jigsaw-code / intra Goto Github PK

,

Downloads that are implemented using DownloadManager and JobScheduler often don't work through Intra. This appears to be because Intra's VPN, with its narrow routing, is not marked by Android as having the INTERNET capability. (The Android source code indicates that a VPN must include 85% of the routing space to qualify for this mark.) When the default network doesn't have the INTERNET capability mark, DownloadManager hangs (waiting for internet access).

It's not yet clear how we can mitigate this problem in Intra.

Currently, in error cases where there is an unknown or not-applicable IP address, it is rendered in the detailed view as "::1", i.e. IPv6 localhost. This has created significant confusion. We should properly track unknown IP addresses and show an explicit error message (maybe "N/A") instead.

Making the "Recent Queries" exportable to .CSV files in Google Drive would enable onboard malware research, as well as allowing users to track down misbehaving apps. Instead of storing them on the device, can they be stored directly in Drive?

Its quite nice have hosts file support for block certain site or ip , and some redirect ip using for website

Hi, a respected developer. Is it possible to add support for normal dns in Intra? Thank you

Hey.
Is there any plans to add support for Quad9?

Thanks in advance

Version 0.0.11 is eating much battery (15%), compared to 0.0.5, which almost eat none. What are the changes between 0.0.11 and 0.0.5? I wonder if I can downgrade to 0.0.5 instead?

If a request takes too long (more than a second?), the operating system will reissue it, to mitigate UDP packet loss. Currently, this will trigger an additional DOH request. This is unnecessary and wasteful, since DOH is a reliable protocol.

To avoid this duplication, we could keep track of all queries currently in flight, and unceremoniously drop the duplicates when they arrive.

DNS stamps encode all the required information to connect to a secure DNS resolver as a single string.

A DoH stamp includes SPKI hashes and bootstrap IP addresses in addition to the URL.

Stamps prevent users from ignoring SPKI, bootstrap with the correct servers, require only a single string to copy/paste, and can be easily listed in documentations and text files: https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md

It would be nice if Intra supported DNS stamps.

Chrome appears to have activated an "async resolver" feature that gets dns servers directly from the OS using getActiveNetwork(). Unfortunately, Intra's VPN is never the active network due to handling of the INTERNET capability, so Chrome gets the physical network's resolver IPs instead. Chrome sends queries as UDP writes directly to those addresses, bypassing Intra.

To fix this, we can add the active network's DNS resolvers to our VPN's aperture.

Integration with tools like Tasker or Automate would be great. Sometimes the Wi-Fis of specific SSID has been configured to use DoH or DoT, so it is not needed to have DoH client running on the phone. Or sometimes a VPN is needed within the network, and it is not compatible to use Intra. Tasker integration would make it possible to switch the VPN service accordingly.

The content-type in the http-post-header is wrong. As of draft 7 is has to be "application/dns-message", but in the current version "application/dns-udpwireformat" is sent.

A fix is important since the implemenations I know check the content type and return an error is it does not match.

see https://datatracker.ietf.org/doc/draft-ietf-doh-dns-over-https/

I would like to set a "Backup" Domain (URL). If the 1st URL is not working it automatically uses the 2nd URL.
Compare it to the current DNS solution. Primary and Secondary DNS entry.

Attempting to enter a custom server URL does not permit entry. The "OK" button never lights even after a valid https:// URL is entered (try "https://dns.quad9.net")

On recent builds, scrolling through the recent queries seems to have gotten jankier. Systrace shows that the jank is due to long delays in LayoutInflater.inflate, which is called by RecyclerAdapter.onCreateViewHolder to inflate each row.

I can't tell what changed to make this worse. It might be due to the upgraded support libraries (now called androidx).

Currently, the VPN establishment process is somewhat messy, not well localized within the code, and does not do a good job of indicating its state in the UI. A better approach would factor the state into the following components:

• VPN: off, on
• Controller: want vpn off, want vpn on
• Connection: offline (null), new, last query succeeded, last query failed

This state then maps into what we display in the UI:

EDIT: Stopping is synchronous so there's no intermediate state there.

Currently we have polling in a couple of places in the SOCKS proxy, inherited from Sockslib:

• UDP:

  Intra/Android/app/src/main/java/app/intra/socks/UdpOverrideSocksHandler.java

  Line 74 in 0b12cde

  Thread.sleep(IDLE_TIME_MS);

• TCP:

  Intra/Android/third_party/sockslib/src/main/java/sockslib/server/Socks5Handler.java

  Line 190 in 0b12cde

  Thread.sleep(idleTime);

These polling loops exist primarily to detect an interrupt and perform a clean shutdown of the associated proxy pair.

This polling might be significantly increasing Intra's power usage. We should remove these polling loops and move to a fully event-driven threading design.

As seen in issue #69, the error message in the Custom URL dialog doesn't necessarily provide detailed information that can be used to fix an invalid URL. Specifically, it should be easy to notify users if a URL is missing a valid path.

