DNS requests don't prompt me for Wine / Proton on Linux #1420

Open

Zesko opened this issue Jan 18, 2024 · 12 comments
Comments

@Zesko

Zesko commented Jan 18, 2024

PortMaster -> Global Settings -> Privacy Filter -> General -> Default Network Action -> Change Allow to Prompt

That works fine on Linux, and the notification asks me whether I accept a new connection or not. For example:

image

That is good.

But that has one issue with Wine/Proton.

What happened:

I installed GE-Proton 8 or any Proton 8 version for Steam.
One part of Proton is the binary executable wine-preloader.

Any Windows game uses this binary wine-preloader to perform DNS queries. But PortMaster does not prompt me or cannot block them.

PortMaster allows all DNS queries of a Windows game without asking me. 😯

Screenshot_20240118_074547

What did you expect to happen?:

My expectation is that PortMaster should prompt me to decide "block" or "allow" when playing any Windows game on Linux.

How did you reproduce it?:

  1. I am using NetworkManager, which generates /etc/resolv.conf, instead of systemd-resolve
  2. Install any Proton 8 or GE-Proton 8 in Steam
  3. Create a new profile "Proton Wine Preloader" and edit Process Matching: (wine64-preloader|wine-preloader)$

Screenshot_20240118_081521

  4. Edit this profile's settings -> Privacy -> Filter -> General -> Default Network Action -> Change Allow to Prompt or Block

  5. Test a Windows game using this Proton.

  6. But many DNS queries of the game are allowed by PortMaster without asking me. That is problematic.

@Zesko Zesko added the bug TYPE: a report on something that isn't working label Jan 18, 2024
@Raphty
Member

Raphty commented Jan 18, 2024

What reason does the connection give for being allowed when you expand it?

@Raphty
Member

Raphty commented Jan 18, 2024

image

@Zesko
Author

Zesko commented Jan 18, 2024

image

PortMaster version 1.6.2

@Zesko
Author

Zesko commented Jan 18, 2024

Just info:

There is a combination of two binaries of Wine (part of Proton):

  • wine-preloader or wine64-preloader, which makes DNS requests without an IP address
  • wineserver, which gets the IP addresses after a domain name is resolved and then connects to the server.

PortMaster can block any connection of the binary wineserver after a domain name is resolved, but it only sees random, changing IP addresses without a domain name / URL.

It looks like PortMaster can only ask me to allow or block IP addresses, but it cannot block DNS requests from some binaries, for example wine-preloader and ping.

@Raphty
Member

Raphty commented Jan 18, 2024

Domain requests are handled by Portmaster itself.

What this tells you is which app is requesting the domain.

A DNS request is not a connection.

Portmaster resolves those requests so it can tell you where the actual connection wanted to go afterwards.
No data has been sent by the application requesting the DNS.

@Raphty Raphty removed the bug TYPE: a report on something that isn't working label Jan 18, 2024
@Raphty Raphty changed the title PortMaster can not prompt me to block all domain URL from Wine / Proton on Linux DNS request don't prompt me for Wine / Proton on Linux Jan 18, 2024
@Zesko
Author

Zesko commented Jan 18, 2024

> Portmaster resolves those requests so it can tell you where the actual connection wanted to go afterwards.

We want to be notified when any unknown random DNS request appears BEFORE domain resolution and connection, if its domain / URL is not in the block list.

@Raphty
Member

Raphty commented Jan 18, 2024

It is before a connection is established.

This is expected behavior. If you tell me what your use case is and why you want to change this behavior, I might be able to help with mitigation ideas that fit your chosen threat model.

@Zesko
Author

Zesko commented Jan 18, 2024

> If you tell me what your use case is, and why you want to change this behavior.

I think that the chance of malware on Wine/Proton is greater than for native apps on Linux.

There are two binaries, wine-preloader and wineserver, in Wine / Proton; they communicate with each other. They do not use the same things.

  • wine-preloader only makes DNS requests and does not open a connection to any server, no IP.

  • wineserver connects directly to any server via IP address without a domain name / URL.

  1. When you start any Windows program on Wine, an internet connection to its servers is required.
  2. wine-preloader sends domain queries to DNS and receives IP addresses after the domain names are resolved.
  3. wine-preloader passes the information to wineserver, which establishes a connection to the servers.
  4. When wineserver wants to connect to any server, Portmaster prompts you, but you see only IP addresses; the wineserver profile does not tell you which domain name.
  5. You do not know which IP address belongs to which domain.

The list of the wine-preloader profile shows only domain queries.
Screenshot_20240118_163537

The list of the wineserver profile shows only IP addresses without domain.
image

In Portmaster both are separate, but in Wine they communicate together.

@Zesko
Author

Zesko commented Jan 18, 2024

PortMaster can block or allow selected IP connections from the wineserver profile according to your decision, but you do not know which IP connections belong to which domains. This is why you need to control the wine-preloader profile to restrict random domain queries.
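The split described in the two comments above (DNS answers visible only under the wine-preloader profile, bare IP connections only under the wineserver profile) can be bridged by correlating the two event streams yourself. The script below is an added example written for this page; it is not Portmaster code and not from the issue's author. It reuses the process-matching pattern `(wine64-preloader|wine-preloader)$` from the profile in the report, assumes a hypothetical companion pattern `wineserver$` for a second profile, and parses a constructed, made-up log format (`<t> <pid> <binary> <event> <args>`) that stands in for whatever event export you actually have. It keeps an IP-to-domain map fed by the preloader's DNS answers, honours the answer's TTL, and labels each wineserver connection with the domain that produced its destination IP, so a decision can be made by domain rather than by a random IP; an IP with no fresh mapping is sent to "prompt" rather than trusted.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Process-matching pattern taken from the "Proton Wine Preloader" profile in the issue.
PRELOADER_RE = re.compile(r"(wine64-preloader|wine-preloader)$")
# Assumed pattern for a companion wineserver profile (hypothetical, not from the issue).
WINESERVER_RE = re.compile(r"wineserver$")

# Constructed sample event log (hypothetical format; not Portmaster's own output).
# Fields: <t> <pid> <binary path> <event> <args>
SAMPLE_LOG = """\
1 4101 /home/u/.steam/compatibilitytools.d/GE-Proton8/files/bin/wine64-preloader dns example-game-cdn.test A 203.0.113.10 203.0.113.11 ttl=60
2 4102 /home/u/.steam/compatibilitytools.d/GE-Proton8/files/bin/wineserver connect 203.0.113.10:443
3 4101 /home/u/.steam/compatibilitytools.d/GE-Proton8/files/bin/wine64-preloader dns telemetry.example.test A 198.51.100.7 ttl=30
4 4102 /home/u/.steam/compatibilitytools.d/GE-Proton8/files/bin/wineserver connect 198.51.100.7:443
5 4102 /home/u/.steam/compatibilitytools.d/GE-Proton8/files/bin/wineserver connect 192.0.2.99:27015
90 4102 /home/u/.steam/compatibilitytools.d/GE-Proton8/files/bin/wineserver connect 198.51.100.7:443
"""


def profile_for(path: str) -> Optional[str]:
    """Classify a binary path the way the two profiles' process matching would."""
    if PRELOADER_RE.search(path):
        return "preloader"
    if WINESERVER_RE.search(path):
        return "wineserver"
    return None


@dataclass
class Mapping:
    domain: str
    expires: int  # log timestamp after which the DNS answer is stale


def correlate(log: str, allow_domains: set[str]) -> list[dict]:
    """Walk the log in order. DNS answers from the preloader profile fill an
    ip -> (domain, expiry) map; each wineserver connection is then annotated
    with the domain behind its destination IP and given a verdict:
    allow (fresh mapping, domain allowed), block (fresh mapping, domain not
    allowed), prompt (no mapping, or the mapping's TTL has expired)."""
    ip_map: dict[str, Mapping] = {}
    results: list[dict] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts_s, _pid, path, event, *args = line.split()
        ts = int(ts_s)
        prof = profile_for(path)
        if prof == "preloader" and event == "dns":
            # args: <qname> <rtype> <ip>... ttl=<seconds>
            qname, _rtype, *ips, ttl_s = args
            ttl = int(ttl_s.removeprefix("ttl="))
            for ip in ips:
                ip_map[ip] = Mapping(qname, ts + ttl)
        elif prof == "wineserver" and event == "connect":
            ip, port = args[0].rsplit(":", 1)
            m = ip_map.get(ip)
            if m is None:
                domain, verdict = None, "prompt"      # never resolved by the preloader
            elif ts > m.expires:
                domain, verdict = m.domain, "prompt"  # stale answer: don't trust it
            elif m.domain in allow_domains:
                domain, verdict = m.domain, "allow"
            else:
                domain, verdict = m.domain, "block"
            results.append({"t": ts, "dst": f"{ip}:{port}", "domain": domain, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG, {"example-game-cdn.test"}):
        print(r)
```

The allowlist is a stand-in for the per-domain rules you would otherwise put in the wineserver profile: a connection is judged by the domain that produced its IP, and anything the preloader never resolved (or resolved too long ago) falls back to a prompt, which is the behaviour the reporter asks for.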

@Raphty
Member

Raphty commented Jan 18, 2024

Interesting, it seems that Wine emulates the Windows DNS service, which is why the structure is like this.


This issue has been automatically marked as inactive because it has not had activity in the past two months.

If no further activity occurs, this issue will be automatically closed in one week in order to increase our focus on active topics.

@github-actions github-actions bot added the stale ATTRIBUTE: this issue has not had recent activity label Mar 22, 2024
@Zesko
Author

Zesko commented Mar 22, 2024

Is it possible to add a new option that prompts people when a "DNS request" comes in?

Thanks!

@github-actions github-actions bot removed the stale ATTRIBUTE: this issue has not had recent activity label Mar 25, 2024