Intercept DNS requests sent by systemd-resolved.#552
Merged
brianmay merged 2 commits into sshuttle:master (Nov 4, 2020)
Conversation
Previously, we would find DNS servers we wish to intercept traffic on by reading /etc/resolv.conf. On systems using systemd-resolved, /etc/resolv.conf points to localhost and then systemd-resolved actually uses the DNS servers listed in /run/systemd/resolve/resolv.conf. Many programs will route the DNS traffic through localhost as /etc/resolv.conf indicates and sshuttle would capture it. However, systemd-resolved also provides other interfaces for programs to resolve hostnames besides the localhost server in /etc/resolv.conf.

This patch adds systemd-resolved's servers into the list of DNS servers when --dns is used.

Note that sshuttle will continue to fail to intercept any traffic sent to port 853 for DNS over TLS (which systemd-resolved also supports).

For more info, see:
sshuttle issue sshuttle#535
https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html
systemd/systemd#6076
Author (Contributor):
On second thought, we should probably just use resolv.conf on the server (that has been working fine) and resolv.conf + systemd-resolved's file on the client (which is where the issue is). I'll update this with another commit later.
The server should just read from resolv.conf to find DNS servers to use. This restores this behavior after the previous commit changed it. The client now reads both /etc/resolv.conf and /run/systemd/resolve/resolv.conf. The latter is required to more reliably intercept regular DNS requests that systemd-resolved makes.
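The parsing described in the PR description and in the second commit message above, written out as an added example; this is not sshuttle's own code, and the file contents, the function names and the client/server split are assumptions made for the illustration. It collects `nameserver` entries from /etc/resolv.conf and, on the client only, merges in the upstream servers from /run/systemd/resolve/resolv.conf, and it flags the case where /etc/resolv.conf lists nothing but a loopback stub (the situation in which intercepting only that address misses lookups):

```python
import ipaddress
import socket
from typing import List, Tuple

# Files discussed in the PR. The second exists only on hosts running
# systemd-resolved and lists the upstream servers its stub forwards to.
RESOLV_CONF = "/etc/resolv.conf"
SYSTEMD_RESOLV_CONF = "/run/systemd/resolve/resolv.conf"

Server = Tuple[int, str]  # (socket.AF_INET or socket.AF_INET6, address)


def parse_nameservers(text: str) -> List[Server]:
    """Return the 'nameserver' entries of resolv.conf-formatted text, in order.

    Comments (# or ;), blank lines and other keywords (search, options, ...)
    are skipped, an unparsable address is ignored instead of raising, and a
    server listed twice is returned once.
    """
    servers: List[Server] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:
            addr = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        family = socket.AF_INET if addr.version == 4 else socket.AF_INET6
        entry = (family, str(addr))
        if entry not in servers:
            servers.append(entry)
    return servers


def merge_nameservers(*texts: str) -> List[Server]:
    """Union of the servers found in several files; first occurrence sets the order."""
    merged: List[Server] = []
    for text in texts:
        for entry in parse_nameservers(text):
            if entry not in merged:
                merged.append(entry)
    return merged


def only_loopback(servers: List[Server]) -> bool:
    """True when every server is a loopback address (such as a local stub resolver).

    Intercepting only such addresses misses lookups that bypass the stub,
    which is the gap the PR closes by also reading systemd-resolved's file.
    """
    return bool(servers) and all(
        ipaddress.ip_address(addr).is_loopback for _, addr in servers
    )


def load_dns_servers(is_client: bool) -> List[Server]:
    """Read the real files with the PR's final split: the server side reads
    only /etc/resolv.conf, the client also merges systemd-resolved's file.
    A missing or unreadable file contributes nothing (hypothetical helper)."""
    paths = [RESOLV_CONF] + ([SYSTEMD_RESOLV_CONF] if is_client else [])
    texts = []
    for path in paths:
        try:
            with open(path, encoding="utf-8") as fh:
                texts.append(fh.read())
        except OSError:
            texts.append("")
    return merge_nameservers(*texts)


# Constructed sample contents (not captured from a real host).
SAMPLE_ETC_RESOLV_CONF = """\
# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 127.0.0.53
options edns0 trust-ad
search example.test
"""

SAMPLE_SYSTEMD_RESOLV_CONF = """\
# Upstream servers the stub forwards to
nameserver 192.0.2.1
nameserver 2001:db8::53
nameserver 192.0.2.1  ; repeated entry, returned once
nameserver not-an-address
"""

if __name__ == "__main__":
    client = merge_nameservers(SAMPLE_ETC_RESOLV_CONF, SAMPLE_SYSTEMD_RESOLV_CONF)
    for family, addr in client:
        print("intercept", "AF_INET6" if family == socket.AF_INET6 else "AF_INET", addr)
    if only_loopback(parse_nameservers(SAMPLE_ETC_RESOLV_CONF)):
        print("/etc/resolv.conf lists only a loopback stub; merged systemd-resolved's servers")
```

Run stand-alone, the sample client set comes out as the stub 127.0.0.53 followed by 192.0.2.1 and 2001:db8::53, which is the list a client would need to intercept on port 53; as the PR notes, this does nothing for DNS over TLS on port 853, which is a separate path.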
Author (Contributor):
I fixed the issue mentioned in my previous comment.
brianmay approved these changes (Nov 4, 2020)