Weaken DNS isolation to deal with broken Android platforms
- Unfortunately, it looks like our plans for DNS isolation aren't
actually going to work in practice on many devices.
- Testing with an Android Oreo VM reveals that getting the owning UID of a DNS query using /proc/net/udp often fails or returns 0, which is no good.
- Indeed, even on platforms where
getConnectionOwnerUid
is available, it might fail for UDP if the device's kernel doesn't have theCONFIG_INET_UDP_DIAG
flag enabled (1), which might explain the issues @cyberta was having.
- We therefore weaken the DNS isolation to deal with these cases: if we
can't determine which app is sending us a DNS request, we generate a
response anyway, and store it in an 'empty' DNS cookie map. The proxy
code then queries this map if it can't find a DNS cookie in the actual
app UID's cookie map.
- This sucks a bit from a privacy perspective, but hopefully not too much: given these addresses are now randomized, it's harder to guess them.
Edited by eta