WTFnet/docs/dns_leak_implementation_status.md
2026-01-17 20:07:13 +08:00

DNS Leak Detection - Implementation Status

This document tracks the current DNS leak detector implementation against the design in docs/dns_leak_detection_design.md and docs/requirement_docs_v0.4.md.

Implemented

  • New wtfnet-dnsleak crate with passive capture (pcap feature).
  • Transport classification:
    • Plain DNS (UDP/53, TCP/53) with qname/qtype parsing.
    • DoT (TCP/853) detection.
    • DoH: not classified. DoH shares TCP/443 with ordinary HTTPS, so there is no port-based signature; the heuristic approach is in the v0.4 backlog below.
  • Leak rules:
    • Leak-A (plaintext DNS outside safe path).
    • Leak-B (split-policy intent leak based on proxy-required/allowlist domains).
    • Leak-C (encrypted DNS bypass for DoT).
    • Leak-D (basic route mismatch: an address learned from a captured DNS response later appears as the destination of an outbound TCP SYN on a different route).
  • Policy profiles: full-tunnel, proxy-stub, split.
  • Privacy modes: full/redacted/minimal (redacted and minimal strip the qname from emitted events).
  • Process attribution:
    • Best-effort FlowOwnerProvider with Linux /proc and Windows netstat lookups.
    • Confidence levels and failure reasons exposed in events.
  • CLI commands:
    • dns leak status
    • dns leak watch
    • dns leak report
  • dns leak watch --iface-diag (diagnostics for capture-capable interfaces).
  • dns leak watch --follow runs until Ctrl-C by combining a long duration with a tokio::signal::ctrl_c() early-exit path.
  • Interface selection:
    • per-interface open timeout to avoid capture hangs
    • ordered scan prefers non-loopback interfaces, interfaces with ethernet/wlan-style names, and interfaces that have an IP address assigned
    • verbose logging of interface selection attempts + failures (use -v / -vv)
    • overall watch timeout accounts for worst-case interface scan time
  • Capture loop:
    • receiver runs in a worker thread; the main loop polls it with a short timeout so an idle interface cannot block the duration or Ctrl-C checks
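
The transport classification, qname/qtype parsing and privacy redaction listed above, written out as an added example in Rust. This is illustrative code, not the wtfnet-dnsleak crate's own: the type and function names, the rule that the redacted mode keeps only the last two labels, and the constructed sample query are assumptions of the example.

```rust
// Added example, not code from the wtfnet-dnsleak crate: port-based transport
// classification, a minimal DNS question parser, and qname redaction by
// privacy mode, following the behaviour the status document describes.
// The Redacted rule (keep the last two labels) is an assumption of this example.

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum L4 { Udp, Tcp }

#[derive(Debug, PartialEq)]
pub enum Transport {
    /// UDP/53 or TCP/53: the question is readable on the wire.
    PlainDns,
    /// TCP/853: only the resolver endpoint is visible, not the query.
    Dot,
    /// Everything else. DoH shares TCP/443 with ordinary HTTPS, so a port
    /// rule cannot single it out; a heuristic is needed for that.
    Unknown,
}

/// Classify a flow from transport protocol and destination port alone.
pub fn classify(proto: L4, dst_port: u16) -> Transport {
    match (proto, dst_port) {
        (L4::Udp, 53) | (L4::Tcp, 53) => Transport::PlainDns,
        (L4::Tcp, 853) => Transport::Dot,
        _ => Transport::Unknown,
    }
}

#[derive(Debug, PartialEq)]
pub struct Question { pub qname: String, pub qtype: u16 }

/// Parse the first question of a DNS message in RFC 1035 wire format.
/// Every read is bounds-checked, a compression pointer in the question
/// section is rejected (a query never needs one), and label lengths above
/// 63 or more than 127 labels are treated as malformed: captured traffic
/// is untrusted input.
pub fn parse_question(msg: &[u8]) -> Option<Question> {
    if msg.len() < 12 { return None; }
    let qdcount = u16::from_be_bytes([msg[4], msg[5]]);
    if qdcount == 0 { return None; }
    let mut pos = 12;
    let mut labels: Vec<String> = Vec::new();
    loop {
        let len = *msg.get(pos)? as usize;
        pos += 1;
        if len == 0 { break; }
        if len > 63 || labels.len() >= 127 {
            return None; // 0xC0.. pointer bytes also fail the > 63 test
        }
        let label = msg.get(pos..pos + len)?;
        if !label.iter().all(|b| b.is_ascii_graphic()) {
            return None;
        }
        labels.push(String::from_utf8_lossy(label).to_ascii_lowercase());
        pos += len;
    }
    let qtype = u16::from_be_bytes([*msg.get(pos)?, *msg.get(pos + 1)?]);
    Some(Question { qname: labels.join("."), qtype })
}

#[derive(Debug, Clone, Copy)]
pub enum Privacy { Full, Redacted, Minimal }

/// Shape the qname before it is written into a leak event.
pub fn redact(mode: Privacy, qname: &str) -> String {
    match mode {
        Privacy::Full => qname.to_string(),
        Privacy::Redacted => {
            let parts: Vec<&str> = qname.split('.').collect();
            if parts.len() <= 2 {
                qname.to_string()
            } else {
                format!("*.{}", parts[parts.len() - 2..].join("."))
            }
        }
        Privacy::Minimal => "<redacted>".to_string(),
    }
}

/// Constructed sample: a standard A query for www.example.com.
pub fn sample_query() -> Vec<u8> {
    let mut m = vec![0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0];
    for label in ["www", "example", "com"].iter() {
        m.push(label.len() as u8);
        m.extend_from_slice(label.as_bytes());
    }
    m.push(0);
    m.extend_from_slice(&[0x00, 0x01, 0x00, 0x01]); // QTYPE A, QCLASS IN
    m
}

fn main() {
    let q = parse_question(&sample_query()).expect("well-formed query");
    println!("{:?} {} qtype={}", classify(L4::Udp, 53), redact(Privacy::Redacted, &q.qname), q.qtype);
}
```

The parser deliberately returns None rather than panicking on truncated or pointer-bearing input, since a packet that crashes the capture loop is a simple way to blind the detector.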

Partially implemented

  • Route/interface classification: heuristic only (an interface is labelled loopback/tunnel/physical from its name, not from the routing table).
  • Safe path matching: matches on allowed interfaces, destinations, ports and processes; there is no route-based policy yet.

Not implemented (v0.4 backlog)

  • DoH heuristic detection (SNI/endpoint list/traffic shape).
  • GeoIP enrichment of leak events.
  • Process tree reporting (PPID chain).

Known limitations

  • On Windows, pcap capture may require selecting a specific NPF interface; use dns leak watch --iface-diag to list interfaces that can be opened.
  • Leak-D test attempts on Windows did not fire; see test notes below.

Test notes

  • dns leak watch --duration 8s --summary-only --iface <NPF> captured UDP/53 and produced Leak-A.
  • dns leak watch --duration 15s --iface <NPF> with scripted DNS query + TCP connect:
    • UDP/53 query/response captured (Leak-A).
    • TCP SYNs were observed, but none had a destination matching a cached DNS response IP, so Leak-D (which needs that match before it compares routes) did not trigger.
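
The Leak-D correlation as this document describes it, written out as an added example (not wtfnet-dnsleak code) that replays the two outcomes from the test notes with constructed addresses: a SYN whose destination never appeared in a captured response yields no finding, and a SYN to a resolved address on a different route class yields Leak-D. The type and method names, TTL handling and route classes are assumptions of the example.

```rust
// Added example, not code from the wtfnet-dnsleak crate: a response cache keyed
// by answer IP, consulted on every outbound TCP SYN, as the Leak-D sketch in
// the status document describes. Names, TTL handling and route classes are
// assumptions of this example.

use std::collections::HashMap;
use std::net::{IpAddr, Ipv4Addr};

/// Coarse route class. The real detector derives this heuristically from the
/// interface name, so the same caveat applies here.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Route { Loopback, Tunnel, Physical }

#[derive(Clone, Debug, PartialEq)]
struct CachedAnswer { qname: String, route: Route, expires_at: u64 }

#[derive(Debug, PartialEq)]
pub enum SynVerdict {
    /// Destination never appeared in a captured DNS response (the test-notes case).
    NoCachedAnswer,
    /// Answer seen, but its TTL has elapsed, so the correlation is not trusted.
    Expired,
    /// SYN follows the same route class as the DNS exchange that produced the IP.
    Consistent,
    /// Leak-D: the address was learned over one route and used over another.
    LeakD { qname: String, dns_route: Route, syn_route: Route },
}

#[derive(Default)]
pub struct LeakDCorrelator { by_ip: HashMap<IpAddr, CachedAnswer> }

impl LeakDCorrelator {
    pub fn new() -> Self { Self::default() }

    /// Record the A/AAAA addresses from a DNS response seen on `route`.
    /// Each IP maps to the most recent answer; `ttl` bounds how long it is trusted.
    pub fn observe_response(&mut self, now: u64, qname: &str, ips: &[IpAddr], ttl: u32, route: Route) {
        for ip in ips {
            let entry = CachedAnswer { qname: qname.to_string(), route, expires_at: now + ttl as u64 };
            self.by_ip.insert(*ip, entry);
        }
    }

    /// Judge an outbound TCP SYN to `dst` seen on `route`.
    pub fn observe_syn(&self, now: u64, dst: IpAddr, route: Route) -> SynVerdict {
        match self.by_ip.get(&dst) {
            None => SynVerdict::NoCachedAnswer,
            Some(a) if now > a.expires_at => SynVerdict::Expired,
            Some(a) if a.route == route => SynVerdict::Consistent,
            Some(a) => SynVerdict::LeakD { qname: a.qname.clone(), dns_route: a.route, syn_route: route },
        }
    }

    /// Drop expired entries so the map cannot grow without bound under a
    /// flood of responses.
    pub fn expire(&mut self, now: u64) {
        self.by_ip.retain(|_, a| a.expires_at >= now);
    }
}

/// Replays the test-notes situations with constructed TEST-NET addresses.
pub fn scenario() -> (SynVerdict, SynVerdict) {
    let mut c = LeakDCorrelator::new();
    let resolved = IpAddr::V4(Ipv4Addr::new(203, 0, 113, 10));
    c.observe_response(100, "example.test", &[resolved], 300, Route::Tunnel);
    // Scripted connect went to an address the capture never saw resolved.
    let unrelated = c.observe_syn(101, IpAddr::V4(Ipv4Addr::new(198, 51, 100, 7)), Route::Physical);
    // Same resolved address, but the SYN leaves on the physical interface.
    let leak = c.observe_syn(102, resolved, Route::Physical);
    (unrelated, leak)
}

fn main() {
    let (unrelated, leak) = scenario();
    println!("SYN to unresolved address -> {:?}", unrelated);
    println!("SYN to resolved address on another route -> {:?}", leak);
}
```

The point the example makes concrete is that Leak-D has no signal unless the capture saw the response that produced the connection's destination; a client that connects by IP literal, reuses a stub-resolver cache entry, or resolves over a transport the capture does not decode gives the rule nothing to match, which is the precondition the Windows run did not meet.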