# WTFnet v0.4.0 - DNS Leak Detection

v0.4.0 introduces a client-side DNS leak detector aimed at censorship-resistance threat models: detect when DNS behavior escapes the intended safe path. The detector focuses on evidence: transport, interface, destination, and (best-effort) process attribution.

This release does NOT include HTTP/3 or OS-native TLS verification.

## 0) Summary

New major capability: `dns leak` command group.

Core idea: a passive monitor captures outbound DNS-like traffic -> classify (Plain DNS / DoT / DoH) -> enrich with interface/route/process metadata -> evaluate leak definitions (A/B/C/D) -> emit events + summary report.

Leak definitions are explicit:

- Leak-A: plaintext DNS outside safe path
- Leak-B: split-policy intent leak (proxy-required domains resolved via ISP/local path)
- Leak-C: encrypted DNS escape/bypass (DoH/DoT outside approved egress)
- Leak-D: mismatch risk indicator (DNS egress differs from TCP/TLS egress)

## 1) Goals

### G1. Detect DNS leaks without needing special test domains

Passive detection must work continuously and produce evidence.

### G2. Support censorship-resistance leak definitions

Include both classic VPN-bypass leaks and split-policy intent leaks.

### G3. Best-effort process attribution

Attach PID/PPID/process name when the OS allows; degrade gracefully with a confidence level.

### G4. Privacy-aware by default

Support privacy modes: Full / Redacted / Minimal.
## 2) Non-goals (v0.4.0)

- No "doctor" / smart one-shot diagnosis command
- No shell completions / man pages
- No HTTP/3 support
- No OS-native TLS verifier integration
- No firewall modification / kill switch management (detection only)

## 3) New crates / architecture changes

### 3.1 New subcrate: `wtfnet-dnsleak`

Responsibilities:

- passive sensor (pcap/pnet feature-gated)
- DNS parser (plaintext only)
- transport classifier: udp53/tcp53/dot/doh (confidence)
- flow tracker + metadata enrichment
- process attribution integration
- leak rules engine (A/B/C/D)
- structured event + summary report builder

### 3.2 `wtfnet-platform` extension: flow ownership lookup

Add a new trait:

- FlowOwnerProvider: map observed traffic 5-tuple -> process info (best-effort)

Return process attribution confidence: HIGH/MEDIUM/LOW/NONE plus failure reason.

## 4) CLI scope

### 4.1 Commands

New command group:

#### `wtfn dns leak watch`

Start passive monitoring for a bounded duration (default 10s):

- classify transports (udp53/tcp53/dot/doh)
- apply leak rules and emit events + summary

#### `wtfn dns leak status`

Print baseline snapshot:

- interfaces + routes
- system DNS configuration
- active policy summary

#### `wtfn dns leak report`

Parse a saved events file and produce a human summary.

### 4.2 Flags (proposed)

Common:

- `--duration ` (default 10s)
- `--iface ` (optional capture interface)
- `--policy ` (JSON policy file)
- `--profile ` (built-in presets)
- `--privacy ` (default redacted)
- `--out ` (write JSON report/events)

## 5) Policy model (v0.4.0)

Safe DNS path constraints can be defined by:

- allowed interfaces: loopback/tunnel
- allowed destination set: proxy IPs, internal resolvers
- allowed processes: only local stub/proxy can resolve upstream
- allowed ports: e.g. only 443 to proxy server

A DNS event is a leak if it violates safe-path constraints.
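The transport classification step from section 3.1 (udp53/tcp53/dot/doh with a confidence level, including the confidence-based DoH heuristic listed under MUST in section 7), as an added example that is not wtfnet's own code. The types `Proto`, `FlowKey`, `DohHints`, `Confidence`, the function `classify_transport`, and the sample addresses (TEST-NET ranges) and the resolver name `doh.example` are all assumptions constructed for the illustration; the real crate's API may look different.

```rust
use std::collections::HashSet;
use std::net::IpAddr;

#[derive(Debug, Clone, Copy, PartialEq, Eq)] pub enum Proto { Udp, Tcp }
#[derive(Debug, Clone, Copy, PartialEq, Eq)] pub enum Transport { Udp53, Tcp53, Dot, Doh, Unknown }
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)] pub enum Confidence { None, Low, Medium, High }

/// What a passive sensor can see about one flow without decrypting anything.
pub struct FlowKey<'a> {
    pub proto: Proto,
    pub dst: IpAddr,
    pub dst_port: u16,
    /// TLS ClientHello SNI, if the handshake was captured.
    pub sni: Option<&'a str>,
    /// Whether the first payload parsed as a plaintext DNS message.
    pub parsed_as_dns: bool,
}

/// Operator-supplied hints for the DoH heuristic: resolver IPs and SNI suffixes.
pub struct DohHints {
    pub resolver_ips: HashSet<IpAddr>,
    pub sni_suffixes: Vec<String>,
}

impl DohHints {
    /// Constructed sample: a TEST-NET-3 address and a made-up resolver name.
    pub fn sample() -> DohHints {
        DohHints {
            resolver_ips: HashSet::from(["203.0.113.53".parse::<IpAddr>().unwrap()]),
            sni_suffixes: vec!["doh.example".to_string()],
        }
    }

    fn sni_matches(&self, sni: &str) -> bool {
        self.sni_suffixes.iter().any(|s| sni == s.as_str() || sni.ends_with(&format!(".{}", s)))
    }
}

/// Classify by port first, then fall back to heuristics for DoH, which rides
/// ordinary HTTPS on 443 and can only be inferred from destination or SNI.
pub fn classify_transport(f: &FlowKey, hints: &DohHints) -> (Transport, Confidence) {
    // A well-known DNS port whose payload did not parse as DNS is still reported,
    // but with low confidence, so the policy engine can weigh it rather than drop it.
    let payload_conf = if f.parsed_as_dns { Confidence::High } else { Confidence::Low };
    match (f.proto, f.dst_port) {
        (Proto::Udp, 53) => (Transport::Udp53, payload_conf),
        (Proto::Tcp, 53) => (Transport::Tcp53, payload_conf),
        // DoT has a dedicated port (853, RFC 7858); the port alone is strong evidence.
        (Proto::Tcp, 853) => (Transport::Dot, Confidence::High),
        (Proto::Tcp, 443) => {
            let by_sni = f.sni.map_or(false, |s| hints.sni_matches(s));
            let by_ip = hints.resolver_ips.contains(&f.dst);
            match (by_sni, by_ip) {
                (true, true) => (Transport::Doh, Confidence::High),
                (true, false) | (false, true) => (Transport::Doh, Confidence::Medium),
                (false, false) => (Transport::Unknown, Confidence::None),
            }
        }
        _ => (Transport::Unknown, Confidence::None),
    }
}

fn main() {
    let hints = DohHints::sample();
    // Constructed flows: plain UDP DNS, DoT, DoH recognised by SNI only, and ordinary HTTPS.
    let flows = [
        FlowKey { proto: Proto::Udp, dst: "192.0.2.1".parse().unwrap(), dst_port: 53, sni: None, parsed_as_dns: true },
        FlowKey { proto: Proto::Tcp, dst: "192.0.2.1".parse().unwrap(), dst_port: 853, sni: None, parsed_as_dns: false },
        FlowKey { proto: Proto::Tcp, dst: "198.51.100.9".parse().unwrap(), dst_port: 443, sni: Some("dns.doh.example"), parsed_as_dns: false },
        FlowKey { proto: Proto::Tcp, dst: "198.51.100.9".parse().unwrap(), dst_port: 443, sni: Some("www.example.net"), parsed_as_dns: false },
    ];
    for f in &flows {
        let (t, c) = classify_transport(f, &hints);
        println!("{}:{} sni={:?} -> {:?} ({:?})", f.dst, f.dst_port, f.sni, t, c);
    }
}
```

The point of carrying a confidence value is that DoH is indistinguishable from other HTTPS on the wire: a flow to an unlisted resolver on 443 comes back as `Unknown`/`None`, so the leak rules should still judge destination and route rather than trusting the classifier alone, and an operator-maintained resolver list is what lifts such flows into `Doh`.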
Built-in profiles:

1) full-tunnel VPN style
2) proxy + local stub (default, censorship model)
3) split policy

## 6) Outputs

### 6.1 Leak events (structured)

Each LeakEvent includes:

- timestamp
- transport: udp53/tcp53/dot/doh/unknown
- qname/qtype (nullable)
- interface + route_class
- dst ip:port
- process info (nullable) + attribution confidence
- leak_type: A/B/C/D
- severity: P0..P3
- evidence fields + optional geoip

### 6.2 Summary report

- leak counts by type
- top leaking processes (if available)
- top resolver destinations
- timeline/burst hints

## 7) Deliverables checklist

MUST:

- new `wtfnet-dnsleak` crate integrated into workspace + CLI
- passive capture for UDP/TCP 53 and TCP 853
- DoH heuristic classification (confidence-based)
- policy engine + Leak-A/B/C/D rules
- structured events + human summary
- privacy modes full/redacted/minimal
- best-effort process attribution with confidence and failure reason

SHOULD:

- saved report file support (`--out report.json`)
- route_class inference with policy hints + heuristics

NICE:

- correlation_id (DNS -> subsequent TCP/TLS connection) for Leak-D mismatch indicator

## 8) Definition of Done

- v0.4.0 builds on Linux (Debian/Ubuntu) and Windows
- `wtfn dns leak watch` detects:
  - plaintext DNS leaving physical interface (Leak-A)
  - DoT traffic leaving outside approved egress (Leak-C)
  - DoH-ish encrypted resolver traffic outside policy (Leak-C)
- events include interface + dst + (best-effort) PID/process info
- output remains stable and additive; no breaking change to v0.3 commands
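The safe-path policy from section 5, the Leak-A/B/C/D rules from section 0, and the privacy modes from G4 applied to the LeakEvent of section 6.1, as an added example that is not the project's own code. Everything here is an assumption made for the illustration: the `Policy`/`Observation`/`LeakEvent` field layout, the severity mapping (A=P0, B=P1, C=P2, D=P3), the redaction scheme (Redacted keeps the last two qname labels, Minimal drops qname, destination and process), the constructed "proxy + local stub" profile, and the TEST-NET sample addresses. The example also handles the edge cases a rules engine has to get right: a query to the loopback stub from an arbitrary process is not a leak, and an unattributed flow does not fail the process constraint.

```rust
use std::collections::HashSet;
use std::net::IpAddr;

#[derive(Debug, Clone, Copy, PartialEq, Eq)] pub enum Transport { Udp53, Tcp53, Dot, Doh, Unknown }
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] pub enum RouteClass { Loopback, Tunnel, Physical }
#[derive(Debug, Clone, Copy, PartialEq, Eq)] pub enum LeakType { A, B, C, D }
#[derive(Debug, Clone, Copy, PartialEq, Eq)] pub enum Severity { P0, P1, P2, P3 }
#[derive(Debug, Clone, Copy, PartialEq, Eq)] pub enum Privacy { Full, Redacted, Minimal }

/// Safe-path constraints from section 5 (field names are assumptions).
pub struct Policy {
    pub allowed_routes: HashSet<RouteClass>,
    pub allowed_dsts: HashSet<IpAddr>,
    pub allowed_ports: HashSet<u16>,
    pub allowed_processes: HashSet<String>,
    /// Split policy: domain suffixes that must only be resolved through the proxy.
    pub proxy_required: Vec<String>,
}

impl Policy {
    /// Constructed "proxy + local stub" profile: stub on loopback; upstream only
    /// from the stub to the proxy at 203.0.113.10:443 (TEST-NET-3) over the tunnel.
    pub fn proxy_stub_sample() -> Policy {
        Policy {
            allowed_routes: HashSet::from([RouteClass::Loopback, RouteClass::Tunnel]),
            allowed_dsts: HashSet::from(["203.0.113.10".parse::<IpAddr>().unwrap()]),
            allowed_ports: HashSet::from([443]),
            allowed_processes: HashSet::from(["wtfn-stub".to_string()]),
            proxy_required: vec!["blocked.example".to_string()],
        }
    }
}

/// One sensor observation after interface/route/process enrichment.
pub struct Observation {
    pub transport: Transport,
    pub qname: Option<String>,
    pub route: RouteClass,
    pub dst: IpAddr,
    pub dst_port: u16,
    pub process: Option<String>,
    /// Route class of a later TCP/TLS flow correlated with this query (Leak-D input).
    pub correlated_tcp_route: Option<RouteClass>,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LeakEvent {
    pub leak_type: LeakType,
    pub severity: Severity,
    pub qname: Option<String>,
    pub dst: Option<IpAddr>,
    pub process: Option<String>,
}

/// Safe path: an allowed route and, once the flow leaves the host, an approved
/// destination/port from an approved process. A hop to the loopback stub is always
/// fine; an unattributed flow cannot fail the process check (attribution is best-effort).
fn on_safe_path(p: &Policy, o: &Observation) -> bool {
    if !p.allowed_routes.contains(&o.route) { return false; }
    if o.route == RouteClass::Loopback { return true; }
    p.allowed_dsts.contains(&o.dst)
        && p.allowed_ports.contains(&o.dst_port)
        && o.process.as_deref().map_or(true, |n| p.allowed_processes.contains(n))
}

fn needs_proxy(p: &Policy, qname: &str) -> bool {
    let q = qname.trim_end_matches('.');
    p.proxy_required.iter().any(|s| q == s.as_str() || q.ends_with(&format!(".{}", s)))
}

fn last_two_labels(q: &str) -> String {
    let parts: Vec<&str> = q.trim_end_matches('.').split('.').collect();
    parts[parts.len().saturating_sub(2)..].join(".")
}

/// Apply Leak-A/B/C/D to one observation; the severity mapping is an assumption.
pub fn evaluate(p: &Policy, o: &Observation, privacy: Privacy) -> Vec<LeakEvent> {
    let safe = on_safe_path(p, o);
    let mut hits = Vec::new();
    if !safe && matches!(o.transport, Transport::Udp53 | Transport::Tcp53) { hits.push((LeakType::A, Severity::P0)); }
    if !safe && o.qname.as_deref().map_or(false, |q| needs_proxy(p, q)) { hits.push((LeakType::B, Severity::P1)); }
    if !safe && matches!(o.transport, Transport::Dot | Transport::Doh) { hits.push((LeakType::C, Severity::P2)); }
    if o.correlated_tcp_route.map_or(false, |r| r != o.route) { hits.push((LeakType::D, Severity::P3)); }
    hits.into_iter().map(|(leak_type, severity)| {
        // Privacy modes (G4): Redacted keeps only the last two qname labels; Minimal
        // drops qname, destination and process entirely (assumed redaction scheme).
        let (qname, dst, process) = match privacy {
            Privacy::Full => (o.qname.clone(), Some(o.dst), o.process.clone()),
            Privacy::Redacted => (o.qname.as_deref().map(last_two_labels), Some(o.dst), o.process.clone()),
            Privacy::Minimal => (None, None, None),
        };
        LeakEvent { leak_type, severity, qname, dst, process }
    }).collect()
}

fn main() {
    let policy = Policy::proxy_stub_sample();
    // Constructed: a browser resolves a proxy-required name in plaintext over the
    // physical NIC while its TCP traffic uses the tunnel (classic VPN-bypass leak).
    let obs = Observation { transport: Transport::Udp53, qname: Some("news.blocked.example.".into()), route: RouteClass::Physical,
        dst: "192.0.2.1".parse().unwrap(), dst_port: 53, process: Some("firefox".into()), correlated_tcp_route: Some(RouteClass::Tunnel) };
    for e in evaluate(&policy, &obs, Privacy::Redacted) { println!("{:?}", e); }
}
```

One observation can raise several leak types at once: the constructed browser query above is Leak-A (plaintext off the safe path), Leak-B (a proxy-required name answered via the ISP path) and Leak-D (DNS left by the physical NIC while the correlated TCP flow used the tunnel). Leak-D is deliberately only an indicator and depends on the correlation step that section 7 lists as NICE; without a correlated flow the rule stays silent rather than guessing.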