I wanted to let you know that Quad9 has recently added support for DOH.

https://dns9.quad9.net/dns-query for our service that includes blocking of malicious domains/dnssec validation
https://dns10.quad9.net/dns-query for vanilla encrypted dns

We'd be happy to do a pull request but not sure how you might want to handle a network with two entries or if we should only submit one.

Thanks

Danielle

If the user has another VPN active, or has DNS-over-TLS enabled (Android P), indicating that queries are "exposed" is not accurate. We need a better indicator for the current system state in these situations.

Intra crashes if there's a relevant systemwide GMS update. The logs show

ChimeraModuleLdr: Module config changed, forcing restart due to module com.google.android.gms.flags
Process : Sending signal. PID: 10926 SIG: 9
...
ActivityManager: Service done with onDestroy, but not inDestroying: ServiceRecord{7f1640d u0 com.google.android.gms/.icing.service.AppIndexingService}, app=ProcessRecord{ca2b025 0:com.google.android.gms/u0a22}
...
lowmemorykiller: Error writing /proc/10926/oom_score_adj; errno=22
ActivityManager: Exception when unbinding service app.intra/.DnsVpnService
ActivityManager: android.os.DeadObjectException
ActivityManager: at android.os.BinderProxy.transactNative(Native Method)
ActivityManager: at android.os.BinderProxy.transact(Binder.java:1127)
ActivityManager: at android.app.IApplicationThread$Stub$Proxy.scheduleUnbindService(IApplicationThread.java:1100)
ActivityManager: at com.android.server.am.ActiveServices.removeConnectionLocked(ActiveServices.java:2894)
ActivityManager: at com.android.server.am.ActiveServices.unbindServiceLocked(ActiveServices.java:1758)
ActivityManager: at com.android.server.am.ActivityManagerService.unbindService(ActivityManagerService.java:20538)
ActivityManager: at android.app.ContextImpl.unbindService(ContextImpl.java:1695)
ActivityManager: at com.android.server.connectivity.Vpn$3.interfaceRemoved(Vpn.java:1417)
ActivityManager: at com.android.server.NetworkManagementService.lambda$notifyInterfaceRemoved$3(NetworkManagementService.java:482)
ActivityManager: at com.android.server.-$$Lambda$NetworkManagementService$FsR_UD5xfj4hgrwGdX74wq881Bk.sendCallback(Unknown Source:2)
ActivityManager: at com.android.server.NetworkManagementService.invokeForAllObservers(NetworkManagementService.java:442)
ActivityManager: at com.android.server.NetworkManagementService.notifyInterfaceRemoved(NetworkManagementService.java:482)
ActivityManager: at com.android.server.NetworkManagementService.access$700(NetworkManagementService.java:137)
ActivityManager: at com.android.server.NetworkManagementService$NetdCallbackReceiver.onEvent(NetworkManagementService.java:821)
ActivityManager: at com.android.server.NativeDaemonConnector.handleMessage(NativeDaemonConnector.java:160)
ActivityManager: at android.os.Handler.dispatchMessage(Handler.java:102)
ActivityManager: at android.os.Looper.loop(Looper.java:193)
ActivityManager: at android.os.HandlerThread.run(HandlerThread.java:65)
ActivityManager: at com.android.server.ServiceThread.run(ServiceThread.java:44)
Vpn : setting state=DISCONNECTED, reason=agentDisconnect
ConnectivityService: NetworkAgentInfo [VPN () - 142] EVENT_NETWORK_INFO_CHANGED, going from CONNECTED to DISCONNECTED
ConnectivityService: NetworkAgentInfo [VPN () - 142] got DISCONNECTED, was satisfying 9 0

It looks like GMS does "kill -9" on all affected apps before an update. Most apps restart after the update completes, but this doesn't appear to apply to our foreground service.

GMS updates are relatively infrequent (~once a month) but this is still unfortunate and worth investigating.

The appearance of lowmemorykiller in the logs is interesting, but it may just indicate a cleanup operation that is failing because the process no longer exists after kill -9. Similarly, the DeadObjectException likely indicates that the system is trying to notify Intra that the VPN has been disconnected, but Intra is no longer running.

Latencies to dns.google.com seem to be dramatically higher than the ping time. This could be an indication that socket pooling and reuse is not working correctly. Needs investigation.

User reported observed behavior:
Intra does not allow wifi calling to connect on the Metro by T-mobile network using either the google or cloudflare resolver.

Expected behavior:
Wifi calling is allowed through with Intra on.

Steps to reproduce:

1. Install Intra on a device with Metro by T-Mobile (and/or other device with Wifi calling)
2. Try to make a call with Intra on

Don't know why but cannot turn it to On.
Did it need root?

The new VPN core doesn't support IPv6. We should fix that.

Hi! Like many people i'm not using the Play Store (or any Google services) on my Android phone, but I'm very interested in trying out DNS over HTTPS on my phone.

I would like to compile the project, but i think it would be nice to distribute the application outside of Google. F-Droid is a free-software app manager for Android. The main repo at f-droid.org contains only free software, and there may be a few steps to meet the inclusion policy.

