[GH-ISSUE #2869] DNS leak? Process escapes sandbox to use host's DNS call? #1793

Open
opened 2026-05-05 08:27:58 -06:00 by gitea-mirror · 8 comments

Originally created by @garywill on GitHub (Jul 25, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2869

I used firejail in this way:

brctl addbr tmp0

Set tmp0 ip 192.168.88.1 and serve DHCP and DNS using dnsmasq on tmp0, and provide Internet to NATed tmp0 via iptables.

If dnsmasq receives DNS query, I'll see in the log.

firejail --noprofile --net=tmp0 --dns=192.168.88.1

In firejail shows the right DNS I specified:

$ cat /etc/resolv.conf
nameserver 192.168.88.1

Problem is, in firejail dig and nslookup use the DNS that my dnsmasq provides, but curl and firefox still use the host's DNS, as if they were not run in a sandbox. (In firejail, Internet is provided by iptables NAT, and I banned its access to the host's DNS.)

gitea-mirror added the
networking
question_old
security
labels 2026-05-05 08:27:58 -06:00

@garywill commented on GitHub (Jul 26, 2019):

I did strace and found ping and curl don't read /etc/resolv.conf.
host, dig and nslookup do.
I guess that's one of the reasons.
Still, the problem is sandbox escaped.


@rusty-snake commented on GitHub (Sep 10, 2019):

@garywill IDK how curl finds out where to look up, but I tried with --dns=0.0.0.0 to see if the custom DNS server is used or not. I found out that if you use --net the --dns is considered.


@garywill commented on GitHub (Oct 26, 2019):

It's because of nscd.
Need --blacklist=/var/run/nscd


@ghost commented on GitHub (Jan 20, 2020):

It's because of nscd.
Need --blacklist=/var/run/nscd

@garywill Can you do a PR on the profiles that need this please?


@rusty-snake commented on GitHub (Jan 20, 2020):

@garywill what shows grep ^hosts /etc/nsswitch.conf?


@garywill commented on GitHub (Jan 21, 2020):

@rusty-snake

$ grep ^hosts /etc/nsswitch.conf
hosts:  	files mdns_minimal [NOTFOUND=return] dns

@glitsj16
I don't know. I know hardly anything about firejail's profile mechanism. What profile will be accounted for when --net is used?


@ghost commented on GitHub (Jan 21, 2020):

$ grep ^hosts /etc/nsswitch.conf
hosts: files mdns_minimal [NOTFOUND=return] dns

When you change this to hosts: files mdns_minimal dns, do you observe any changes (for the better hopefully)?


@garywill commented on GitHub (Jan 22, 2020):

@glitsj16 Nope. Nothing different with edited nsswitch.conf

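The thread's diagnosis is that the leak goes through nscd rather than through /etc/resolv.conf: glibc's resolver (the path curl and Firefox take via getaddrinfo) asks a running nscd over its Unix socket before it consults any nsswitch module, and that daemon answers from the host's namespace, so a jail that can still see /var/run/nscd/socket sends lookups straight past the --dns setting. dig and nslookup are unaffected because they read resolv.conf and speak DNS themselves. The audit script below is an added example (not part of firejail or of the reporter's setup) that inspects a filesystem root for the three things discussed here: the nameservers in resolv.conf, the services on the nsswitch hosts: line, and whether an nscd socket is reachable. The socket paths /var/run/nscd/socket and /run/nscd/socket, the script name dns_audit.sh and the function names are assumptions; run it inside the jail with and without --blacklist=/var/run/nscd to confirm the fix took effect.

```shell
#!/bin/sh
# dns_audit.sh: added example, not firejail project code. Inspect a filesystem
# root for the name-resolution routes a glibc client such as curl can take.
# ROOT defaults to the current root; run it inside the jail, for example:
#   firejail --noprofile --net=tmp0 --dns=192.168.88.1 sh dns_audit.sh
# and again with --blacklist=/var/run/nscd to verify the socket is gone.

# Nameserver addresses listed in ROOT/etc/resolv.conf, space separated.
resolv_nameservers() {
    f="${1:-}/etc/resolv.conf"
    [ -r "$f" ] || { echo ""; return 0; }
    awk '$1 == "nameserver" { printf "%s%s", sep, $2; sep = " " } END { print "" }' "$f"
}

# Services on the 'hosts:' line of ROOT/etc/nsswitch.conf with action
# specifiers such as [NOTFOUND=return] stripped; glibc's default is "files dns".
nss_hosts_services() {
    f="${1:-}/etc/nsswitch.conf"
    line=""
    [ -r "$f" ] && line=$(grep '^hosts:' "$f" | head -n 1 | cut -d: -f2-)
    [ -n "$line" ] || line="files dns"
    printf '%s\n' "$line" | sed 's/\[[^]]*\]//g' | tr -s ' \t' '  ' \
        | sed 's/^ //; s/ $//'
}

# Exit 0 if an nscd socket path exists under ROOT (assumed standard paths).
# glibc asks nscd before any nsswitch module and the daemon resolves in the
# host's namespace, so a visible socket bypasses the jail's resolv.conf.
nscd_socket_present() {
    for p in /var/run/nscd/socket /run/nscd/socket; do
        [ -e "${1:-}$p" ] && return 0
    done
    return 1
}

# Print a summary; exit status 1 when a bypass route is found, 0 otherwise.
dns_audit() {
    root="${1:-}"
    leak=0
    echo "resolv.conf nameservers: $(resolv_nameservers "$root")"
    echo "nsswitch hosts services: $(nss_hosts_services "$root")"
    if nscd_socket_present "$root"; then
        echo "nscd socket: PRESENT (lookups bypass the jail; add --blacklist=/var/run/nscd)"
        leak=1
    else
        echo "nscd socket: absent"
    fi
    return $leak
}

# Audit the live root when run directly and print the verdict.
if dns_audit "${1:-}"; then
    echo "verdict: no bypass route found"
else
    echo "verdict: bypass route found"
fi
```

A service other than files or dns on the hosts: line (mdns_minimal here, or resolve on systemd-resolved systems) is handled by its own NSS module and may not read resolv.conf either, which is why the script prints that line alongside the nscd check rather than treating resolv.conf as the whole story.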