WTFnet/docs/dns_leak_implementation_status.md
2026-01-17 18:53:07 +08:00

DNS Leak Detection - Implementation Status

This document tracks the current DNS leak detector implementation against the design in docs/dns_leak_detection_design.md and docs/requirement_docs_v0.4.md.

Implemented

  • New wtfnet-dnsleak crate with passive capture (pcap feature).
  • Transport classification:
    • Plain DNS (UDP/53, TCP/53) with qname/qtype parsing.
    • DoT (TCP/853) detection.
    • DoH detection is not implemented (skipped for now).
  • Leak rules:
    • Leak-A (plaintext DNS outside safe path).
    • Leak-B (split-policy intent leak based on proxy-required/allowlist domains).
    • Leak-C (encrypted DNS bypass for DoT).
  • Policy profiles: full-tunnel, proxy-stub, split.
  • Privacy modes: full/redacted/minimal (redacts qname).
  • Process attribution:
    • Best-effort FlowOwnerProvider with Linux /proc and Windows netstat lookups.
    • Confidence levels and failure reasons exposed in events.
  • CLI commands:
    • dns leak status
    • dns leak watch
    • dns leak report
    • dns leak watch --iface-diag (diagnostics for capture-capable interfaces).
  • Interface selection:
    • Per-interface open timeout to avoid capture hangs.
    • Stable default pick (up, non-loopback, named ethernet/wlan) before fallback scan.
    • Verbose logging of interface selection attempts (use -v / -vv).
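
The transport classification, qname/qtype parsing, privacy redaction and Leak-A rule listed above, sketched as an added example in Rust. This is not code from the wtfnet-dnsleak crate; the type and function names (Transport, PrivacyMode, classify_transport, parse_first_question, redact_qname, is_leak_a) are hypothetical, the port-based transport heuristic mirrors the list above (UDP/53, TCP/53 plain; TCP/853 DoT), and the query bytes are constructed inline.

```rust
// Added example, not the project's own code. Names and the redaction scheme
// are assumptions; the transport heuristic follows the status list above.

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Transport {
    PlainUdp,
    PlainTcp,
    DoT,
    Unknown,
}

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum PrivacyMode {
    Full,
    Redacted,
    Minimal,
}

#[derive(Debug, PartialEq, Clone)]
pub struct DnsQuestion {
    pub qname: String,
    pub qtype: u16,
}

/// Classify a flow by IP protocol number and destination port.
/// 17 = UDP, 6 = TCP. DoH is deliberately not classified here (not implemented).
pub fn classify_transport(proto: u8, dst_port: u16) -> Transport {
    match (proto, dst_port) {
        (17, 53) => Transport::PlainUdp,
        (6, 53) => Transport::PlainTcp,
        (6, 853) => Transport::DoT,
        _ => Transport::Unknown,
    }
}

/// Parse the first question from a raw DNS message (RFC 1035 wire format).
/// Returns None on truncation or if the qname uses a compression pointer,
/// which a client query's question section should never contain.
pub fn parse_first_question(msg: &[u8]) -> Option<DnsQuestion> {
    if msg.len() < 12 {
        return None; // shorter than the fixed 12-byte header
    }
    let qdcount = u16::from_be_bytes([msg[4], msg[5]]);
    if qdcount == 0 {
        return None;
    }
    let mut pos = 12;
    let mut labels: Vec<String> = Vec::new();
    loop {
        let len = *msg.get(pos)? as usize;
        pos += 1;
        if len == 0 {
            break; // root label terminates the name
        }
        if len & 0xC0 != 0 {
            return None; // compression pointer or reserved bits: reject
        }
        let label = msg.get(pos..pos + len)?;
        labels.push(String::from_utf8_lossy(label).to_ascii_lowercase());
        pos += len;
    }
    let qtype = u16::from_be_bytes([*msg.get(pos)?, *msg.get(pos + 1)?]);
    Some(DnsQuestion { qname: labels.join("."), qtype })
}

/// Apply the privacy mode to a qname before it is written into an event.
/// Redacted keeps only the last two labels (assumed scheme); Minimal drops it.
pub fn redact_qname(qname: &str, mode: PrivacyMode) -> String {
    match mode {
        PrivacyMode::Full => qname.to_string(),
        PrivacyMode::Redacted => {
            let labels: Vec<&str> = qname.split('.').collect();
            if labels.len() <= 2 {
                qname.to_string()
            } else {
                format!("*.{}", labels[labels.len() - 2..].join("."))
            }
        }
        PrivacyMode::Minimal => "[redacted]".to_string(),
    }
}

/// Leak-A: plaintext DNS observed on an interface outside the safe path.
pub fn is_leak_a(transport: Transport, iface: &str, safe_ifaces: &[&str]) -> bool {
    matches!(transport, Transport::PlainUdp | Transport::PlainTcp)
        && !safe_ifaces.iter().any(|s| *s == iface)
}

/// Constructed sample: a standard query for www.example.com, type A, class IN.
pub fn sample_query() -> Vec<u8> {
    let mut m = vec![0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0];
    for label in ["www", "example", "com"] {
        m.push(label.len() as u8);
        m.extend_from_slice(label.as_bytes());
    }
    m.push(0);
    m.extend_from_slice(&[0x00, 0x01, 0x00, 0x01]); // QTYPE=A, QCLASS=IN
    m
}

fn main() {
    let q = parse_first_question(&sample_query()).expect("valid query");
    let t = classify_transport(17, 53);
    println!("{:?} {:?}", t, q);
    println!("redacted: {}", redact_qname(&q.qname, PrivacyMode::Redacted));
    println!("leak-A on eth0 with tun0 safe: {}", is_leak_a(t, "eth0", &["tun0"]));
}
```

The parser rejects truncated messages and compression pointers rather than guessing, which is the behaviour you want in a passive sensor: a malformed packet should produce no event, not a mis-attributed one. Redaction is applied after parsing so that Leak-B style domain matching can still run on the full qname before the event is emitted.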

Partially implemented

  • Route/interface classification: heuristic only (loopback/tunnel/physical by iface name).
  • Safe path matching: allowed ifaces/dests/ports/processes; no route-based policy.

Not implemented (v0.4 backlog)

  • DoH heuristic detection (SNI/endpoint list/traffic shape).
  • Leak-D mismatch correlation (DNS -> TCP/TLS flows).
  • GeoIP enrichment of leak events.
  • Process tree reporting (PPID chain).

Known limitations

  • On Windows, pcap capture may require selecting a specific NPF interface; use dns leak watch --iface-diag to list interfaces that can be opened.