that the local phone
DNS is not exposed and request to google DNS are over tcp.

I am going to try routing pdnsd to the tor DNS port.

On Thu, Mar 3, 2016, at 04:15 AM, andreyde wrote:

root@falcon_umts:/ # ps -n | grep pdns
10088 26230 1 113844 748 ffffffff b6e96c20 S
/data/data/org.torproject.android/app_bin/pdnsd

root@falcon_umts:/ # ip ru ls
0: from all lookup local
10000: from all fwmark 0xc0000/0xd0000 lookup legacy_system
11000: from all iif tun0 lookup local_network
12000: from all fwmark 0xc009e/0xcffff lookup tun0
12000: from all fwmark 0x0/0x20000 uidrange 0-10087 lookup tun0
12000: from all fwmark 0x0/0x20000 uidrange 10089-99999 lookup tun0
13000: from all fwmark 0x10063/0x1ffff lookup local_network
13000: from all fwmark 0x1009a/0x1ffff lookup wlan0
13000: from all fwmark 0x1009e/0x1ffff uidrange 0-0 lookup tun0
13000: from all fwmark 0x1009e/0x1ffff uidrange 0-10087 lookup tun0
13000: from all fwmark 0x1009e/0x1ffff uidrange 10089-99999 lookup tun0
14000: from all oif wlan0 lookup wlan0
14000: from all oif tun0 uidrange 0-10087 lookup tun0
14000: from all oif tun0 uidrange 10089-99999 lookup tun0
15000: from all fwmark 0x0/0x10000 lookup legacy_system
16000: from all fwmark 0x0/0x10000 lookup legacy_network
17000: from all fwmark 0x0/0x10000 lookup local_network
19000: from all fwmark 0x9a/0x1ffff lookup wlan0
21000: from all fwmark 0x9e/0x1ffff lookup wlan0
22000: from all fwmark 0x0/0xffff lookup wlan0
23000: from all fwmark 0x0/0xffff uidrange 0-0 lookup main
32000: from all unreachable

Looks like uid=10088 doesn't match ip rules for tun0

---

Reply to this email directly or view it on GitHub:
#30 (comment)

from orbot.

DNS leakage is not my primary concern in this case.
Initially I started to dig into it because orbot doesn't work with my cell provider. It doesn't work with android wifi tethering apn as well.
They both block traffic to external dns servers like google 8.8.8.8

from orbot.

Ah, that is another problem. So you really need the Tor DNS solution,

On Thu, Mar 3, 2016, at 04:57 AM, andreyde wrote:

DNS leakage is not my primary concern in this case.
Initially I started to dig into it because orbot doesn't work with my
cell provider. It doesn't work with android wifi tethering apn as well.
They both block traffic to external dns servers like google 8.8.8.8

---

Reply to this email directly or view it on GitHub:
#30 (comment)

from orbot.

Is it possible to fix the issue with some config tweaks or the only way for
me is to wait for new version?
On Mar 3, 2016 6:00 PM, "Nathan Freitas" [email protected] wrote:

Ah, that is another problem. So you really need the Tor DNS solution,

On Thu, Mar 3, 2016, at 04:57 AM, andreyde wrote:

DNS leakage is not my primary concern in this case.
Initially I started to dig into it because orbot doesn't work with my
cell provider. It doesn't work with android wifi tethering apn as well.
They both block traffic to external dns servers like google 8.8.8.8

---

Reply to this email directly or view it on GitHub:
#30 (comment)

—
Reply to this email directly or view it on GitHub
#30 (comment).

IMPORTANT MESSAGE
Internet communications are not secure, and therefore Unovation Inc. does
not accept legal responsibility for the contents of this message. However,
Unovation Inc. reserves the right to monitor the transmission of this
message and to take corrective action against any misuse or abuse of its
e-mail system or other components of its network.
The information contained in this e-mail is confidential and may be legally
privileged. It is intended solely for the addressee. If you are not the
intended recipient, any disclosure, copying, distribution, or any action or
act of forbearance taken in reliance on it, is prohibited and may be
unlawful. Any views expressed in this e-mail are those of the individual
sender, except where the sender specifically states them to be the views of
Unovation Inc. or of any of its affiliates or subsidiaries.
END OF DISCLAIMER

from orbot.

Wait for a new version,but I can try for a test build today

On Thu, Mar 3, 2016, at 06:08 AM, andreyde wrote:

Is it possible to fix the issue with some config tweaks or the only way
for
me is to wait for new version?
On Mar 3, 2016 6:00 PM, "Nathan Freitas" [email protected]
wrote:

Ah, that is another problem. So you really need the Tor DNS solution,

On Thu, Mar 3, 2016, at 04:57 AM, andreyde wrote:

DNS leakage is not my primary concern in this case.
Initially I started to dig into it because orbot doesn't work with my
cell provider. It doesn't work with android wifi tethering apn as well.
They both block traffic to external dns servers like google 8.8.8.8

---

Reply to this email directly or view it on GitHub:
#30 (comment)

—
Reply to this email directly or view it on GitHub
#30 (comment).

IMPORTANT MESSAGE
Internet communications are not secure, and therefore Unovation Inc. does
not accept legal responsibility for the contents of this message.
However,
Unovation Inc. reserves the right to monitor the transmission of this
message and to take corrective action against any misuse or abuse of its
e-mail system or other components of its network.
The information contained in this e-mail is confidential and may be
legally
privileged. It is intended solely for the addressee. If you are not the
intended recipient, any disclosure, copying, distribution, or any action
or
act of forbearance taken in reliance on it, is prohibited and may be
unlawful. Any views expressed in this e-mail are those of the individual
sender, except where the sender specifically states them to be the views
of
Unovation Inc. or of any of its affiliates or subsidiaries.
END OF DISCLAIMER

---

Reply to this email directly or view it on GitHub:
#30 (comment)

from orbot.

/** 15.1.3 BETA 1 / 9-March-2016 /
6452075 **/

APK: https://guardianproject.info/releases/Orbot-v15.1.3-beta-1.apk
Sig: https://guardianproject.info/releases/Orbot-v15.1.3-beta-1.apk.asc

Important fixes for VPN mode

9097b79 Move OrbotVPNService to a Manager and consolidate services This
allows for the VPN service to be set in the foreground with th
cec82ec VPN code cleanup and ensure DNS is listening on all interfaces
4892f93 DNS lookup through pdnsd should loop back into Tor DNS port
While the TCP query to Google DNS before provided more robust DNS

... and one for Briar and other apps with their own tor daemon

2973eac change how we look for processes to kill. fixes tor trac #18502

from orbot.