WTFnet/docs/RELEASE_v0.4.0.md
2026-01-17 18:45:24 +08:00


WTFnet v0.4.0 - DNS Leak Detection

v0.4.0 introduces a client-side DNS leak detector aimed at censorship-resistance threat models: detect when DNS behavior escapes the intended safe path. The detector focuses on evidence: transport, interface, destination, and (best-effort) process attribution.

This release does NOT include HTTP/3 or OS-native TLS verification.

0) Summary

New major capability: dns leak command group.

Core idea: Passive monitor captures outbound DNS-like traffic -> classify (Plain DNS / DoT / DoH) -> enrich with interface/route/process metadata -> evaluate leak definitions (A/B/C/D) -> emit events + summary report.

Leak definitions are explicit:

  • Leak-A: plaintext DNS outside safe path
  • Leak-B: split-policy intent leak (proxy-required domains resolved via ISP/local path)
  • Leak-C: encrypted DNS escape/bypass (DoH/DoT outside approved egress)
  • Leak-D: mismatch risk indicator (DNS egress differs from TCP/TLS egress)

1) Goals

G1. Detect DNS leaks without needing special test domains

Passive detection must work continuously and produce evidence.

G2. Support censorship-resistance leak definitions

Include both classic VPN-bypass leaks and split-policy intent leaks.

G3. Best-effort process attribution

Attach PID/PPID/process name when the OS allows it; degrade gracefully, reporting an attribution confidence level instead of failing.

G4. Privacy-aware by default

Support privacy modes: Full / Redacted / Minimal.

2) Non-goals (v0.4.0)

  • No "doctor" / smart one-shot diagnosis command
  • No shell completions / man pages
  • No HTTP/3 support
  • No OS-native TLS verifier integration
  • No firewall modification / kill switch management (detection only)

3) New crates / architecture changes

3.1 New subcrate: wtfnet-dnsleak

Responsibilities:

  • passive sensor (pcap/pnet feature-gated)
  • DNS parser (plaintext only)
  • transport classifier: udp53/tcp53/dot/doh (confidence)
  • flow tracker + metadata enrichment
  • process attribution integration
  • leak rules engine (A/B/C/D)
  • structured event + summary report builder
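An added illustration (not code from the wtfnet-dnsleak crate) of the confidence-based transport classifier listed above: well-known ports settle udp53/tcp53/dot outright, while DoH on port 443 is scored from stacked signals. The type names, the placeholder resolver list, the SNI keyword check and the ALPN bonus are all assumptions made for the example.

```rust
// Added example: port-first transport classifier with a confidence score for DoH.
// Types, the resolver list and the heuristic weights are assumptions, not the crate's API.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Transport { Udp53, Tcp53, Dot, Doh, Unknown }
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Confidence { None, Low, Medium, High }
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Proto { Udp, Tcp }

/// What the passive sensor can see for one flow without decrypting anything.
pub struct FlowHint<'a> {
    pub proto: Proto,
    pub dst_ip: &'a str,
    pub dst_port: u16,
    /// Server name from the TLS ClientHello, when the sensor parsed one.
    pub sni: Option<&'a str>,
    /// Offered ALPN, e.g. "h2"; DoH is HTTP/2 (or HTTP/3) over TLS.
    pub alpn: Option<&'a str>,
}

/// Constructed placeholder list of public DoH resolver IPs (TEST-NET-3 address).
pub const KNOWN_DOH_IPS: &[&str] = &["203.0.113.1"];

pub fn classify(f: &FlowHint<'_>, known_doh_ips: &[&str]) -> (Transport, Confidence) {
    match (f.proto, f.dst_port) {
        // Well-known ports give an unambiguous answer.
        (Proto::Udp, 53) => (Transport::Udp53, Confidence::High),
        (Proto::Tcp, 53) => (Transport::Tcp53, Confidence::High),
        (Proto::Tcp, 853) => (Transport::Dot, Confidence::High),
        // Port 443 is shared with ordinary HTTPS, so DoH is inferred from stacked signals.
        (Proto::Tcp, 443) => {
            let mut score = 0u8;
            if known_doh_ips.contains(&f.dst_ip) { score += 2; }
            if f.sni.map_or(false, |s| s.starts_with("dns.") || s.contains("doh")) { score += 2; }
            // ALPN h2 alone says nothing; it only strengthens an existing signal.
            if score > 0 && f.alpn == Some("h2") { score += 1; }
            match score {
                0 => (Transport::Unknown, Confidence::None),
                1..=2 => (Transport::Doh, Confidence::Low),
                3..=4 => (Transport::Doh, Confidence::Medium),
                _ => (Transport::Doh, Confidence::High),
            }
        }
        _ => (Transport::Unknown, Confidence::None),
    }
}
```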

3.2 wtfnet-platform extension: flow ownership lookup

Add a new trait:

  • FlowOwnerProvider: map observed traffic 5-tuple -> process info (best-effort)

Return a process attribution confidence (HIGH/MEDIUM/LOW/NONE) plus a failure reason when attribution is incomplete.

4) CLI scope

4.1 Commands

New command group:

wtfn dns leak watch

Start passive monitoring for a bounded duration (default 10s):

  • classify transports (udp53/tcp53/dot/doh)
  • apply leak rules and emit events + summary

wtfn dns leak status

Print baseline snapshot:

  • interfaces + routes
  • system DNS configuration
  • active policy summary

wtfn dns leak report

Parse a saved events file and produce a human summary.

4.2 Flags (proposed)

Common:

  • --duration <Ns|Nms> (default 10s)
  • --iface <name> (optional capture interface)
  • --policy <path> (JSON policy file)
  • --profile <full-tunnel|proxy-stub|split> (built-in presets)
  • --privacy <full|redacted|minimal> (default redacted)
  • --out <path> (write JSON report/events)

5) Policy model (v0.4.0)

Safe DNS path constraints can be defined by:

  • allowed interfaces: loopback/tunnel
  • allowed destination set: proxy IPs, internal resolvers
  • allowed processes: only local stub/proxy can resolve upstream
  • allowed ports: e.g. only 443 to proxy server

A DNS event is a leak if it violates safe-path constraints.

Built-in profiles:

  1. full-tunnel VPN style
  2. proxy + local stub (default, censorship model)
  3. split policy
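An added example (not the crate's own code) of the rules engine applying the safe-path constraints above together with the Leak-A/B/C/D definitions from the summary to one enriched DNS event. The Policy and DnsEvent fields, the suffix matching for split policy, and the choice to let an unattributed process pass the process check are assumptions.

```rust
// Added example: leak-rules engine for the A/B/C/D definitions over the section 5 policy.
// Names, fields and the treatment of unattributed processes are assumptions, not the crate's API.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Transport { Udp53, Tcp53, Dot, Doh, Unknown }
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum LeakType { A, B, C, D }
/// One enriched DNS-like flow as the tracker hands it to the rules engine.
pub struct DnsEvent<'a> {
    pub transport: Transport,
    pub iface: &'a str,
    pub dst_ip: &'a str,
    pub dst_port: u16,
    pub qname: Option<&'a str>,
    pub process: Option<&'a str>,              // None when attribution failed; passes the process check
    pub correlated_tcp_iface: Option<&'a str>, // egress of the follow-up TCP/TLS flow, if correlated
}
/// Safe-path constraints; an event that violates them is a leak.
pub struct Policy<'a> {
    pub allowed_ifaces: &'a [&'a str],
    pub allowed_dsts: &'a [&'a str],
    pub allowed_procs: &'a [&'a str],
    pub allowed_ports: &'a [u16],
    pub proxy_required_suffixes: &'a [&'a str], // split policy: must resolve via the proxy path
}
impl<'a> Policy<'a> {
    fn on_safe_path(&self, ev: &DnsEvent<'_>) -> bool {
        self.allowed_ifaces.contains(&ev.iface)
            && self.allowed_dsts.contains(&ev.dst_ip)
            && self.allowed_ports.contains(&ev.dst_port)
            && ev.process.map_or(true, |p| self.allowed_procs.contains(&p))
    }
    fn proxy_required(&self, qname: &str) -> bool {
        self.proxy_required_suffixes.iter().any(|s| qname == *s || qname.ends_with(&format!(".{}", s)))
    }
    /// Evaluate every definition; one event may trigger several leak types.
    pub fn evaluate(&self, ev: &DnsEvent<'_>) -> Vec<LeakType> {
        let mut leaks = Vec::new();
        let safe = self.on_safe_path(ev);
        match ev.transport {
            Transport::Udp53 | Transport::Tcp53 if !safe => leaks.push(LeakType::A), // plaintext off-path
            Transport::Dot | Transport::Doh if !safe => leaks.push(LeakType::C),     // encrypted bypass
            _ => {}
        }
        // Leak-B: proxy-required domain resolved via the ISP/local path.
        if !safe && ev.qname.map_or(false, |q| self.proxy_required(q)) { leaks.push(LeakType::B); }
        // Leak-D: DNS egress interface differs from the correlated TCP/TLS egress.
        if ev.correlated_tcp_iface.map_or(false, |i| i != ev.iface) { leaks.push(LeakType::D); }
        leaks
    }
}
```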

6) Outputs

6.1 Leak events (structured)

Each LeakEvent includes:

  • timestamp
  • transport: udp53/tcp53/dot/doh/unknown
  • qname/qtype (nullable)
  • interface + route_class
  • dst ip:port
  • process info (nullable) + attribution confidence
  • leak_type: A/B/C/D
  • severity: P0..P3
  • evidence fields + optional geoip

6.2 Summary report

  • leak counts by type
  • top leaking processes (if available)
  • top resolver destinations
  • timeline/burst hints

7) Deliverables checklist

MUST:

  • new wtfnet-dnsleak crate integrated into workspace + CLI
  • passive capture for UDP/TCP 53 and TCP 853
  • DoH heuristic classification (confidence-based)
  • policy engine + Leak-A/B/C/D rules
  • structured events + human summary
  • privacy modes full/redacted/minimal
  • best-effort process attribution with confidence and failure reason

SHOULD:

  • saved report file support (--out report.json)
  • route_class inference with policy hints + heuristics

NICE:

  • correlation_id (DNS -> subsequent TCP/TLS connection) for Leak-D mismatch indicator

8) Definition of Done

  • v0.4.0 builds on Linux (Debian/Ubuntu) and Windows
  • wtfn dns leak watch detects:
    • plaintext DNS leaving physical interface (Leak-A)
    • DoT traffic leaving outside approved egress (Leak-C)
    • DoH-ish encrypted resolver traffic outside policy (Leak-C)
  • events include interface + dst + (best-effort) PID/process info
  • output remains stable and additive; no breaking change to v0.3 commands