Prevent DNS leak #2441

trueToastedCode · 2023-03-28T16:56:11Z

trueToastedCode
Mar 28, 2023

I've setup a v2ray-core server that's serves as local Proxy. I connect to it from Windows using socks5 and it then basically connects to the actual socks5 server with credentials.

Unfortunately, DNS leaks occur.

This is the configuration:
https://pastebin.com/59Y2hPE9

I understand that I need a fakedns. I don't understand Chinese and the English version features way less documentations
https://www.v2fly.org/config/fakedns.html#fakednsobject
https://www.v2fly.org/en_US/config/fakedns.html

What ip do I have to set here? What else do I need to configure that doesn't get mentioned in the English documentation?

{
    "ipPool": "240.0.0.0/8",
    "poolSize": 65535
}

I'd be really glad if anybody knows what to do. Thx!

mydogshitgold · 2023-03-28T18:27:51Z

mydogshitgold
Mar 28, 2023

Assuming that you are experiencing DNS leakage from the use of your ISP's DNS server, the solution would require adjustments to both your OS and browser's DNS settings, for which you can find tutorials on the web with ease. Note that some browsers may use DoH by default, which could override the OS settings and should be aligned accordingly. A more robust resolution is to simply hijack all DNS traffic originated from your OS.

I understand that I need a fakedns.

FakeDNS is commonly used, but not mandatory.

What ip do I have to set here?

Blindly utilizing reserved IP addresses without caution may lead to errors. Opt for the default 198.18.0.0/15 as a prudent choice.

What else do I need to configure that doesn't get mentioned in the English documentation?

In the eventuality that you encounter non-English documentation that is incomprehensible, resorting to translation software is a viable option given the significant improvements in NLP, resulting in mostly accurate translations.

My observation indicates that v2ray.com is outdated. Use v2fly.org instead.

Here be solutions:

Chage OS DNS server

Incorporate the following configuration into your own:

// vi: ft=jsonc
{
  "inbounds": [
    {
      "tag": "dns_in",
      // This should be your OS DNS address
      "listen": "127.0.0.53",
      "port": 53,
      "protocol": "dokodemo-door",
      "settings": {
        "address": "1.1.1.1",
        "port": 53,
        "network": "tcp,udp"
      }
    }
  ],
  "outbounds": [
    {
      "tag": "dns",
      "protocol": "dns",
      "proxySettings": {
        // You should tag the proxy outbound before applying this configuration
        // to prevent non proxied DNS traffic
        "tag": "tag of your proxy outbound"
      }
    }
  ],
  "dns": {
    "servers": [
      // DNS specified here will be used for internal name resolution and non A, AAAA queries
      "1.1.1.1"
    ]
  },
  "routing": {
    "rules": [
      {
        "outboundTag": "dns",
        "inboundTag": [
          "dns_in"
        ],
        "type": "field"
      }
    ]
  }
}

Subsequently, change your default DNS server to 127.0.0.53. The tutorials applicable to Windows is abundant.

Hijack all DNS traffic

Transparent proxy can facilitate this task. However, I am not sure whether Windows natively supports transparent proxy, due to the lack of documentation from Microsoft. Alternatively, you can use a Linux device as a gateway for Windows to accomplish this.

v2ray configuration:

// vi: ft=jsonc
{
  "inbounds": [
    {
      "tag": "tproxy_in",
      "port": 12345,
      "listen": "127.0.0.1",
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "sniffing": {
        "enabled": true,
        "metadataOnly": true,
        "destOverride": [
          "fakedns"
        ]
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy",
          "mark": 255
        }
      }
    },
    {
      "tag": "tproxy6_in",
      "port": 12345,
      "listen": "::1",
      "protocol": "dokodemo-door",
      "settings": {
        "network": "tcp,udp",
        "followRedirect": true
      },
      "sniffing": {
        "enabled": true,
        "metadataOnly": true,
        "destOverride": [
          "fakedns"
        ]
      },
      "streamSettings": {
        "sockopt": {
          "tproxy": "tproxy",
          "mark": 255
        }
      }
    }
  ],
  "outbounds": [
    {
      // Here be dragons
      "tag": "proxy"
    },
    {
      "tag": "dns",
      "protocol": "dns",
      "proxySettings": {
        "tag": "proxy"
      },
      "settings": {
        "address": "1.1.1.1",
        "port": 53
      },
      "streamSettings": {
        "sockopt": {
          "mark": 255
        }
      }
    },
    {
      "tag": "direct",
      "protocol": "freedom",
      "settings": {
        "domainStrategy": "UseIPv4"
      },
      "streamSettings": {
        "sockopt": {
          "mark": 255
        }
      }
    },
    {
      "tag": "block",
      "protocol": "blackhole",
      "settings": {
        "response": {
          "type": "http"
        }
      }
    }
  ],
  "routing": {
    "domainStrategy": "AsIs",
    "domainMatcher": "mph",
    "rules": [
      {
        "outboundTag": "proxy",
        "domains": [
          "domain:msftncsi.com",
          "domain:msftconnecttest.com",
          "domain:opendns.com"
        ],
        "type": "field"
      },
      // DNS
      {
        "outboundTag": "dns",
        "inboundTag": [
          "tproxy_in",
          "tproxy6_in"
        ],
        "port": 53,
        "network": "tcp,udp",
        "type": "field"
      },
      {
        "outboundTag": "direct",
        "domains": [
          "geosite:private"
        ],
        "type": "field"
      },
      {
        "outboundTag": "direct",
        "ip": [
          "geoip:private"
        ],
        "type": "field"
      },
      // NTP
      {
        "outboundTag": "direct",
        "inboundTag": [
          "tproxy_in",
          "tproxy6_in"
        ],
        "port": 123,
        "network": "udp",
        "type": "field"
      },
      {
        "outboundTag": "proxy",
        "inboundTag": [
          "socks_in",
          "dns_in",
          "tproxy_in",
          "tproxy6_in"
        ],
        "type": "field"
      }
    ]
  },
  "dns": {
    "tag": "dns_in",
    "domainMatcher": "mph",
    "hosts": {
      // Here be dragons
    },
    "servers": [
      "fakedns",
      {
        "address": "1.1.1.1",
        "domains": [
          "domain:msftncsi.com",
          "domain:msftconnecttest.com",
          "domain:pool.ntp.org"
        ]
      }
    ],
    "fakedns": [
      "198.18.0.0/15",
      "2001:db8::/32"
    ]
  }
}

