DNS leak prevention

2025-11-03 22:27:24 +01:00
parent 83c3a4400b
commit fa3cd23ec5
2 changed files with 64 additions and 0 deletions


@@ -0,0 +1,52 @@
#!/bin/bash
# /etc/NetworkManager/dispatcher.d/90-nft-wg
# Automatically toggle DNS leak protection for wireguard
INTERFACE="$1"
ACTION="$2"
NFT_BIN="$(command -v nft || true)"
FAMILY="inet"
TABLE="filter"
CHAIN="output"
log() { logger -t nft-wg "$*"; }
add_dns_protection() {
$NFT_BIN add rule inet filter output udp dport 53 oifname "!= \"$INTERFACE\"" drop\; 2>/tmp/nft-wg-add.err
if [ $? -ne 0 ]; then
log "failed to add udp rule for $INTERFACE: $(cat /tmp/nft-wg-add.err)"
exit 1
fi
$NFT_BIN add rule inet filter output tcp dport 53 oifname "!= \"$INTERFACE\"" drop\; 2>/tmp/nft-wg-add.err
if [ $? -ne 0 ]; then
log "failed to add tcp rule for $INTERFACE: $(cat /tmp/nft-wg-add.err)"
exit 1
fi
rm -f /tmp/nft-wg-add.err
log "Added DNS leak protection for $INTERFACE"
}
remove_dns_protection() {
$NFT_BIN --handle --numeric list chain inet filter output \
| awk -v iface="$INTERFACE" '$0 ~ iface && /drop/ {print $NF}' \
| xargs -r -I {} sudo $NFT_BIN delete rule inet filter output handle {}
log "Removed DNS leak protection for $INTERFACE"
}
# Only run for WireGuard interfaces (start with "wg-")
if [[ "$INTERFACE" == wg-* ]]; then
case "$ACTION" in
up)
add_dns_protection
;;
down)
remove_dns_protection
;;
esac
fi
exit 0
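Review bot: add_dns_protection redirects nft's stderr to the fixed path /tmp/nft-wg-add.err on both the udp and the tcp `add rule` calls, and NetworkManager dispatcher scripts run as root, so whatever already sits at that name in the world-writable /tmp is opened and overwritten before the script ever checks `$?`; capturing stderr in the shell (`err=$("$NFT_BIN" add rule ... 2>&1) || { log "...: $err"; exit 1; }`) removes the temp file and the `rm -f` with it. The `|| true` on the `command -v nft` line means a missing nft leaves NFT_BIN empty, so the rule lines run the bare word `add` as a command, while remove_dns_protection logs "Removed DNS leak protection" unconditionally because the `list | awk | xargs` pipeline's status is never checked and the `sudo` in front of the delete is unnecessary (and a silent failure point) for a script that is already root. The awk filter also uses the interface name as a regex (`$0 ~ iface`) rather than a literal, so `index($0, iface) > 0` is the safer match for names containing metacharacters. The sketch below guards NFT_BIN up front, folds the two rule additions into a loop with in-shell error capture, and checks the removal pipeline before logging success.
```shell
# fail early instead of letting an empty $NFT_BIN turn "add" into the command name
[ -n "$NFT_BIN" ] || { log "nft binary not found; refusing to run"; exit 1; }

add_dns_protection() {
  local proto err
  for proto in udp tcp; do
    # capture nft's stderr in the shell instead of a fixed, world-writable /tmp path
    if ! err="$("$NFT_BIN" add rule inet filter output "$proto" dport 53 oifname "!= \"$INTERFACE\"" drop 2>&1)"; then
      log "failed to add $proto rule for $INTERFACE: $err"
      exit 1
    fi
  done
  log "Added DNS leak protection for $INTERFACE"
}

remove_dns_protection() {
  # dispatcher scripts already run as root: no sudo; check the pipeline instead of assuming success
  if "$NFT_BIN" --handle --numeric list chain inet filter output \
    | awk -v iface="$INTERFACE" 'index($0, iface) > 0 && /drop/ {print $NF}' \
    | xargs -r -I {} "$NFT_BIN" delete rule inet filter output handle {}; then
    log "Removed DNS leak protection for $INTERFACE"
  else
    log "failed to remove DNS leak protection for $INTERFACE"
  fi
}
# … unchanged: interface/action dispatch and final exit …
```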


@@ -31,3 +31,15 @@ move all the files in $1 subdirectories to $1.
script to backup firefox config directory and restore the latest backup script to backup firefox config directory and restore the latest backup
adapt the hostnames and paths to what you need, not made to be easily configured with environment variables. adapt the hostnames and paths to what you need, not made to be easily configured with environment variables.
**Careful**, firefox config folder includes all your profiles, including their cookies and localstorage (access tokens of your accounts can be there). **Careful**, firefox config folder includes all your profiles, including their cookies and localstorage (access tokens of your accounts can be there).
## NetworkManager
NetworkManager related scripts.
These scripts need to be moved in /etc/NetworkManager/dispatcher.d/ and must be executable
### 90-nft-wg-sh
Automatically toggle DNS leak protection for wireguard connections with nftables.
Adds tcp/udp rules to block outgoing traffic to dns port (53) if the outgoing interface isn't the wireguard connection.
It assumes wireguard connection names start with "wg-"
You can check for DNS leaks with [this website](https://www.dnsleaktest.com/)