# WTFnet v0.4.0 - DNS Leak Detection

v0.4.0 introduces a client-side DNS leak detector aimed at censorship-resistance threat models: detect when DNS behavior escapes the intended safe path. The detector focuses on evidence: transport, interface, destination, and (best-effort) process attribution.

This release does NOT include HTTP/3 or OS-native TLS verification.

## 0) Summary

New major capability: `dns leak` command group.

Core idea: a passive monitor captures outbound DNS-like traffic -> classify (Plain DNS / DoT / DoH) -> enrich with interface/route/process metadata -> evaluate leak definitions (A/B/C/D) -> emit events + summary report.

Leak definitions are explicit:

- Leak-A: plaintext DNS outside the safe path
- Leak-B: split-policy intent leak (proxy-required domains resolved via the ISP/local path)
- Leak-C: encrypted DNS escape/bypass (DoH/DoT outside the approved egress)
- Leak-D: mismatch risk indicator (DNS egress differs from TCP/TLS egress)

## 1) Goals

### G1. Detect DNS leaks without needing special test domains

Passive detection must work continuously and produce evidence.

### G2. Support censorship-resistance leak definitions

Include both classic VPN-bypass leaks and split-policy intent leaks.

### G3. Best-effort process attribution

Attach PID/PPID/process name when the OS allows; degrade gracefully, reporting a confidence level.

### G4. Privacy-aware by default

Support privacy modes: Full / Redacted / Minimal.

## 2) Non-goals (v0.4.0)

- No "doctor" / smart one-shot diagnosis command
- No shell completions / man pages
- No HTTP/3 support
- No OS-native TLS verifier integration
- No firewall modification / kill switch management (detection only)

## 3) New crates / architecture changes

### 3.1 New subcrate: `wtfnet-dnsleak`

Responsibilities:

- passive sensor (pcap/pnet, feature-gated)
- DNS parser (plaintext only)
- transport classifier: udp53/tcp53/dot/doh (with confidence)
- flow tracker + metadata enrichment
- process attribution integration
- leak rules engine (A/B/C/D)
- structured event + summary report builder

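A minimal plaintext DNS query parser of the kind the "DNS parser (plaintext only)" responsibility calls for, written here as an added example (not WTFnet code): it extracts the first question's qname and qtype from a UDP/TCP 53 payload and returns `None` on malformed input so a leak event can keep those fields nullable. The `example.com` packet bytes are constructed for the demo.

```rust
// Added example (not WTFnet code): minimal plaintext DNS query parser that
// extracts the first question's qname and qtype from a UDP/TCP-53 payload.
#[derive(Debug, PartialEq)]
pub struct DnsQuestion {
    pub id: u16,
    pub qname: String,
    pub qtype: u16,
}
/// Parse the header and the first question; None on malformed input.
pub fn parse_query(pkt: &[u8]) -> Option<DnsQuestion> {
    if pkt.len() < 12 {
        return None; // shorter than a DNS header
    }
    let id = u16::from_be_bytes([pkt[0], pkt[1]]);
    let flags = u16::from_be_bytes([pkt[2], pkt[3]]);
    let qdcount = u16::from_be_bytes([pkt[4], pkt[5]]);
    // QR bit must be 0 (a query) and there must be at least one question.
    if flags & 0x8000 != 0 || qdcount == 0 {
        return None;
    }
    let mut pos = 12;
    let mut labels: Vec<String> = Vec::new();
    loop {
        let len = *pkt.get(pos)? as usize;
        pos += 1;
        if len == 0 {
            break; // root label terminates the name
        }
        // Compression pointers (top two bits set) are not valid in a query's
        // first question; treat them as malformed rather than follow them.
        if len & 0xC0 != 0 {
            return None;
        }
        let label = pkt.get(pos..pos + len)?;
        labels.push(String::from_utf8_lossy(label).into_owned());
        pos += len;
    }
    let qtype = u16::from_be_bytes([*pkt.get(pos)?, *pkt.get(pos + 1)?]);
    pkt.get(pos + 2..pos + 4)?; // qclass must also be present
    Some(DnsQuestion { id, qname: labels.join("."), qtype })
}

/// Constructed sample: a standard A query for example.com (id 0x1234).
pub fn sample_query() -> Vec<u8> {
    let mut v = vec![0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0];
    v.extend_from_slice(b"\x07example\x03com\x00");
    v.extend_from_slice(&[0, 1, 0, 1]); // qtype A, qclass IN
    v
}
```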
### 3.2 `wtfnet-platform` extension: flow ownership lookup

Add a new trait:

- `FlowOwnerProvider`: map an observed traffic 5-tuple -> process info (best-effort)

Return process attribution confidence: HIGH/MEDIUM/LOW/NONE plus a failure reason.

## 4) CLI scope

### 4.1 Commands

New command group:

#### `wtfn dns leak watch`

Start passive monitoring for a bounded duration (default 10s):

- classify transports (udp53/tcp53/dot/doh)
- apply leak rules and emit events + summary

#### `wtfn dns leak status`

Print a baseline snapshot:

- interfaces + routes
- system DNS configuration
- active policy summary

#### `wtfn dns leak report`

Parse a saved events file and produce a human-readable summary.

### 4.2 Flags (proposed)

Common:

- `--duration <Ns|Nms>` (default 10s)
- `--iface <name>` (optional capture interface)
- `--policy <path>` (JSON policy file)
- `--profile <full-tunnel|proxy-stub|split>` (built-in presets)
- `--privacy <full|redacted|minimal>` (default redacted)
- `--out <path>` (write JSON report/events)

## 5) Policy model (v0.4.0)

Safe DNS path constraints can be defined by:

- allowed interfaces: loopback/tunnel
- allowed destination set: proxy IPs, internal resolvers
- allowed processes: only the local stub/proxy can resolve upstream
- allowed ports: e.g. only 443 to the proxy server

A DNS event is a leak if it violates the safe-path constraints.

Built-in profiles:

1) full-tunnel VPN style
2) proxy + local stub (default, censorship model)
3) split policy

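The Leak-A/B/C/D definitions from section 0 evaluated against the safe-path constraints above, as an added example rules engine (not the `wtfnet-dnsleak` crate's code): the `Policy`, `DnsEvent` and `Leak` types, the interface names and addresses, and the proxy-stub style values are assumptions, and the allowed-ports constraint is left out for brevity.

```rust
// Added example (not WTFnet code): the Leak-A/B/C/D rules from this document
// evaluated against a policy shaped like the proxy + local stub profile.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Transport { Udp53, Tcp53, Dot, Doh, Unknown }
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Leak { A, B, C, D }

pub struct DnsEvent<'a> {
    pub transport: Transport,
    pub iface: &'a str,
    pub dst_ip: &'a str,
    pub qname: Option<&'a str>,            // nullable for encrypted transports
    pub process: Option<&'a str>,          // None when attribution failed
    pub tcp_egress_iface: Option<&'a str>, // correlated TCP/TLS egress, if known
}

pub struct Policy<'a> {
    pub allowed_ifaces: &'a [&'a str],    // loopback / tunnel
    pub allowed_dsts: &'a [&'a str],      // proxy IPs, internal resolvers
    pub allowed_processes: &'a [&'a str], // only these may resolve off-host
    pub proxy_required: &'a [&'a str],    // name suffixes that must use the proxy
}

fn is_loopback(ip: &str) -> bool { ip.starts_with("127.") || ip == "::1" }

impl<'a> Policy<'a> {
    /// Safe path: allowed interface, allowed destination and, for off-host
    /// destinations, an allowed process. Failed attribution is not itself a leak.
    fn on_safe_path(&self, e: &DnsEvent) -> bool {
        let proc_ok = is_loopback(e.dst_ip)
            || e.process.map_or(true, |p| self.allowed_processes.contains(&p));
        self.allowed_ifaces.contains(&e.iface) && self.allowed_dsts.contains(&e.dst_ip) && proc_ok
    }

    pub fn evaluate(&self, e: &DnsEvent) -> Vec<Leak> {
        let mut leaks = Vec::new();
        let plaintext = matches!(e.transport, Transport::Udp53 | Transport::Tcp53);
        let encrypted = matches!(e.transport, Transport::Dot | Transport::Doh);
        // Leak-A: plaintext DNS outside the safe path
        if plaintext && !self.on_safe_path(e) { leaks.push(Leak::A); }
        // Leak-B: a proxy-required name resolved via the ISP/local path
        let proxy_name = e.qname.map_or(false, |q| self.proxy_required.iter().any(|s| q.ends_with(s)));
        if proxy_name && !self.allowed_ifaces.contains(&e.iface) { leaks.push(Leak::B); }
        // Leak-C: DoT/DoH to an egress that policy did not approve
        if encrypted && !self.on_safe_path(e) { leaks.push(Leak::C); }
        // Leak-D: DNS egress differs from the correlated TCP/TLS egress
        if e.tcp_egress_iface.map_or(false, |t| t != e.iface) { leaks.push(Leak::D); }
        leaks
    }
}
```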
## 6) Outputs

### 6.1 Leak events (structured)

Each LeakEvent includes:

- timestamp
- transport: udp53/tcp53/dot/doh/unknown
- qname/qtype (nullable)
- interface + route_class
- dst ip:port
- process info (nullable) + attribution confidence
- leak_type: A/B/C/D
- severity: P0..P3
- evidence fields + optional geoip

### 6.2 Summary report

- leak counts by type
- top leaking processes (if available)
- top resolver destinations
- timeline/burst hints

## 7) Deliverables checklist

MUST:

- new `wtfnet-dnsleak` crate integrated into the workspace + CLI
- passive capture for UDP/TCP 53 and TCP 853
- DoH heuristic classification (confidence-based)
- policy engine + Leak-A/B/C/D rules
- structured events + human summary
- privacy modes full/redacted/minimal
- best-effort process attribution with confidence and failure reason

SHOULD:

- saved report file support (`--out report.json`)
- route_class inference with policy hints + heuristics

NICE:

- correlation_id (DNS -> subsequent TCP/TLS connection) for the Leak-D mismatch indicator

## 8) Definition of Done

- v0.4.0 builds on Linux (Debian/Ubuntu) and Windows
- `wtfn dns leak watch` detects:
  - plaintext DNS leaving a physical interface (Leak-A)
  - DoT traffic leaving outside the approved egress (Leak-C)
  - DoH-ish encrypted resolver traffic outside policy (Leak-C)
- events include interface + dst + (best-effort) PID/process info
- output remains stable and additive; no breaking change to v0.3 commands