Chute Devs

Enhance Chute iOS to Fight Against DNS Cache Poisoning

Hello everyone.

We have received some feedback about Chute iOS application. Some users tell us Chute iOS could not proxy WhatsApp in their region, sometime the proxy works, but it is not stable.

After receiving this feedback, we release our debug version to some of the users and get the log when proxy not working. By checking the log, we found the problem. To explain this problem, we need to review some old technology first.

When we connect to the Internet and visit the website we want, we use the domain of the website with web browser. Web browser will automatically convert the domain to the IP and send the request IP packets to the server. In this process, web browser will ask the IP of the domain from the DNS server. In normal situation, DNS server will return the correct IP address of the server of website, so your IP packets goes to the right direction and you will get the correct IP packets as the response. However, there are some bad DNS server which will return the wrong IP of the domain. The wrong IP will navigate you to the wrong server (fake server or not a valid server at all), so you will not get the right response. We call this case DNS Cache Poisoning. You can learn more about DNS Cache Poisoning with this link.

In this case, when user open WhatsApp, the application will ask IP of domain g.whatsapp.net from system DNS server. If DNS Cache Poisoning happened, a wrong IP will be returned to the application, let’s say the returned IP is 999.999.999.999. Then WhatsApp will use the wrong IP 999.999.999.999 and do two HTTP request:

http://999.999.999.999:5222

http://999.999.999.999:443

So WhatsApp send its requests to the wrong IP and get not response.

To solve this problem, we have implemented a new DNS strategy. Before this new strategy, Chute iOS build-in DNS server will redirect DNS UDP request to multiple DNS server in the configuration file and return the first valid DNS response from the DNS servers. The new strategy will return a fake IP in 240.0.0.0/8. When application like WhatsApp does the HTTP request to the server like http://240.0.0.x:5222, Chute Tunnel will transform the fake IP back to the domain. So the DOMAIN Rule could be applied to the request. When the direction of the DOMAIN rule is proxy, Chute Tunnel will not resolve the DNS of domain locally but in the proxy server. With this new strategy, DNS Cache Poisoning could be avoided.

However, in some cases, if the application do not get the right IP from local DNS server, the network connection could not be established. So we provide always-real-ip configuration. You could config multiple domain which required real IP return from the local DNS server, the Chute DNS server will always return the IP from the upstream DNS servers.

We will launch our new DNS strategy in the next Chute iOS version. This Strategy will also be applied to Chute macOS when Enhanced Mode turned on.

In the end of this blog, we thank everyone who found this problem and give us feedback about this. Thank you for making Chute a better application.

If you have problem when using Chute iOS/macOS, please contact us by email.

Thanks.

Chute Devs