iptables:

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:v2ray - [0:0]
:divert - [0:0]
-A PREROUTING -j v2ray
-A PREROUTING -p tcp -m socket -j divert
-A v2ray -d 127.0.0.0/8 -j RETURN
-A v2ray -d 0.0.0.0/32 -j RETURN
-A v2ray -d 10.0.0.0/8 -p udp ! --dport 53 -j RETURN
-A v2ray -d 10.0.0.0/8 -p tcp ! --dport 53 -j RETURN
-A v2ray -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN
-A v2ray -d 192.168.0.0/16 -p tcp ! --dport 53 -j RETURN
-A v2ray -d 172.16.0.0/12 -p udp ! --dport 53 -j RETURN
-A v2ray -d 172.16.0.0/12 -p tcp ! --dport 53 -j RETURN
-A v2ray -d 169.254.0.0/16 -p udp ! --dport 53 -j RETURN
-A v2ray -d 169.254.0.0/16 -p tcp ! --dport 53 -j RETURN
-A v2ray -d 192.0.0.0/24 -j RETURN
-A v2ray -d 224.0.0.0/4 -j RETURN
-A v2ray -d 255.255.255.255/32 -j RETURN
-A v2ray -d 100.64.0.0/10 -j RETURN
-A v2ray -m mark --mark 0xff -j RETURN
-A v2ray -p udp -j TPROXY --on-port 12345 --on-ip 127.0.0.1 --tproxy-mark 0x1/0xffffffff
-A v2ray -p tcp -j TPROXY --on-port 12345 --on-ip 127.0.0.1 --tproxy-mark 0x1/0xffffffff
-A divert -j MARK --set-xmark 0x1/0xffffffff
-A divert -j ACCEPT
:v2ray_mask - [0:0]
-A OUTPUT -j v2ray_mask
-A v2ray_mask -d 10.0.0.0/8 -p udp ! --dport 53 -j RETURN
-A v2ray_mask -d 10.0.0.0/8 -p tcp ! --dport 53 -j RETURN
-A v2ray_mask -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN
-A v2ray_mask -d 192.168.0.0/16 -p tcp ! --dport 53 -j RETURN
-A v2ray_mask -d 172.16.0.0/12 -p udp ! --dport 53 -j RETURN
-A v2ray_mask -d 172.16.0.0/12 -p tcp ! --dport 53 -j RETURN
-A v2ray_mask -d 169.254.0.0/16 -p udp ! --dport 53 -j RETURN
-A v2ray_mask -d 169.254.0.0/16 -p tcp ! --dport 53 -j RETURN
-A v2ray_mask -d 192.0.0.0/24 -j RETURN
-A v2ray_mask -d 224.0.0.0/4 -j RETURN
-A v2ray_mask -d 255.255.255.255/32 -j RETURN
-A v2ray_mask -d 100.64.0.0/10 -j RETURN
-A v2ray_mask -p udp --dport 53 -m owner --uid-owner dnsmasq -j RETURN
-A v2ray_mask -d 10.0.0.0/8 -p udp -m udp ! --dport 53 -j RETURN
-A v2ray_mask -d 192.168.0.0/16 -p udp -m udp ! --dport 53 -j RETURN
-A v2ray_mask -m mark --mark 0xff -j RETURN
-A v2ray_mask -p udp -j MARK --set-xmark 0x1/0xffffffff
-A v2ray_mask -p tcp -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -d 127.0.0.1 -p udp --dport 53 -j DNAT --to 10.10.10.10:53
-A OUTPUT -d 127.0.0.1 -p tcp --dport 53 -j DNAT --to 10.10.10.10:53
COMMIT

The ip6tables follows the same principal.

The routing table needs to be modified accordingly

ip rule add fwmark 1 lookup 100
ip route add local default dev lo table 100
ip -6 rule add fwmark 1 lookup 100
ip -6 route add local default dev lo table 100

I hereby disclaim any liability for any harm caused to your electronic or digital system, and shall not be held responsible for any such damages.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Prevent DNS leak #2441

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Prevent DNS leak #2441

Uh oh!

Uh oh!

trueToastedCode Mar 28, 2023

Replies: 1 comment

Uh oh!

Uh oh!

mydogshitgold Mar 28, 2023

Chage OS DNS server

Hijack all DNS traffic

trueToastedCode
Mar 28, 2023

mydogshitgold
Mar 28, 2023