
dnsproxy with configuration DoT, forward IP #7

Closed
syrm opened this issue Jan 23, 2019 · 11 comments
Labels
question Further information is requested

Comments

@syrm

syrm commented Jan 23, 2019

Hello,

I run dnsproxy like that:
dnsproxy -p 5353 --tls-port=853 -u 127.0.0.1:53 --tls-crt=/fullchain.pem --tls-key=privkey.pem

But my internal DNS server (127.0.0.1) sees requests coming from 127.0.0.1 instead of the original IP. Is it possible to fix that?

@ameshkov ameshkov added the question Further information is requested label Jan 23, 2019
@ameshkov
Member

Well, it makes sense as dnsproxy sends this request to it. I don't think there is an easy solution for that.

@syrm
Author

syrm commented Jan 23, 2019

Can it forge packets to change the IP?

@ameshkov
Member

In order for your DNS server to see the real client IP, you'll need to spoof the source address in the UDP packet (which is hard by itself). The second problem with that is that in this case the response will be sent not to dnsproxy but to that spoofed address, and you'll need to somehow intercept these packets and re-route them back to dnsproxy. I doubt it is feasible.

I've got another idea that might work, though.

There is an EDNS Client Subnet extension which allows indicating the client subnet to the upstream DNS server. Maybe if dnsproxy adds this extension to outgoing queries, your local DNS server will see it and indicate it in the interface.

To test it, add this code to https://github.com/AdguardTeam/dnsproxy/blob/master/proxy/proxy.go#L224

	o := new(dns.OPT)
	o.Hdr.Name = "."
	o.Hdr.Rrtype = dns.TypeOPT
	e := new(dns.EDNS0_SUBNET)
	e.Code = dns.EDNS0SUBNET
	e.Family = 1         // 1 for IPv4 source address, 2 for IPv6
	e.SourceNetmask = 32 // 32 for IPV4, 128 for IPv6
	e.SourceScope = 0
	e.Address = net.ParseIP("1.2.3.4").To4() // Hardcoded IP just for test
	o.Option = append(o.Option, e)
	d.Req.Extra = append(d.Req.Extra, o)
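As an added worked example (my code, not dnsproxy's and not anything posted in this thread), the following standard-library Go code produces and parses the raw RFC 7871 option data that the miekg/dns snippet above builds through dns.EDNS0_SUBNET. Unlike the hardcoded /32 test value, it truncates the client address to a chosen prefix so the upstream only learns that subnet; the function names and the sample addresses are my own.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// RFC 7871 option data: FAMILY(2) | SOURCE PREFIX-LENGTH(1) | SCOPE PREFIX-LENGTH(1) | ADDRESS,
// where ADDRESS holds only ceil(prefix/8) bytes and bits beyond the prefix must be zero.
//
// encodeECS truncates ip to prefixLen bits so only that prefix leaves the proxy (the test
// snippet above sends the full /32). Scope prefix length is always 0 in a query.
func encodeECS(ip net.IP, prefixLen int) ([]byte, error) {
	family, addr, bits := uint16(1), ip.To4(), 32
	if addr == nil {
		if addr = ip.To16(); addr == nil {
			return nil, fmt.Errorf("invalid IP address")
		}
		family, bits = 2, 128
	}
	if prefixLen < 0 || prefixLen > bits {
		return nil, fmt.Errorf("prefix length %d out of range for family %d", prefixLen, family)
	}
	data := make([]byte, 4+(prefixLen+7)/8) // data[3] (scope) stays 0
	binary.BigEndian.PutUint16(data[0:2], family)
	data[2] = byte(prefixLen)
	copy(data[4:], addr.Mask(net.CIDRMask(prefixLen, bits))) // copies only ceil(prefix/8) bytes
	return data, nil
}

// decodeECS is what the receiving resolver does before it can log the client subnet.
func decodeECS(data []byte) (*net.IPNet, error) {
	if len(data) < 4 {
		return nil, fmt.Errorf("ECS option too short")
	}
	family, prefixLen := binary.BigEndian.Uint16(data[0:2]), int(data[2])
	bits := map[uint16]int{1: 32, 2: 128}[family] // 0 for an unknown family
	if bits == 0 || prefixLen > bits || len(data) != 4+(prefixLen+7)/8 {
		return nil, fmt.Errorf("malformed ECS option (family %d, prefix %d)", family, prefixLen)
	}
	ip, mask := make(net.IP, bits/8), net.CIDRMask(prefixLen, bits)
	copy(ip, data[4:])
	if !ip.Equal(ip.Mask(mask)) { // RFC 7871 requires zero padding past the prefix
		return nil, fmt.Errorf("non-zero address bits beyond the prefix")
	}
	return &net.IPNet{IP: ip, Mask: mask}, nil
}
```

The bytes returned by encodeECS are exactly what goes into the OPT RR's option field with option code 8, which is what the library snippet wraps for you.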

@syrm
Author

syrm commented Jan 23, 2019

I tried like that:

	o := new(dns.OPT)
	o.Hdr.Name = "."
	o.Hdr.Rrtype = dns.TypeOPT
	e := new(dns.EDNS0_SUBNET)
	e.Code = dns.EDNS0SUBNET
	e.Family = 1         // 1 for IPv4 source address, 2 for IPv6
	e.SourceNetmask = 32 // 32 for IPV4, 128 for IPv6
	e.SourceScope = 0
	e.Address = net.ParseIP("1.2.3.4").To4() // Hardcoded IP just for test
	o.Option = append(o.Option, e)
	d.Req.Extra = append(d.Req.Extra, o)

	dnsUpstream := d.Upstream

	// execute the DNS request

Without success.

@ameshkov
Member

Does your local DNS support ECS?

@syrm
Author

syrm commented Jan 23, 2019

@ameshkov
Member

Oh, that's not ECS support; it looks as if this is simply part of the resolver description.

Btw, on a side note, full DOH/DOT support will be in the next version of AdGuard Home:
AdguardTeam/AdGuardHome#285

@syrm
Author

syrm commented Jan 23, 2019

Hum ok, I'm gonna ask pi-hole to support ECS then.

@syrm
Author

syrm commented Jan 24, 2019

pi-hole uses dnsmasq, which seems to support EDNS.

@ameshkov
Member

I guess I might've been unclear. All modern DNS servers support EDNS, that's not the point.

What I mean by supporting ECS is somehow indicating it in the interface/logs. I've outlined the idea here: AdguardTeam/AdGuardHome#558

@syrm
Author

syrm commented Jan 24, 2019

Ok sorry, I think we can close this :-)
Thank you

@syrm syrm closed this as completed Jan 24, 2019