commit 4892f9353136baf0b00974fdb02176ca784498ff Author: Nathan Freitas nathan@freitas.net Date: Mon Mar 7 13:52:52 2016 -0500
DNS lookup through pdnsd should loop back into Tor DNS port While the TCP query to Google DNS before provided more robust DNS services, it could still leak outside the VPN service based on platform version and other circumstances. By using PDNSD as a proxy back into Tor's limited DNS service, we ensure DNS does not leak. --- res/values/pdnsd.xml | 3 ++- src/org/torproject/android/service/TorService.java | 5 ++++- src/org/torproject/android/vpn/OrbotVpnService.java | 6 ++++-- 3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/res/values/pdnsd.xml b/res/values/pdnsd.xml
index cb4e802..42834d2 100644
--- a/res/values/pdnsd.xml
+++ b/res/values/pdnsd.xml
@@ -6,12 +6,13 @@ global {
 cache_dir="/data/data/org.torproject.android/app_bin";
 server_port = 8091;
 server_ip = 0.0.0.0;
- query_method=tcp_only;
+ query_method=udp_only;
 min_ttl=15m;
 max_ttl=1w;
 timeout=10;
 daemon=on;
 pid_file="/data/data/org.torproject.android/app_bin/pdnsd.pid";
+
 }
 server {
diff --git a/src/org/torproject/android/service/TorService.java b/src/org/torproject/android/service/TorService.java
index 627f2e9..0a66fd4 100644
--- a/src/org/torproject/android/service/TorService.java
+++ b/src/org/torproject/android/service/TorService.java
@@ -649,7 +649,10 @@ public class TorService extends Service implements TorServiceConstants, OrbotCon
 extraLines.append("TransPort ").append(transPort).append('\n');
 extraLines.append("DNSPort ").append(dnsPort).append("\n");
-
+
+ if (Prefs.useVpn())
+ extraLines.append("DNSListenAddress 0.0.0.0").append('\n');
+
 if (Prefs.transparentTethering())
 {
 extraLines.append("TransListenAddress 0.0.0.0").append('\n');
diff --git a/src/org/torproject/android/vpn/OrbotVpnService.java b/src/org/torproject/android/vpn/OrbotVpnService.java
index c9247c2..c5f6b82 100644
--- a/src/org/torproject/android/vpn/OrbotVpnService.java
+++ b/src/org/torproject/android/vpn/OrbotVpnService.java
@@ -78,7 +78,9 @@ public class OrbotVpnService extends VpnService implements Handler.Callback {
 private final static boolean mIsLollipop = Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP;
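Review bot: The added `DNSListenAddress 0.0.0.0` line binds Tor's DNS listener to every interface whenever `Prefs.useVpn()` is true, which is wider than this commit appears to need: the OrbotVpnService hunks point pdnsd at `127.0.0.1`, so a loopback listener would serve it. With a wildcard bind, other hosts on a shared Wi-Fi or tethered network can send queries to the resolver. Unless something outside this diff requires the wildcard, prefer `extraLines.append("DNSListenAddress 127.0.0.1").append('\n');`, or drop the line and rely on `DNSPort`'s default loopback bind. The new `if` also has no braces, unlike the `transparentTethering()` block right below it. The enclosing method starts and ends outside the hunk.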
 //this is the actual DNS server we talk with over TCP/IP
- private final static String DEFAULT_ACTUAL_DNS = "8.8.8.8";//use Google here, or 8.8.4.4 as backup?
+ private final static String DEFAULT_ACTUAL_DNS_HOST = "127.0.0.1";//"8.8.8.8";//use Google here, or 8.8.4.4 as backup?
+ private final static int DEFAULT_ACTUAL_DNS_PORT = TorServiceConstants.TOR_DNS_PORT_DEFAULT;
+ private boolean isRestart = false;
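Review bot: `DEFAULT_ACTUAL_DNS_PORT` is fixed to `TorServiceConstants.TOR_DNS_PORT_DEFAULT`, while the TorService hunk writes `DNSPort` from a runtime `dnsPort` value whose origin is outside this diff. If the two can ever differ, pdnsd forwards to a port Tor is not listening on, and lookups fail or reach whatever else is bound there. Consider passing the port TorService actually configured into the `startDNS(...)` call in the second hunk instead of the constant. The comments are also stale after this change: `//this is the actual DNS server we talk with over TCP/IP`, the trailing `//"8.8.8.8";//use Google here...`, and `//start PDNSD daemon pointing to OpenDNS` in the second hunk. They could become `//pdnsd forwards to Tor's local DNSPort over UDP` and `//start PDNSD daemon pointing to Tor's DNSPort`.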
@@ -288,7 +290,7 @@ public class OrbotVpnService extends VpnService implements Handler.Callback {
 }
 //start PDNSD daemon pointing to OpenDNS
- startDNS(DEFAULT_ACTUAL_DNS,53);
+ startDNS(DEFAULT_ACTUAL_DNS_HOST,DEFAULT_ACTUAL_DNS_PORT);
 final String vpnName = "OrbotVPN";
 final String localhost = "127.0.0.1";