Is this something you would be willing to do ? Thanks for building intra :)

It might make sense to enable TCP_NODELAY in our SOCKS server to avoid unnecessary Nagling.

I have my own doh server, so would be nice to have this option

Hello,

I wanted to ask if there's a reliable mechanism to know that my DNS queries are essentially encrypted, in addition to seeing Intra running background?

I meant no offense to the Intra team. I had this question because I checked out the Cloudflare DNS blogs and run a test at https://1.1.1.1/help ; this test seems to show that neither DoH nor DoT was in use for me. The attached screenshot shows my result on my Pixel C tablet.
I should note that if I switched DNS server from Google to Cloudflare, it would show that DoT was in use.

Hope to hear from you soon!

Cheers,
Sam

When the main view becomes visible, and also when it switches between connected and disconnected, it has a tendency to scroll down. This seems to be because the first focusable element, usually the DNS server name, is offscreen.

Ideally, the main view should start scrolled to the top, and the scroll position mostly shouldn't change on these transitions.

Observed behavior:
If the default server isn't reachable during the initial setup flow, the OS can interpret intra as non-responsive. Users also can't cancel the connection and are not offered another choice.

Expected behavior:

1. Remain responsive, and allow users to cancel a connection and change the desired server.
2. Time-out more quickly with a detailed notification to suggest changing the server.

Steps to reproduce:

1. Start and enable intra
2. Restart phone
3. Open Intra before it reconnects

Expected behavior:
Intra continues to reconnect

Observed behavior:
Intra does not connect

I don't know Java much, and Android programming even less, so maybe I have overlooked something, but it seems that Intra doesn't implement any kind of certificate pinning, nor implements any ways to do ensure that the certificate chain includes required certificates.

This is important for security, as TLS alone encrypts the communications, but doesn't ensure that the client is actually talking to the right server.

Domain names switch hands (see dnscrypt.org that is now owned by some kind of advertising company) and IP addresses get reassigned (see the recent PowerDNS case, where a DNS record they forgot about eventually ended up pointing to a malicious IP).

To mitigate this, pinning should at least be implemented. Or the client configuration should include a set of hashes, at least one of them having to match the hash of a certificate in the chain.

User feature request: landscape support for tablets.

Intra seems to support TLS session resumption.

This mechanism can be used to link queries to devices. So that individual devices between NAT can be fingerprinted. More importantly, different IP addresses can be linked to the same device (in particular: VPN IP addresses can be associated to the real client IP).

This effectively reduces privacy over standard DNS, giving more information to DNS operators.

Intra should allow disabling TLS session resumption.

It would be great to add a config URL instead of setting the DoH Server.

Example:
I'm using different servers. I would like to define them by myself and instead of Google or Cloudflare I can choose my own pre defined DoH Server.
This config is i.e. a JSON file. At the very first start I need to type in my Config URL for Intra. Let's say it's http://www.myweb.com/intra

Intra will take the JSON file and bases of the content I can switch between my own DoH Servers instead of having only Google and Cloudflare.

Every other settings i.e. "Show recent queries" is also able to set within this file (true or false)

Can the app support Always on VPN and/or ability to turn on at startup?

This is a DNS service deployed in China.

https://neatdns.ustclug.org/resolve

It'll be very useful if user can manage black & white list of domains.

It can be used for ad-block function without rooting.

Thank you

The size of DNS queries and their responses are among the most important features that can be used to classify encrypted DNS traffic.

To mitigate this, implementing padding is essential. This is also mentioned in the security considerations of the current DoH draft.

HTTP/2 frames can include padding. This mechanism can be leveraged by DoH clients and servers.

The app shouldn't try to resolve internal subnets using an external DNS server. My local DNS server should pick those up.

Intra seems to interfere with Threema's WebRTC connection to Threema Web

possibly relevant: julian-klode/dns66#193

Proposal:
Allow users to have Intra automatically re-enable itself when another VPN provider disconnects

Considerations:

• Is this feasible?
• Would this be unexpected?
• How would users enable this functionality?
• How would users disable Intra in this state?

On older versions of Android, the visualization shows a version of this problem. It's purely cosmetic but still annoying.

i'm the founder and Inventor of keweon and with this DoH Server it's not working. keweonDNS is more than just an Adblocker and with the keweon Root Certificate it becomes an incredible security solution which is DNS based.

The current DoH Domain is:

https://secdns.keweon.center/keweonDNS

Yesterday it was working for a view hours but suddenly the App is not longer connecting.

Via Browser the Name request is still working. I'll keep the Server up if you are interested.

Reporting crashes from debug builds is unhelpful and confusing. We should disable it.

Settings takes a long time to open, presumably because of disk I/O while enumerating the list of installed applications (for the app exclusion option). This could probably be made asynchronous to avoid slowing down the UI.

Most of the queries are for the same hosts. Caching the result for sometime could provide significant increase in response time.

Clicking on the detail tiles should take the user to an explanation page. In the case of the server tile, the explanation page should also link to (or embed) the server selection dialog.