DNS
- Description
- DNS under Android
- Already reported DNS problems
- How can I gather DNS (A/AAA/...) requests?
- How do I know if my applications are leaking DNS?
- Resolver commands
- Changing the default DNS
- Commands to check if DNS is working
- Browser
- Apps to change the current DNS
- [Useful links](#useful-links)
DNS is known not to be secure anymore, for several reasons. Like most "secure" communication protocols, it is susceptible to undetectable public-key substitution MITM attacks; a popular example was the Apple iMessage security problem.
The main problem is the insecurity of the underlying protocols themselves, DNS and X.509. See also Certificate Transparency.
The core problems are always:
- MITM (Man-In-The-Middle)
- DNS-based censorship circumvention
- Domain thefts ("seizures")
- Certificate revocation
- DOS (Denial-Of-Service) attacks
- Logging
Blocking DNS isn't possible, since it is needed on Android/Windows/Linux/Mac OS or any other OS, but we can simply use secure and proven alternatives. How complicated that is depends on your knowledge about how to change it.
There are alternatives like:
- Choosing a log-free DNS resolver, e.g. OpenNIC
- DNSSEC/DANE
- OpenDNS (or other providers which claim not to log or censor anything)
- DNSCrypt / TCPCrypt (DNSCrypt is now part of CM 12.1)
- TACK / HPKP
But even with such popular alternatives there are several problems, e.g. DNSSEC suffers from miscellaneous leaks (mentioned here or here) and it doesn't prevent MITM attacks.
By default the Google DNS servers (8.8.8.8/8.8.4.4) are set; currently the DNS servers get overridden after each reboot, IP change or reconnection, even when set with setprop (connectivity changes -> RIL via e.g. `ndc resolver setifdns rmnet0 x.x.x.x y.y.y.y`).
All AOSP based ROMs come with a tcpdump binary included, so you can just use it to show what's going on; several tutorials and documents are available. If this is too complicated for you, you can just grab AdAway (needs root) and use its own tcpdump/dnsmasq/libpcap interface to list all requests. It also provides an interface to add them to your hosts file or to a separate white-/blacklist.
A very detailed explanation of what DNS (Domain Name System) is can be found here.
There are several ways; the easiest is to visit a web page that automatically detects your current DNS resolver, like:
If your browser shows a DNS server different from what your own settings say, this usually means something is wrong or maybe compromised.
Per browser this must be set to get correct behavior, because browsers use their own internal DNS settings:
- On Firefox / Firefox Mobile (about:config): network.dns.disablePrefetch needs to be set to true.
On the OS level you can:
- Use 3rd Party Local DNS Servers/Resolvers, here.
- Apply Windows Tweaks and Registry Hacks, here - on non-servers 4 hours is enough.
- Apply MacOS Tweaks, here.
- Configure Firewall as Fail-safe To Prevent Leaks, here
- Generally use secure alternatives + use an online browser check
- Always use the latest software so that known bugs and security holes are fixed; tools like sumo help with this
- Use a secure, user/privacy friendly search engine like DuckDuckGo, Disconnect or Ixquick. Even better would be a decentralized search like YaCy, FAROO or any other based on P2P/...
- Verify no external addons/software/app leaks something
On Tor you can:
Sometimes these messages may be false alarms. To find out, you should run a packet sniffer on your network interface. The basic command to do this is `tcpdump -pni eth0 'port domain'`.
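As an added example (not code from the AFWall+ wiki or project), here is a small shell filter that runs the leak check from the tcpdump passage above over captured lines: it reads the text output of `tcpdump -n ... 'port 53'` and reports every outbound query that went to a resolver other than the ones you configured. The capture embedded in the script is constructed for this example and only mimics tcpdump's line format; `dns_leaks` and `leak_count` are this example's own names, and it assumes a POSIX awk (e.g. the BusyBox one on Android).

```sh
#!/bin/sh
# Added example (not from the AFWall+ wiki): flag DNS queries that leave the device
# towards a resolver other than the ones you configured. Input is the text output of
# `tcpdump -n ... 'port 53'`; the capture below is CONSTRUCTED for this example and
# only mimics that format. Needs a POSIX awk (e.g. BusyBox awk on Android).

SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.10.41234 > 208.67.222.222.53: 1234+ A? example.com. (29)
12:00:01.000002 IP 208.67.222.222.53 > 192.168.1.10.41234: 1234 1/0/0 A 93.184.216.34 (45)
12:00:02.000003 IP 192.168.1.10.41235 > 8.8.8.8.53: 4321+ AAAA? example.org. (29)
12:00:03.000004 IP 192.168.1.10.41236 > 192.168.1.1.53: 5555+ A? leak.test. (27)'

# dns_leaks "<allowed resolver IPs, space separated>"
# Reads tcpdump lines on stdin and prints "<resolver> <name>" for every outbound
# query whose destination resolver is not in the allow-list. Replies and queries
# to allowed resolvers are ignored.
dns_leaks() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # outbound query: destination ends in port 53 and the record type ends in "?"
        $4 == ">" && $5 ~ /\.53:$/ && $7 ~ /[?]$/ {
            dst = $5
            sub(/\.53:$/, "", dst)          # strip the port and ":" to get the resolver IP
            if (!(dst in ok)) print dst, $8
        }'
}

# leak_count "<allowed>": number of leaking queries in the constructed sample
leak_count() {
    printf '%s\n' "$SAMPLE_CAPTURE" | dns_leaks "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report against the OpenDNS resolvers used elsewhere on this page
printf 'Leaking queries: %s\n' "$(leak_count '208.67.222.222 208.67.220.220')"
printf '%s\n' "$SAMPLE_CAPTURE" | dns_leaks '208.67.222.222 208.67.220.220'
```

On a device, pipe the live capture in instead of the sample: `tcpdump -ni wlan0 -l 'port 53' | dns_leaks '208.67.222.222 208.67.220.220'` (`-l` line-buffers tcpdump's output so matches show up immediately). Anything printed is a query that bypassed your configured resolver, which is exactly the symptom the VPN and ISP-manipulation paragraphs below describe.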
If you are using a VPN this can also "fix" the DNS problem, but sometimes even this isn't enough, especially on Android with OpenVPN; some older versions and providers still suffer from this issue. A workaround can be found here.
Another possible problem is that your ISP MITMs and manipulates the DNS traffic (mostly for censorship or to spoof)! There are only a few methods to bypass this:
- Use Tor and set it up (simply use the setup wizard if you don't know how)
- Use a SSH tunnel
- Choose a VPN which doesn't censor
- Use JonDo (the proxy) [but the browser is also good]
- Use DNSCrypt or httpsdnsd (the HTTPSDNS daemon is already running if you use JonDo)
- For general implementation info about DNS transport over TCP take a look here
There are also several tips, tricks and guides with a lot of examples on the official Tor wiki page, see here & here. Remember that the tricks on these pages are optimized for Tor/I2P, so you may need to adjust some of the example configurations given there.
An easy method to look at open or closed threads is to search via `is:issue is:open dns` / `is:issue is:closed dns`, which shows the important threads (if the topic/thread content was correctly labeled); alternatively just click on the following links (or copy/paste the issue number into the search, e.g. https://github.com/ukanth/afwall/issues/).
Already reported DNS related topics:
- #377 DNS (port 53) is blocked for Wifi tethering
- #344 Wi-Fi-Hotspot not working while AFWall+ is enabled
- #326 Add mDNS support for local networks
- #318 Show host names in log view
- #257 USB/Bluetooth Tethering fails on CM11 mako
- #209 Bluetooth tethering borked as well
- #206 DNS Requests fail
- #178 Tethering
- #18 UDP 53 bypass because logging & whitelisting are enabled
Important: Please always use the search function here on AFWall's/AOSP issue tracker (2. under useful links) to look for already known problems and avoid duplicate threads.
http://androidxref.com/4.0.4/xref/system/netd/CommandListener.cpp#778
```
ndc resolver setdefaultif <iface>
ndc resolver setifdns <iface> <dns1> <dns2> ...
ndc resolver flushdefaultif
ndc resolver flushif <iface>
```
http://androidxref.com/4.1.1/xref/system/netd/CommandListener.cpp#803
```
ndc resolver setdefaultif <iface>
ndc resolver setifdns <iface> <dns1> <dns2> ...
ndc resolver flushdefaultif
ndc resolver flushif <iface>
```
http://androidxref.com/4.2_r1/xref/system/netd/CommandListener.cpp#873
```
ndc resolver setdefaultif <iface>
ndc resolver setifdns <iface> <dns1> <dns2> ...
ndc resolver flushdefaultif
ndc resolver flushif <iface>
```
http://androidxref.com/4.3_r2.1/xref/system/netd/CommandListener.cpp#770
```
ndc resolver setdefaultif <iface>
ndc resolver setifdns <iface> <domains> <dns1> <dns2> ...
ndc resolver flushdefaultif
ndc resolver flushif <iface>
ndc resolver setifaceforpid <iface> <pid>
ndc resolver clearifaceforpid <pid>
```
http://androidxref.com/4.4_r1/xref/system/netd/CommandListener.cpp#941
```
ndc resolver setdefaultif <iface>
ndc resolver setifdns <iface> <domains> <dns1> <dns2> ...
ndc resolver flushdefaultif
ndc resolver flushif <iface>
ndc resolver setifaceforpid <iface> <pid>
ndc resolver clearifaceforpid <pid>
ndc resolver setifaceforuid <iface> <l> <h>
ndc resolver clearifaceforuid <l> <h>
ndc resolver clearifacemapping
```
http://androidxref.com/4.4.2_r1/xref/system/netd/CommandListener.cpp#942
```
ndc resolver setdefaultif <iface>
ndc resolver setifdns <iface> <domains> <dns1> <dns2> ...
ndc resolver flushdefaultif
ndc resolver flushif <iface>
ndc resolver setifaceforpid <iface> <pid>
ndc resolver clearifaceforpid <pid>
ndc resolver setifaceforuidrange <iface> <l> <h>
ndc resolver clearifaceforuidrange <l> <h>
ndc resolver clearifacemapping
```
http://androidxref.com/4.4.3_r1.1/xref/system/netd/CommandListener.cpp#940
```
ndc resolver setdefaultif <iface>
ndc resolver setifdns <iface> <domains> <dns1> <dns2> ...
ndc resolver flushdefaultif
ndc resolver flushif <iface>
ndc resolver setifaceforpid <iface> <pid>
ndc resolver clearifaceforpid <pid>
ndc resolver setifaceforuidrange <iface> <l> <h>
ndc resolver clearifaceforuidrange <if> <l> <h>
ndc resolver clearifacemapping
```
http://androidxref.com/4.4.4_r1/xref/system/netd/CommandListener.cpp#940
```
ndc resolver setdefaultif <iface>
ndc resolver setifdns <iface> <domains> <dns1> <dns2> ...
ndc resolver flushdefaultif
ndc resolver flushif <iface>
ndc resolver setifaceforpid <iface> <pid>
ndc resolver clearifaceforpid <pid>
ndc resolver setifaceforuid <iface> <l> <h>
ndc resolver clearifaceforuid <if> <l> <h>
ndc resolver clearifacemapping
```
http://androidxref.com/5.0.0_r2/xref/system/netd/server/CommandListener.cpp#776
```
ndc resolver setnetdns <netId> <domains> <dns1> <dns2> ...
ndc resolver flushnet <netId>
```
http://androidxref.com/5.1.0_r1/xref/system/netd/server/CommandListener.cpp#791
```
ndc resolver setnetdns <netId> <domains> <dns1> <dns2> ...
ndc resolver clearnetdns <netId>
ndc resolver flushnet <netId>
```
Master tree (latest versions 08.07.2015 checked)
```
ndc resolver setnetdns <netId> <domains> <dns1> <dns2> ...
ndc resolver clearnetdns <netId>
ndc resolver flushnet <netId>
```
On Android <4.4 we can use the command `getprop | grep dns` to list all the DNS properties being used. This command requires BusyBox! `rmnet0` is the interface name for the 3G connection. `net.rmnet0.dns1` and `net.rmnet0.dns2` are the properties to be changed to point to the OpenDNS servers (the settings are still present in the CM/AOSP code). Since these properties are changed after the connection is established, `net.dns1` and `net.dns2` also have to be changed. Execute these commands as root user:
```
setprop net.rmnet0.dns1 208.67.222.222
setprop net.rmnet0.dns2 208.67.220.220
setprop net.dns1 208.67.222.222
setprop net.dns2 208.67.220.220
```
Remember, the settings will be applicable only for the current session! You will have to repeat them when you re-connect to the network.
The Android system chooses the DNS servers using the script located at /system/etc/dhcpcd/dhcpcd-hooks/20-dns.conf.
To change the DNS servers, use `setprop <property name> <value>` (setprop takes the name and the value as two separate arguments, not `name=value`):
```
setprop net.dns1 208.67.222.222
setprop net.dns2 208.67.220.220
setprop net.eth0.dns1 208.67.222.222
setprop net.eth0.dns2 208.67.220.220
setprop net.rmnet0.dns1 208.67.222.222
setprop net.rmnet0.dns2 208.67.220.220
setprop dhcp.tiwlan0.dns1 208.67.222.222
setprop dhcp.tiwlan0.dns2 208.67.220.220
setprop net.ppp0.dns1 208.67.222.222
setprop net.ppp0.dns2 208.67.220.220
setprop net.pdpbr1.dns1 208.67.222.222
setprop net.pdpbr1.dns2 208.67.220.220
```
Or via init.d script (won't reapply after a connectivity change):
```
#!/system/bin/sh
setprop net.dns1 208.67.222.222
setprop net.dns2 208.67.220.220
# Optional: per-interface properties
setprop dhcp.tiwlan0.dns1 208.67.222.222
setprop dhcp.tiwlan0.dns2 208.67.220.220
setprop net.ppp0.dns1 208.67.222.222
setprop net.ppp0.dns2 208.67.220.220
setprop net.rmnet0.dns1 208.67.222.222
setprop net.rmnet0.dns2 208.67.220.220
setprop net.pdpbr1.dns1 208.67.222.222
setprop net.pdpbr1.dns2 208.67.220.220
```
To check against it (on e.g. wlan) use:
```
tcpdump -ns0 -i wlan0 'port 53'
```
The DNS check tool is a secure proof of whether DNS is working or not; alternatively you can use nslookup via the command line. Please remember that there are some general problems with DNS security: there are several known attacks, like DoS, cache poisoning, ghost domain names and others. For more information take a look here.
If there is no setprop, you can write the values before `unset_dns_props()` begins. Here is an example 20-dns.conf file. You can get the DNS information by using the `getprop | grep dns` command, but this will only work for Android <4.3 devices.
The getprop or setprop method does not work on Android versions >4.4 anymore. Those values, when changed, simply get ignored by the netd daemon. It's necessary to communicate directly with the daemon via the /dev/socket/netd socket. Android now ships a tool called `ndc` which does exactly this job.
On 4.3 or 4.4 KitKat (as root, `su`):
```
ndc resolver setifdns eth0 "" 208.67.222.222 208.67.220.220 192.168.1.1
ndc resolver setdefaultif eth0
```
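The three methods above (setprop before 4.3, `ndc resolver setifdns` on 4.3/4.4, `ndc resolver setnetdns <netId>` from 5.0 on) differ only in the commands issued, so as an added example (not from the AFWall+ wiki or project) here is a helper that picks the right ones from `ro.build.version.sdk`. `dns_set_cmds`, `apply_dns_cmds` and the interface/netId arguments are this example's own names; the netId of the active network on 5.x is assumed to be supplied by the caller.

```sh
#!/system/bin/sh
# Added example (not from the AFWall+ wiki): print the commands that set the DNS servers
# for the running Android version, following the three methods described on this page:
#   SDK < 18  (before 4.3): setprop net.<iface>.dnsN and net.dnsN
#   SDK 18-20 (4.3 / 4.4):  ndc resolver setifdns + setdefaultif
#   SDK >= 21 (5.0+):       ndc resolver setnetdns <netId> (netd ignores the properties)
# dns_set_cmds, apply_dns_cmds and the netId argument are this example's own names.

# dns_set_cmds <sdk> <iface> <netId> <dns1> <dns2>
dns_set_cmds() {
    sdk=$1; iface=$2; netid=$3; dns1=$4; dns2=$5
    if [ "$sdk" -lt 18 ]; then
        printf 'setprop net.%s.dns1 %s\n' "$iface" "$dns1"
        printf 'setprop net.%s.dns2 %s\n' "$iface" "$dns2"
        # the per-interface values are copied to net.dnsN when the link comes up,
        # so both have to be changed for an already established connection
        printf 'setprop net.dns1 %s\n' "$dns1"
        printf 'setprop net.dns2 %s\n' "$dns2"
    elif [ "$sdk" -lt 21 ]; then
        # the empty "" is the <domains> (search domains) argument added in 4.3
        printf 'ndc resolver setifdns %s "" %s %s\n' "$iface" "$dns1" "$dns2"
        printf 'ndc resolver setdefaultif %s\n' "$iface"
    else
        printf 'ndc resolver setnetdns %s "" %s %s\n' "$netid" "$dns1" "$dns2"
        # drop answers cached from the old resolvers for that network
        printf 'ndc resolver flushnet %s\n' "$netid"
    fi
}

# apply_dns_cmds <sdk> <iface> <netId> <dns1> <dns2>: run each generated line (needs root)
apply_dns_cmds() {
    dns_set_cmds "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1
    done
}

# Stand-alone run: only PRINT the commands for this device, never apply them;
# call apply_dns_cmds explicitly once you have checked the output.
if command -v getprop >/dev/null 2>&1; then
    dns_set_cmds "$(getprop ro.build.version.sdk)" wlan0 100 208.67.222.222 208.67.220.220
else
    dns_set_cmds 19 wlan0 100 208.67.222.222 208.67.220.220
fi
```

Run it once without applying to see which method your ROM gets, then `apply_dns_cmds "$(getprop ro.build.version.sdk)" wlan0 <netId> 208.67.222.222 208.67.220.220` from a root shell. As the page notes, none of these survive a reconnect or reboot, so the call belongs in whatever re-applies your settings on connectivity changes.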
Or via AFWall+ custom script:
```
$IPTABLES -t nat -D OUTPUT -p tcp --dport 53 -j DNAT --to-destination 208.67.222.222:53 || true
$IPTABLES -t nat -D OUTPUT -p udp --dport 53 -j DNAT --to-destination 208.67.222.222:53 || true
# the -D lines only remove a stale copy; insert the redirect afterwards (same rules as the init.d variant below)
$IPTABLES -t nat -I OUTPUT -p tcp --dport 53 -j DNAT --to-destination 208.67.222.222:53
$IPTABLES -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to-destination 208.67.222.222:53
```
Or via init.d:
```
#!/system/bin/sh
# File without file extension
IP6TABLES=/system/bin/ip6tables
IPTABLES=/system/bin/iptables
# Maybe need to change $IPTABLES to iptables (if there are troubles applying them)
$IPTABLES -t nat -I OUTPUT -p tcp --dport 53 -j DNAT --to-destination 208.67.222.222:53
$IPTABLES -t nat -I OUTPUT -p udp --dport 53 -j DNAT --to-destination 208.67.222.222:53
```
Only Google Public DNS supports native IPv6! So uncheck IPv6 in your kernel (if checked!) or just disable it via an external custom script.
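As an added example (not the AFWall+ project's own script), the following combines the DNAT redirect above with the IPv6 note: it generates the iptables rules for one resolver, can optionally drop IPv6 DNS (port 53) instead of disabling IPv6 in the kernel, and applies them delete-then-insert so that re-running it never stacks duplicate rules. `dns_redirect_rules` and `dns_redirect_apply` are this example's names; the binary paths are those of the init.d snippet above.

```sh
#!/system/bin/sh
# Added example (not from the AFWall+ wiki): generate and apply the DNAT rules that force
# all IPv4 DNS traffic to one resolver, plus (optionally) rules that drop IPv6 DNS so
# nothing bypasses the redirect when the kernel still has IPv6 enabled.
# dns_redirect_rules and dns_redirect_apply are this example's own names.
IPTABLES=/system/bin/iptables
IP6TABLES=/system/bin/ip6tables

# dns_redirect_rules <add|remove> <resolver IPv4> [block6]
# Prints one iptables command per line. "remove" emits -D with "|| true" so that
# running it twice (or on a device without the rule) does not fail.
dns_redirect_rules() {
    action=$1; resolver=$2; block6=$3
    case "$action" in
        add)    op=-I; suffix='' ;;
        remove) op=-D; suffix=' || true' ;;
        *) echo "usage: dns_redirect_rules add|remove <resolver> [block6]" >&2; return 2 ;;
    esac
    for proto in tcp udp; do
        printf '%s -t nat %s OUTPUT -p %s --dport 53 -j DNAT --to-destination %s:53%s\n' \
            "$IPTABLES" "$op" "$proto" "$resolver" "$suffix"
    done
    if [ "$block6" = block6 ]; then
        # no DNAT for v6 here: just make sure no DNS query can leave over IPv6
        for proto in tcp udp; do
            printf '%s %s OUTPUT -p %s --dport 53 -j DROP%s\n' "$IP6TABLES" "$op" "$proto" "$suffix"
        done
    fi
}

# dns_redirect_apply <resolver> [block6]: remove stale copies first, then insert, so the
# rule set stays idempotent across reboots and AFWall+ re-applies (needs root).
dns_redirect_apply() {
    { dns_redirect_rules remove "$@"; dns_redirect_rules add "$@"; } | while IFS= read -r cmd; do
        eval "$cmd" || exit 1
    done
}

# Stand-alone run only prints the rule set; call dns_redirect_apply explicitly to install it.
dns_redirect_rules add 208.67.222.222 block6
```

To verify the result on the device, `iptables -t nat -L OUTPUT -n` should list exactly one tcp and one udp DNAT entry per resolver, and a capture with `tcpdump -ni wlan0 'port 53'` should show every query going to that resolver. Pass `remove` instead of `add` (or use it as the AFWall+ shutdown script) to undo the redirect.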
If you still prefer external apps, take a look at Override DNS [tested, working on 4.4.4/5.1], which does more or less the same. That may solve some problems on Android 4.4/Lollipop/M, but there is no guarantee; some ROMs may handle it differently.
The following may be necessary to check whether everything is working (dhcp/nameserver/dnsmasq, ...); the interface names may need to be changed to the ones you want to check: cellular, tethered, ...
- Grep the current DNS resolver settings via:
  `adb shell getprop | grep dns`
- The actual DNS servers used are the ones listed in the output of:
  `adb shell dumpsys connectivity` or `adb shell dumpsys connectivity | grep DnsAddresses`
- Via nslookup:
  `nslookup google.com`
- See the current dhcp info:
  `cat /system/etc/dhcpcd/dhcpcd.conf`
- List the tethered dns configuration:
  `adb logcat | egrep '(TetherController|dnsmasq)'`
- Check routing via:
  `ip ru` and `ip route ls`
- On Bluetooth tethering (optional):
  `ip addr show bt-pan`
- tcpdump: check the state and export the capture (the pcap filter keyword is `icmp`, there is no `icmp4` primitive):
  `tcpdump -ni any -s0 -U -w /sdcard/icmp4.pcap icmp` or `adb shell /data/tcpdump -ni wlan0 "icmp6 or port 67 or port 68"`
Working without any manual adjustments:
- Dolphin
- Naked Browser
- Firefox
- ....
Needs changes in the settings:
- Chrome -> Clean DNS cache ....
- Firefox -> for Tor/Orbot ....
- ...
The following apps have been successfully tested to work on all systems:
- OverrideDNS (paid)
- ... add more, remember they must work on all systems (even 5.1.1/M)
- Latest AOSP netd version (source code) | Android.GoogleSource.com
- List common DNS issues (read-only) | Google Issue Tracker
- DNS (local) resolution on Android Lollipop #79504 | Android Open Source Project - Issue Tracker
- Android 5 broke tethering (DNS REFUSED) #82545 | Android Open Source Project - Issue Tracker
- NsdManager | Android Developers.com
- Microsoft KB99686 – Enabling IP Routing | Support.Microsoft.com
Todo:
- Complete the missing parts
- Link all DNS related stuff in this thread (e.g. from the FAQ)
- Add several workarounds, since newer systems ignore the etc/resolver.conf or dhcpcd/dhcpcd-hooks/20-dns.conf files, explained with the given links
- Add AFWall+ workarounds via custom scripts or separate tips
- Possibly explain why Android 4.4+/5+ wants to call the RIL with RIL_REQUEST_SETUP_DATA_CALL
- Explain the broken MTU (seen on so many ROMs) and list this bug (see ConnectivityService), since Android 5.1.x always seems to use 1500 regardless of the value the dhcp daemon set in option 26 (interface_mtu).
- "How can I gather DNS (A/AAA/...) requests?" must be re-written
- Add example output of how it should look, really? (low-prio)
- On DNS problems on Android 5.x try to disable IPv6, since Android 5.0.1/5.x doesn't like DHCPv6 (maybe the next Android version will be called N for next bullshit) :)