DNS Leak Detection - Implementation Status
This document tracks the current DNS leak detector implementation against the design in
docs/dns_leak_detection_design.md and docs/requirement_docs_v0.4.md.
Implemented
- New `wtfnet-dnsleak` crate with passive capture (pcap feature).
- Transport classification:
  - Plain DNS (UDP/53, TCP/53) with qname/qtype parsing.
  - DoT (TCP/853) detection.
  - DoH detection is not implemented (skipped for now).
- Leak rules:
  - Leak-A (plaintext DNS outside safe path).
  - Leak-B (split-policy intent leak based on proxy-required/allowlist domains).
  - Leak-C (encrypted DNS bypass for DoT).
- Policy profiles: `full-tunnel`, `proxy-stub`, `split`.
- Privacy modes: full/redacted/minimal (redacts qname).
- Process attribution:
  - Best-effort `FlowOwnerProvider` with Linux `/proc` and Windows `netstat` lookups.
  - Confidence levels and failure reasons exposed in events.
- CLI commands:
  - `dns leak status`
  - `dns leak watch`
  - `dns leak report`
  - `dns leak watch --iface-diag` (diagnostics for capture-capable interfaces).
- Interface selection:
  - per-interface open timeout to avoid capture hangs
  - ordered scan prefers non-loopback + named ethernet/wlan and interfaces with IPs
  - verbose logging of interface selection attempts (use `-v`/`-vv`)
  - overall watch timeout accounts for worst-case interface scan time
- Capture loop:
  - receiver runs in a worker thread; main loop polls with a short timeout to avoid blocking
Partially implemented
- Route/interface classification: heuristic only (loopback/tunnel/physical by iface name).
- Safe path matching: allowed ifaces/dests/ports/processes; no route-based policy.
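
A sketch of how the port-based transport classification, the Leak-A/B/C rules and safe-path matching listed in this document can fit together, added here as an example and not taken from the `wtfnet-dnsleak` code. All type, field and function names are hypothetical; the safe-path test (interface or destination allowed, with ports and processes omitted) and the preference of Leak-B over Leak-A are assumptions.

```rust
// Added illustration: names are hypothetical (not the wtfnet-dnsleak API); flows in main() are constructed.
use std::net::IpAddr;

#[derive(Debug, PartialEq)]
pub enum Transport { PlainDns, Dot, Other }
#[derive(Debug, PartialEq)]
pub enum Leak { A, B, C }
pub struct Flow<'a> { pub iface: &'a str, pub dst: IpAddr, pub port: u16, pub tcp: bool, pub qname: Option<&'a str> }
pub struct Policy<'a> { pub safe_ifaces: &'a [&'a str], pub safe_dests: &'a [IpAddr], pub proxy_required: &'a [&'a str] }

pub fn classify(f: &Flow) -> Transport {
    match (f.tcp, f.port) {
        (_, 53) => Transport::PlainDns, // UDP/53 and TCP/53
        (true, 853) => Transport::Dot,  // DoT is matched on TCP/853 only
        _ => Transport::Other,          // DoH on 443 cannot be told apart by port
    }
}

// Assumption: a flow is on the safe path if its interface OR its destination is allowed.
fn on_safe_path(f: &Flow, p: &Policy) -> bool {
    p.safe_ifaces.contains(&f.iface) || p.safe_dests.contains(&f.dst)
}

// Suffix match on label boundaries, case-insensitive, ignoring a trailing root dot.
pub fn domain_matches(qname: &str, suffix: &str) -> bool {
    let q = qname.trim_end_matches('.').to_ascii_lowercase();
    let s = suffix.trim_end_matches('.').to_ascii_lowercase();
    q == s || q.ends_with(&format!(".{}", s))
}

// Assumption: a proxy-required qname is reported as Leak-B in preference to Leak-A.
pub fn evaluate(f: &Flow, p: &Policy) -> Option<Leak> {
    if on_safe_path(f, p) { return None; }
    match classify(f) {
        Transport::PlainDns => {
            let intent = f.qname.map_or(false, |q| p.proxy_required.iter().any(|s| domain_matches(q, s)));
            Some(if intent { Leak::B } else { Leak::A })
        }
        Transport::Dot => Some(Leak::C),
        Transport::Other => None,
    }
}

fn main() {
    let dests: [IpAddr; 1] = ["10.8.0.1".parse().unwrap()];
    let p = Policy { safe_ifaces: &["tun0"], safe_dests: &dests, proxy_required: &["corp.example"] };
    let f = Flow { iface: "eth0", dst: "192.0.2.53".parse().unwrap(), port: 53, tcp: false, qname: Some("Git.Corp.Example.") };
    println!("{:?} -> {:?}", classify(&f), evaluate(&f, &p));
}
```

The label-boundary check in `domain_matches` is what keeps a name such as `notcorp.example` from being treated as a proxy-required domain.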
Not implemented (v0.4 backlog)
- DoH heuristic detection (SNI/endpoint list/traffic shape).
- Leak-D mismatch correlation (DNS -> TCP/TLS flows).
- GeoIP enrichment of leak events.
- Process tree reporting (PPID chain).
Known limitations
- On Windows, pcap capture may require selecting a specific NPF interface; use
  `dns leak watch --iface-diag` to list interfaces that can be opened.