Add: Leak-D for dns leak detection
This commit is contained in:
DaZuo0122
@@ -30,4 +30,4 @@ This is a practical checklist to execute v0.4.0.
|
||||
|
||||
## 5) follow-ups
|
||||
- [ ] add DoH heuristic classification (optional)
|
||||
- [ ] add Leak-D mismatch correlation (optional)
|
||||
- [x] add Leak-D mismatch correlation (optional)
|
||||
|
||||
@@ -13,6 +13,7 @@ This document tracks the current DNS leak detector implementation against the de
|
||||
- Leak-A (plaintext DNS outside safe path).
|
||||
- Leak-B (split-policy intent leak based on proxy-required/allowlist domains).
|
||||
- Leak-C (encrypted DNS bypass for DoT).
|
||||
- Leak-D (basic mismatch: DNS response IP -> outbound TCP SYN on different route).
|
||||
- Policy profiles: `full-tunnel`, `proxy-stub`, `split`.
|
||||
- Privacy modes: full/redacted/minimal (redacts qname).
|
||||
- Process attribution:
|
||||
@@ -37,10 +38,16 @@ This document tracks the current DNS leak detector implementation against the de
|
||||
|
||||
## Not implemented (v0.4 backlog)
|
||||
- DoH heuristic detection (SNI/endpoint list/traffic shape).
|
||||
- Leak-D mismatch correlation (DNS -> TCP/TLS flows).
|
||||
- GeoIP enrichment of leak events.
|
||||
- Process tree reporting (PPID chain).
|
||||
|
||||
## Known limitations
|
||||
- On Windows, pcap capture may require selecting a specific NPF interface; use
|
||||
`dns leak watch --iface-diag` to list interfaces that can be opened.
|
||||
- Leak-D test attempts on Windows did not fire; see test notes below.
|
||||
|
||||
## Test notes
|
||||
- `dns leak watch --duration 8s --summary-only --iface <NPF>` captured UDP/53 and produced Leak-A.
|
||||
- `dns leak watch --duration 15s --iface <NPF>` with scripted DNS query + TCP connect:
|
||||
- UDP/53 query/response captured (Leak-A).
|
||||
- TCP SYNs observed, but did not match cached DNS response IPs, so Leak-D did not trigger.
|
||||
|
||||
Reference in New Issue
Block a user