[Bug] "Replacing resolv.conf" fails without error #76
Comments
This bug happens because a mount point with the --bind option cannot be a symbolic link; it needs to be a file or a folder. I had this problem before. Perhaps uninstalling the package resolvconf in Debian/Ubuntu should solve this issue.
I don't want to remove this symbolic link: systemd-resolved. How about redirecting via iptables?
There is no way to forward DNS at port 53 to an uplayer IP. Let's suppose a veth pair inside a netns sandbox: veth --> 10.0.0.1. iptables cannot forward DNS queries to 10.0.0.1; the DNS port must be at 10.0.0.2 (locally) or 127.0.0.1. For achieving this you should run a UDP port forwarder inside the sandbox to forward 10.0.0.1:53 to 127.0.0.1:53 (or 127.0.0.1:9053). And so add this iptables rule:
iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 9053
There is a UDP port forwarder called udpxd, it can do the job: https://github.com/TLINDEN/udpxd
Run the udpxd inside the orjail
Add an iptables rule:
I think it does not work: 1 2 3.
Ok, I found 2 issues when
If you forward the 53 port from veth to loopback and apply the iptables rule for forwarding, I'm sure it'll work.
I tested the UDP port forwarding inside orjail and it works. Start orjail:
Find the address of orjail veth:
Run udpxd inside orjail pointing to the address of veth
Add iptables rule:
Test it:
This only works if you haven't installed systemd-resolved (a systemd service that provides network name resolution to local applications via a D-Bus interface). And yes, I think curl (and maybe other apps) uses systemd-resolved via D-Bus. My tests inside the orjail:
I found a simple solution (inside the orjail):
It does not prevent DNS leaks via systemd-resolved (curl, etc.), but works without udpxd. How about adding this behavior if
There is no need for iptables rules, as by default the resolv.conf in network namespaces are placed at: /etc/netns/<netns_name>/resolv.conf. I'm a contributor but @lesion should commit if he wants. Instead of creating a resolv.conf and binding to /etc/resolv.conf, a folder /etc/netns should be created and a sub-folder /etc/netns/orjail too, in which a resolv.conf should be placed. This is the correct way.
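The per-namespace convention described in the previous comment, as an added example (not orjail's own code): ip-netns(8) documents that `ip netns exec NAME` bind-mounts every file under /etc/netns/NAME/ over the matching file in /etc, so a resolv.conf placed there is seen only inside that namespace and the host's /etc/resolv.conf symlink is never touched. The ROOT prefix argument and the helper names are assumptions added so the script can be exercised against a scratch directory without root; on a real system ROOT is the empty string.

```shell
#!/bin/sh
# Added example: manage /etc/netns/<name>/resolv.conf for a network namespace.
# ROOT is a path prefix (assumption for testing); "" means the real filesystem.

# write_netns_resolv ROOT NAME NAMESERVER
# Creates ROOT/etc/netns/NAME/resolv.conf pointing at NAMESERVER, the address
# reachable from inside the namespace (e.g. the veth peer or 127.0.0.1 when a
# forwarder listens there). The file is written to a temp name and renamed so a
# namespace started concurrently never sees a half-written file.
write_netns_resolv() {
    root=$1; name=$2; ns=$3
    dir="$root/etc/netns/$name"
    mkdir -p "$dir" || return 1
    printf 'nameserver %s\n' "$ns" > "$dir/resolv.conf.tmp" || return 1
    mv "$dir/resolv.conf.tmp" "$dir/resolv.conf"
}

# netns_resolv_nameserver ROOT NAME
# Prints the first nameserver the namespace would use, or fails if no
# per-namespace file exists (in which case ip netns exec leaves /etc untouched
# and the namespace inherits the host's resolv.conf).
netns_resolv_nameserver() {
    f="$1/etc/netns/$2/resolv.conf"
    [ -f "$f" ] || return 1
    awk '$1 == "nameserver" { print $2; exit }' "$f"
}

# Typical use on a real host (requires root; ORJAIL_NS is a placeholder name):
#   write_netns_resolv "" "$ORJAIL_NS" 10.0.0.2
#   ip netns exec "$ORJAIL_NS" cat /etc/resolv.conf   # shows nameserver 10.0.0.2
```

Because `ip netns exec` does the bind-mount of the whole file itself, this sidesteps the symlink question entirely; it does nothing, however, for lookups that bypass resolv.conf (nss-resolve talking to systemd-resolved over D-Bus), which is the separate leak discussed later in the thread.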
It works here:
The only way is to use iptables rules in your case. In orjail, when an error happens in the /etc/resolv.conf mount, a trigger that runs iptables should be added; @lesion should implement this.
I modified orjail to deal with /etc/resolv.conf if it's a symbolic link. Test to see if it works. I added these lines:
Without:
it will not work if
Now I use this:
Any news or updates? In firejail it works without iptables rules. And about the DNS leak: netblue30/firejail#2869 (comment)
I think the issue here is with
my proposal is to solve this issue by mounting our
I also do not understand the symlink issue you have with
debian# ls -la /etc/resolv.conf
lrwxrwxrwx 1 root root 29 26 nov 2020 /etc/resolv.conf -> ../run/resolvconf/resolv.conf
debian# echo test > test1
debian# mount --bind test1 /etc/resolv.conf
debian# cat /etc/resolv.conf
test
@ExceptionGit could you test this solution in the feat/nsswitch branch?
Test "feat/nsswitch branch" - curl works, no DNS leak. Symlink issue
I'm not able to reproduce this 😢, also this sounds really strange to me (I cannot understand how this could be possible), but I pushed another commit to modify the logic and use
interesting thread: slingamn/namespaced-openvpn#7 -> https://github.com/slingamn/namespaced-openvpn#dns-hardening
Similar result after
How about the firejail implementation?
using
What about mount-binding the whole /etc and replacing the relevant files (resolv.conf/nsswitch.conf)? This is done in 8bdfe75, I'm confident this is the way to go.
I think this is the best way, everything works now. Maybe completely remove Lines 154 to 155 in 8bdfe75
Merged in master.
Remove if this is the last namespace? It is very strange to get the directory in home.
What happens if the
When
/etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf
no replacement and DNS leaking via systemd-resolved
nameserver 127.0.0.53
.orjail/usr/sbin/orjail
Lines 227 to 229 in a0b9e6c
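The thread's remaining failure cases all hinge on what /etc/resolv.conf actually is on the host before the sandbox tries to replace it. The following check is an added example, not orjail's code: it classifies a resolv.conf path into the situations seen above (plain file, ordinary symlink, symlink into systemd-resolved's stub directory, a 127.0.0.53 stub nameserver, a dangling link that mount cannot follow) and maps each to the strategy the thread converged on. The function names, the output labels and the constructed files in the test are assumptions.

```shell
#!/bin/sh
# Added example: classify a resolv.conf before a sandbox replaces it.
# Facts relied on: mount --bind follows a symlink and fails if its target is
# missing; systemd-resolved's stub file lives under /run/systemd/resolve and
# points glibc at 127.0.0.53, while nss-resolve in nsswitch.conf hands lookups
# to systemd-resolved over D-Bus regardless of the namespace's resolv.conf.

# resolv_kind [PATH]   (PATH defaults to /etc/resolv.conf)
# Prints one of: file, symlink, systemd-stub-symlink, file-stub-nameserver,
# symlink-stub-nameserver, dangling-symlink, missing.
resolv_kind() {
    f=${1:-/etc/resolv.conf}
    if [ -L "$f" ]; then
        target=$(readlink "$f")
        # Dangling link: bind-mounting onto it fails with ENOENT.
        [ -e "$f" ] || { echo dangling-symlink; return 0; }
        case "$target" in
            */systemd/resolve/*) echo systemd-stub-symlink; return 0 ;;
        esac
        kind=symlink
    elif [ -f "$f" ]; then
        kind=file
    else
        echo missing; return 0
    fi
    # A plain file (or other symlink) can still point at the local stub.
    if grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.0\.0\.53([[:space:]]|$)' "$f"; then
        echo "$kind-stub-nameserver"
    else
        echo "$kind"
    fi
}

# resolv_advice [PATH]
# bind-mount-ok: the --bind of a generated resolv.conf is enough.
# replace-whole-etc-or-redirect: systemd-resolved is in the path; replace
#   resolv.conf and nsswitch.conf together (as the 8bdfe75 approach does) or
#   REDIRECT port 53 inside the namespace to a local forwarder.
# create-file-first: nothing usable to mount over; create the file before binding.
resolv_advice() {
    case "$(resolv_kind "$1")" in
        file|symlink)              echo bind-mount-ok ;;
        *stub*)                    echo replace-whole-etc-or-redirect ;;
        dangling-symlink|missing)  echo create-file-first ;;
    esac
}

# Usage on a real host: resolv_kind; resolv_advice
```

A sandbox wrapper can call `resolv_advice` right before its "Replacing resolv.conf" step and refuse to continue, with a visible message, when the answer is not `bind-mount-ok`, which is exactly the silent failure the issue title reports.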