# DNS Leak Detection - Implementation Status

This document tracks the current DNS leak detector implementation against the design in `docs/dns_leak_detection_design.md` and `docs/requirement_docs_v0.4.md`.

## Implemented

- New `wtfnet-dnsleak` crate with passive capture (pcap feature).
- Transport classification:
  - Plain DNS (UDP/53, TCP/53) with qname/qtype parsing.
  - DoT (TCP/853) detection.
  - DoH detection is not implemented (skipped for now).
- Leak rules:
  - Leak-A (plaintext DNS outside safe path).
  - Leak-B (split-policy intent leak based on proxy-required/allowlist domains).
  - Leak-C (encrypted DNS bypass for DoT).
- Policy profiles: `full-tunnel`, `proxy-stub`, `split`.
- Privacy modes: full/redacted/minimal (redacts qname).
- Process attribution:
  - Best-effort `FlowOwnerProvider` with Linux `/proc` and Windows `netstat` lookups.
  - Confidence levels and failure reasons exposed in events.
- CLI commands:
  - `dns leak status`
  - `dns leak watch`
  - `dns leak report`
  - `dns leak watch --iface-diag` (diagnostics for capture-capable interfaces).
- Interface selection:
  - Per-interface open timeout to avoid capture hangs.
  - Ordered scan prefers non-loopback + named ethernet/wlan interfaces and interfaces with IPs.
  - Verbose logging of interface selection attempts (use `-v` / `-vv`).
  - Overall watch timeout accounts for worst-case interface scan time.
- Capture loop:
  - Receiver runs in a worker thread; the main loop polls with a short timeout to avoid blocking.

## Partially implemented

- Route/interface classification: heuristic only (loopback/tunnel/physical by iface name).
- Safe path matching: allowed ifaces/dests/ports/processes; no route-based policy.

## Not implemented (v0.4 backlog)

- DoH heuristic detection (SNI/endpoint list/traffic shape).
- Leak-D mismatch correlation (DNS -> TCP/TLS flows).
- GeoIP enrichment of leak events.
- Process tree reporting (PPID chain).
## Known limitations

- On Windows, pcap capture may require selecting a specific NPF interface; use `dns leak watch --iface-diag` to list interfaces that can be opened.
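## Worked example: transport classification and leak rules

The following is an added illustration of the behaviour listed under "Implemented" (plain DNS vs. DoT classification by port, qname/qtype parsing, the Leak-A/B/C rules and qname redaction by privacy mode). It is not code from the `wtfnet-dnsleak` crate: the type names (`Policy`, `Flow`, `Event`, `evaluate`), the safe-path model (interface + destination allowlist) and the sample query packet are assumptions made for this example. The Leak-B rule here fires whenever a plaintext query for a proxy-required domain is seen under the `split` profile, regardless of path, since the query itself reveals intent; that reading is an assumption.

```rust
// Added example (not the wtfnet-dnsleak crate's code). All names below are
// assumptions; the DNS message in sample_query() is constructed for the example.

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Proto { Udp, Tcp }

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Transport { PlainDns, DoT, Other }

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Profile { FullTunnel, ProxyStub, Split }

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Privacy { Full, Redacted, Minimal }

#[derive(Debug, Clone, PartialEq)]
pub enum Leak { A, B, C }

/// Assumed policy shape: safe path = allowed interfaces + allowed resolver destinations.
pub struct Policy<'a> {
    pub profile: Profile,
    pub safe_ifaces: &'a [&'a str],
    pub safe_dests: &'a [&'a str],
    /// Domain suffixes that must resolve through the proxy under the `split` profile.
    pub proxy_required: &'a [&'a str],
}

/// One captured flow: where it left, where it went, and the first payload bytes.
pub struct Flow<'a> {
    pub iface: &'a str,
    pub dst: &'a str,
    pub dst_port: u16,
    pub proto: Proto,
    pub payload: &'a [u8],
}

#[derive(Debug, PartialEq)]
pub struct Event { pub leaks: Vec<Leak>, pub qname: Option<String>, pub qtype: Option<u16> }

/// Port-based transport classification: UDP/TCP 53 is plain DNS, TCP 853 is DoT.
pub fn classify_transport(proto: Proto, dst_port: u16) -> Transport {
    match (proto, dst_port) {
        (_, 53) => Transport::PlainDns,
        (Proto::Tcp, 853) => Transport::DoT,
        _ => Transport::Other,
    }
}

/// Parse the first question (lower-cased qname, qtype) of a wire-format DNS message.
/// Returns None on a truncated message or a compression pointer in the question.
pub fn parse_question(msg: &[u8]) -> Option<(String, u16)> {
    if msg.len() < 12 || u16::from_be_bytes([msg[4], msg[5]]) == 0 { return None; }
    let (mut pos, mut labels) = (12usize, Vec::new());
    loop {
        let len = *msg.get(pos)? as usize;
        pos += 1;
        if len == 0 { break; }
        if len & 0xC0 != 0 { return None; } // compression pointer / reserved bits
        let label = msg.get(pos..pos + len)?;
        labels.push(String::from_utf8_lossy(label).to_ascii_lowercase());
        pos += len;
    }
    let qtype = u16::from_be_bytes([*msg.get(pos)?, *msg.get(pos + 1)?]);
    Some((labels.join("."), qtype))
}

fn on_safe_path(p: &Policy, f: &Flow) -> bool {
    p.safe_ifaces.contains(&f.iface) && p.safe_dests.contains(&f.dst)
}

fn domain_matches(qname: &str, suffixes: &[&str]) -> bool {
    suffixes.iter().any(|s| qname == *s || qname.ends_with(&format!(".{}", s)))
}

/// Apply Leak-A/B/C to one flow; None means nothing DNS-related or no leak.
pub fn evaluate(p: &Policy, f: &Flow, privacy: Privacy) -> Option<Event> {
    let safe = on_safe_path(p, f);
    let (mut leaks, mut question) = (Vec::new(), None);
    match classify_transport(f.proto, f.dst_port) {
        Transport::PlainDns => {
            question = parse_question(f.payload);
            if !safe { leaks.push(Leak::A); } // Leak-A: plaintext DNS off the safe path
            if p.profile == Profile::Split {
                if let Some((q, _)) = &question {
                    if domain_matches(q, p.proxy_required) { leaks.push(Leak::B); } // Leak-B
                }
            }
        }
        Transport::DoT => if !safe { leaks.push(Leak::C) }, // Leak-C: DoT bypassing safe path
        Transport::Other => return None,
    }
    if leaks.is_empty() { return None; }
    // Privacy modes: full keeps qname, redacted masks it, minimal drops the question entirely.
    let (qname, qtype) = match (&question, privacy) {
        (Some((q, t)), Privacy::Full) => (Some(q.clone()), Some(*t)),
        (Some((_, t)), Privacy::Redacted) => (Some("[redacted]".to_string()), Some(*t)),
        _ => (None, None),
    };
    Some(Event { leaks, qname, qtype })
}

/// Constructed sample: a standard A query for example.com (id 0x1234, RD set).
pub fn sample_query() -> Vec<u8> {
    let mut m = vec![0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0];
    m.extend_from_slice(&[7, b'e', b'x', b'a', b'm', b'p', b'l', b'e', 3, b'c', b'o', b'm', 0]);
    m.extend_from_slice(&[0, 1, 0, 1]); // QTYPE=A, QCLASS=IN
    m
}

fn main() {
    let q = sample_query();
    let policy = Policy { profile: Profile::Split, safe_ifaces: &["tun0"], safe_dests: &["10.8.0.1"], proxy_required: &["example.com"] };
    let flow = Flow { iface: "eth0", dst: "192.0.2.53", dst_port: 53, proto: Proto::Udp, payload: &q };
    println!("{:?}", evaluate(&policy, &flow, Privacy::Redacted));
}
```

The `main` runs the split-profile case in which a plaintext query for a proxy-required domain leaves over `eth0` to an off-path resolver, so both Leak-A and Leak-B are raised while the qname is masked by the redacted privacy mode. A DoH flow would land in `Transport::Other` and produce nothing, which matches the DoH gap recorded in the backlog above.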