Leaking reverse DNS lookups to the WAN

When I navigate to the router’s IP at 192.168.x.x an rDNS lookup for 168.192.therootserver.arpa goes to my ISP DNS server.

This has been discovered how/where, e.g.

  • router logs?
  • packet dump on the router?
  • client logs?
  • packet dump on the client?

arpa. zone is part of the internet’s ecosystem https://www.iana.org/domains/arpa and the query is not actually leaking privacy data, or is it?

Unless the client or the router is configured to leverage the ISP’s DNS servers the ISP would not be aware of the query, that is if the ISP is not deploying DPI in the first place.

Some resolvers, and probably kresd does as well, support upstream zone transfers to the local instance, thereby mitigating such a “leak”.

I understand. That is Turris OS 4.x, right?

There was a mistake in our defaults where these special zones kept being forwarded to ISP servers (only – not with different forwarding or without forwarding). The mistake was fixed recently on 5.x and 3.x versions; 4.x won’t get any updates anymore. 5.x seems relatively close to stable release; for details see Turris OS 5.0.0 is released in HBT

I now tested for the leak on current 3.x and 5.x (each in the three possible upstream setups). The fix wasn’t focused on that aspect and the leak was more of a side effect.

tcpdump on the eth2 (WAN) interface of the router.

It definitely is making its way out to my ISP’s DNS server and I am getting a response back.

I’m on 5.0 and seeing this BTW. As mentioned elsewhere OPKG won’t update because of the no valid architectures issue.

No doubt, considering

and

Certainly rDNS queries for 192.168/16 should not be egressing to WAN.

I expect your Turris OS is too old 5.0 then, considering the behavior, in which case that’s what you want to address first (but I know almost nothing about the updater). This DNS fix came in knot-resolver 5.0.1-3 if I read it right; current one on HBT:

root@turris:~# opkg info knot-resolver | grep Version
Version: 5.1.1-1.0

The coincidence of Turris OS and Knot Resolver versions is a bit confusing ATM.
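
Added example, not part of any post in this thread and not Turris or Knot Resolver code: a check that reads `tcpdump -n -i eth2 port 53` text output from the WAN interface and flags reverse-DNS queries that fall inside private address space. It goes beyond the 192.168/16 case discussed above by covering all three RFC 1918 ranges; the function names and the sample capture lines are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 private ranges; reverse queries for these should never leave via the WAN.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Query part of tcpdump's DNS decoding, e.g. "4660+ PTR? 1.1.168.192.in-addr.arpa. (42)".
# Any query type is matched so SOA/NS queries for the reverse zone are caught as well.
DNS_QUERY = re.compile(r"\b[A-Z0-9]+\? (\S+?)\.? \(\d+\)")

def reverse_name_to_network(qname):
    """Map an in-addr.arpa name (full address or zone cut) to an IPv4 network, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:-2][::-1]  # reverse names list the least significant octet first
    if len(octets) > 4 or not all(
            o.isascii() and o.isdigit() and int(o) <= 255 for o in octets):
        return None
    addr = ".".join([str(int(o)) for o in octets] + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{8 * len(octets)}")

def leaked_private_reverse_queries(tcpdump_lines):
    """Return (qname, network) for every query whose reverse name lies in a private range."""
    hits = []
    for line in tcpdump_lines:
        m = DNS_QUERY.search(line)
        if not m:
            continue
        net = reverse_name_to_network(m.group(1))
        if net is not None and any(net.subnet_of(p) for p in PRIVATE_NETS):
            hits.append((m.group(1), str(net)))
    return hits

# Constructed sample capture lines (documentation addresses, not from the thread).
SAMPLE = [
    "12:00:01.000001 IP 203.0.113.7.41234 > 198.51.100.53.53: 4660+ PTR? 1.1.168.192.in-addr.arpa. (42)",
    "12:00:01.000002 IP 203.0.113.7.41235 > 198.51.100.53.53: 4661+ PTR? 8.8.8.8.in-addr.arpa. (38)",
    "12:00:01.000003 IP 203.0.113.7.41236 > 198.51.100.53.53: 4662+ SOA? 168.192.in-addr.arpa. (38)",
    "12:00:01.000004 IP 203.0.113.7.41237 > 198.51.100.53.53: 4663+ A? example.com. (29)",
    "12:00:01.000005 IP 198.51.100.53.53 > 203.0.113.7.41234: 4660 NXDomain 0/1/0 (99)",
]

if __name__ == "__main__":
    for qname, net in leaked_private_reverse_queries(SAMPLE):
        print(f"private reverse query on WAN: {qname} -> {net}")
```

An empty result on a capture taken while browsing to the router's LAN address indicates the special zones are being answered locally.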