Skip to content

Weaken DNS isolation to deal with broken Android platforms

eta requested to merge eta/weaken-dns-isolation into main
  • Unfortunately, it looks like our plans for DNS isolation aren't actually going to work in practice on many devices.
    • Testing with an Android Oreo VM reveals that getting the owning UID of a DNS query using /proc/net/udp often fails or returns 0, which is no good.
    • Indeed, even on platforms where getConnectionOwnerUid is available, it might fail for UDP if the device's kernel doesn't have the CONFIG_INET_UDP_DIAG flag enabled (1), which might explain the issues @cyberta was having.
  • We therefore weaken the DNS isolation to deal with these cases: if we can't determine which app is sending us a DNS request, we generate a response anyway, and store it in an 'empty' DNS cookie map. The proxy code then queries this map if it can't find a DNS cookie in the actual app UID's cookie map.
    • This sucks a bit from a privacy perspective, but hopefully not too much: given these addresses are now randomized, it's harder to guess them.
Edited by eta

Merge request reports

Loading