
Draft: main/pmos-base-ui: use dnsane for DNS

clayton craft requested to merge dnsane into master

Update: we probably won't merge this, but keeping it open as "draft" until I can come up with something better!

Fixes #1430 by basically filtering DNS queries to remove any with addresses that might cause traffic to go over a lower priority interface. See that issue for a more detailed explanation of the problem.

It does this by:

  1. configuring NetworkManager to send DNS config to resolvconf, instead of writing to resolv.conf directly. In my (limited) testing, this seems to be necessary to get NM to trigger resolvconf, which is needed for...
  2. configuring resolvconf to ignore any DNS it receives and use localhost, when writing resolv.conf

openresolv is used because the alternative of modifying resolv.conf manually gets messy, specifically with apk, which may not replace /etc/resolv.conf if the user or something else has modified it...

Note that there are still some possibilities for apps that have hardcoded DNS nameservers to bypass dnsane. It's not trivial to catch this. The most straightforward way is to use a firewall rule to redirect all outbound DNS to dnsane. But this would break mmsd and any other apps that actually need to query specific nameservers to function properly.

I used a SIM that had a mobile data connection, but traffic was dropped by the carrier outside of the phone. In other words, my phone was often in the exact situation described in #1430. When connected to wifi, I could very easily notice when traffic was being routed incorrectly because anything destined for mobile data would fail (pages stopped loading, etc). After some amount of casual testing while using the phone "normally", I haven't noticed any failures yet from that problem.

Edited by clayton craft
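The two configuration steps from the description, written out as an added example. This is not code from the MR, from pmos-base-ui or from dnsane; it assumes dnsane is listening on 127.0.0.1, that the resolvconf in use is openresolv, and it uses a made-up drop-in file name (10-dnsane.conf). The `rc-manager=resolvconf` key is NetworkManager's documented way to hand DNS settings to resolvconf, and `name_servers`/`resolv_conf_local_only` are openresolv's resolvconf.conf keys; the ROOT prefix exists only so the script can be dry-run in a temporary directory rather than on the live system.

```shell
#!/bin/sh
# Added example, not the MR's or dnsane's own code. Writes the two config files
# described above under $ROOT (default: the real filesystem) so the change can
# be dry-run in a scratch directory first. Assumptions: dnsane answers on
# 127.0.0.1:53, openresolv provides /sbin/resolvconf, and the NetworkManager
# drop-in name 10-dnsane.conf is a name chosen here, not one the project uses.
set -eu

# Step 1: tell NetworkManager to run resolvconf with the per-connection name
# servers instead of writing /etc/resolv.conf itself.
nm_drop_in() {
    cat <<'EOF'
[main]
# Hand DNS settings to `resolvconf -a <iface>` instead of writing resolv.conf.
rc-manager=resolvconf
EOF
}

# Step 2: make openresolv write only the local resolver into resolv.conf.
# name_servers is prepended to whatever resolvconf receives; with
# resolv_conf_local_only=YES (openresolv's default, stated explicitly here) the
# dynamic name servers NM hands over are kept for subscribers but left out of
# /etc/resolv.conf, so libc only ever talks to dnsane.
resolvconf_conf() {
    cat <<'EOF'
name_servers=127.0.0.1
resolv_conf_local_only=YES
EOF
}

# Write both files under the given prefix ("" or "/" means the live system).
install_dns_conf() {
    root=${1:-}
    mkdir -p "$root/etc/NetworkManager/conf.d"
    nm_drop_in > "$root/etc/NetworkManager/conf.d/10-dnsane.conf"
    resolvconf_conf > "$root/etc/resolvconf.conf"
}

# Check that a resolv.conf lists 127.0.0.1 and no other nameserver, i.e. that
# no carrier or wifi DNS server leaked past the local resolver.
check_resolv_conf() {
    file=${1:-/etc/resolv.conf}
    grep -q '^nameserver 127\.0\.0\.1$' "$file" &&
        ! grep '^nameserver' "$file" | grep -vq '^nameserver 127\.0\.0\.1$'
}

# Real installation path (needs root): write the files, have openresolv
# regenerate resolv.conf, then verify only localhost is listed.
if [ "${DNSANE_INSTALL:-}" = 1 ]; then
    install_dns_conf "${ROOT:-}"
    resolvconf -u
    check_resolv_conf /etc/resolv.conf
fi
```

Run it with `ROOT=/tmp/dryrun sh dnsane-dns.sh` after sourcing the functions to inspect the generated files, or `DNSANE_INSTALL=1 sh dnsane-dns.sh` as root to apply them; after reconnecting a network, `resolvconf -l` shows the per-interface name servers NetworkManager handed over, while `check_resolv_conf` confirms that none of them reached /etc/resolv.conf. Anything that bypasses libc with a hardcoded nameserver (the mmsd case mentioned above) is not covered by this check.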
