Circumvent censorship: allow DNS overrides #45

Open
opened 3 months ago by ncc1988 · 2 comments
ncc1988 commented 3 months ago
Owner

Dissident websites or websites that encourage the de-commercialisation of art in a very practical way are likely to be subject to censorship attempts on the DNS level. MoeNavigatorEngine should therefore provide functionality to override DNS queries to circumvent DNS-level censorship.

DNS overrides shall be made possible by passing resolve lists to the engine. Those lists contain domains and the IP addresses they shall be resolved to. If an attempt to access one of the domains on the resolve list is made, the engine will not make a DNS request and instead try to reach the IP address that is mapped to the domain on the resolve list.

For HTTPS requests, TLS certificate validation in the NetworkHandler_GnuTLS component must be modified since, from GnuTLS's point of view, it looks like the request is made to an IP address, resulting in a "bad certificate" error. In that case, the domain name of the certificate must be compared to the domain name from the resolve list and it must be accepted if the domain names match.

ncc1988 added the TODO label 3 months ago
Poster
Owner

This is the part that has to be implemented on the engine level since it goes deep into the network functionality.

Poster
Owner

Implementation plan:

  • Add the following methods to the NetworkHandler interface:
    • addDnsOverride(std::string domain, std::string ip): Add one DNS override for one domain.
    • addDnsOverrides(std::map<std::string, std::string> overrides): Add multiple DNS overrides.
    • setDnsOverrides(std::map<std::string, std::string> overrides): Set all DNS overrides, removing the ones previously set.
    • getDnsOverrides: Return all set DNS overrides as std::map<std::string, std::string>.
    • clearDnsOverrides: Remove all set DNS overrides.
      These methods may also be implemented directly in NetworkHandler.
  • Implement code to handle network overrides
    • in NetworkHandler_POSIX
    • in NetworkHandler_GnuTLS (which also has to alter the certificate check to work with requests to IP addresses)
  • Add the following methods to MoeNavigatorEngine:
    • addDnsOverride (same as above)
    • addDnsOverrides (same as above)
    • setDnsOverrides (same as above)
    • getDnsOverrides (same as above)
    • clearDnsOverrides (same as above)
      Those methods essentially pass the overrides through to the network handlers. Since one engine instance can have multiple network handlers, the overrides need to be passed to each of them.
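
One way the override table from the plan above could look, as an added example that is not MoeNavigatorEngine's code: `DnsOverrideTable`, `ConnectTarget` and `resolveTarget` are hypothetical names, and the addresses are constructed sample values. A lookup returns the IP to connect to together with the requested domain, so a TLS handler can keep handing the domain, not the IP, to the library's SNI and hostname check (in GnuTLS, `gnutls_server_name_set` and `gnutls_session_set_verify_cert`).

```cpp
#include <arpa/inet.h>  // inet_pton (POSIX)
#include <cctype>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>
struct ConnectTarget {  // hypothetical: what a network handler needs per request
    std::string connect_host;  // override IP, or the name to resolve via DNS
    std::string verify_name;   // always the requested domain: SNI and cert check
    bool overridden;
};

class DnsOverrideTable {  // hypothetical class; method names follow the plan
    std::map<std::string, std::string> overrides_;
    static std::string normalize(std::string d) {  // case-insensitive, no root dot
        for (char& c : d) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
        if (!d.empty() && d.back() == '.') d.pop_back();
        return d;
    }
    static bool isIpLiteral(const std::string& s) {
        unsigned char buf[16];  // large enough for an IPv6 address
        return inet_pton(AF_INET, s.c_str(), buf) == 1 || inet_pton(AF_INET6, s.c_str(), buf) == 1;
    }
public:
    void addDnsOverride(std::string domain, std::string ip) {
        domain = normalize(domain);
        if (domain.empty() || isIpLiteral(domain) || !isIpLiteral(ip))
            throw std::invalid_argument("bad DNS override: " + domain + " -> " + ip);
        overrides_[domain] = ip;
    }
    void setDnsOverrides(const std::map<std::string, std::string>& all) {
        DnsOverrideTable fresh;  // validate everything before replacing the old set
        for (const auto& kv : all) fresh.addDnsOverride(kv.first, kv.second);
        overrides_.swap(fresh.overrides_);
    }
    std::map<std::string, std::string> getDnsOverrides() const { return overrides_; }
    void clearDnsOverrides() { overrides_.clear(); }
    ConnectTarget resolveTarget(const std::string& requested) const {
        const std::string name = normalize(requested);
        const auto it = overrides_.find(name);
        if (it == overrides_.end()) return {name, name, false};  // normal DNS path
        return {it->second, name, true};  // connect to IP, verify against the domain
    }
};
int main() {
    DnsOverrideTable t;
    t.addDnsOverride("Example.org.", "203.0.113.7");  // constructed sample values
    std::cout << t.resolveTarget("EXAMPLE.org").connect_host << "\n";
}
```

Because `verify_name` never becomes the IP, an entry in the resolve list changes only where the connection goes; chain validation and the hostname match still run against the domain the user asked for.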