I'm pleased to see that 2.17 adds the ability to tunnel DNS requests through the currently-selected proxy, but I'm seeing some behavior that leads me to think there may be a bug.
To set this up, I've got a proxy running on a remote host, and an SSH tunnel set up to tunnel the proxy traffic through SSH. What I'm expecting is to be able to select this proxy for all URLs in Foxyproxy, and as long as the "Perform remote DNS lookups on hostnames loading through this proxy" option is enabled, I would expect all DNS requests in the browser to go through the SSH tunnel, through to my proxy on the other end.
However, running tcpdump locally, I still see some (but not all) DNS requests going through in the clear.
It *looks* to me like what is happening is that the first request for the HTML page seems to be tunneled through the currently-selected proxy, but requests for elements of the page (images, frames, javascript files, etc.) seem to go through the normal DNS server for my machine. I've tried verifying this by pulling down a simple page with no images/embedded content, and the DNS request seems to go through to my proxy. But if I pull down a larger page with a bunch of images, etc. then the site I pull down shows up as a local DNS request to my normal DNS server.
Is this something that can be reproduced and fixed in the future? I realize this is a new feature so I expected it to not be perfect the first time. I'm happy to help test any forthcoming fixes.
Thanks.
There is a bug currently. Please use the search tool first.
I did search, and didn't see this bug. What I saw were references to the "Use this proxy for all DNS lookups" global setting which is a different feature.
Where's the thread for this bug, which has to do with the new per-proxy setting in 2.17?
Well, all DNS leakage bugs were supposed to have been fixed in 2.17. If you still see a bug, I need to reproduce it to fix it. I will try your instructions and post later.
Eric
I cannot confirm this bug. I have successfully tunneled all DNS requests in 2.17.
I documented the DNS leaking bug in 2.14 here: http://bradconte.com/foxyproxy-firefox-dns-leaking.php. I haven't repeated those results. It looks fine to me, so far.
Gah! Figured it out!
I definitely was seeing a DNS leak, but it turns out it was coming from another extension -- FlagFox. For whatever reason, that extension's DNS lookups aren't going through FoxyProxy at all, and since it looks up each server to do IP geolocation, it was exposing the server names for each URL I visited.
I've disabled FlagFox and I'm no longer seeing any such leaks, so it looks like this one is totally my fault for not disabling the other extensions first.
Some of my other extensions that make DNS requests in the background (Weave Sync and Read it Later are two that I've noticed so far) seem to also leak their DNS requests. Their requests aren't for DNS records related to the site I'm browsing, so the leaks are more innocuous. Weave leaks the server where my Weave data is stored, and Read it Later just leaks a request for readitlaterlist.com, which is no big deal.
In other words, the only leaks I'm seeing are requests coming from other extensions, not my browsing. I'm not sure if that's something FoxyProxy can fix or not, but if not, the workaround is easy enough.
Thanks for double-checking my bug report, Brad, and sorry about the erroneous report, Eric.
Glad you discovered the source of the problem.
I wish I knew more about how DNS resolution in Firefox works. However it works, FoxyProxy obviously isn't making its changes on a low-enough or global-enough level to affect (any?) other addons. I don't know if FoxyProxy isn't using the provided lower-level DNS hooks or if there simply are no lower-level DNS hooks.
Regardless, it would be nice if there were a way to force all DNS requests from the Firefox process to go through a specific tunnel, regardless of the addons installed. But regardless, at least the big DNS tunnelling issue seems resolved.
Brad, perhaps you could update your blog post (ideally at the top of the post :)) to report that the problem is fixed with FoxyProxy 2.17? I would appreciate it.
Tony, are the URLs (not DNS requests) that these addons load going through the correct proxy server based on your FoxyProxy rules? They should be. If they're not, please let me know which ones.
Thanks,
Eric
Post edited
As far as I can tell, the problem is fixed. I've added a note to my article.
Thanks for the fix, devs.
Not using rules
For all of these tests (and, in fact, 99% of my use of FoxyProxy) I have it configured to load *all* URLs through a single proxy -- not using patterns mode at all.
Then I am very surprised about the leaks. If the URLs used by FlagFox and others are routed through FoxyProxy (you can confirm this by turning on FoxyProxy logging and watching if FlagFox's URLs appear there), and you've checked the "perform remote DNS lookups..." checkbox within FoxyProxy, then there shouldn't be any DNS leakage.
Can you confirm all of the above?
Thanks,
Eric
I think this one is all on FlagFox.
1. Yes, "Perform remote DNS lookups" is/was checked.
2. My hunch is that FlagFox is actually doing a local DNS lookup of its own but *not* initiating an HTTP request.
To test #2, I set FoxyProxy to proxy all URLs, then listened for local DNS lookups. When starting Firefox, I see URLs for background stuff like Weave Sync, Read it Later, etc. in the FoxyProxy log. This time around, I'm not seeing any DNS lookups for readitlaterlist.com or the Weave Sync server; maybe that's because those are cached, or maybe I screwed up my tests yesterday. But I can confirm that, with FlagFox enabled, each server I hit results in a local DNS request that doesn't seem to be related to any web request -- in other words, FlagFox is just looking up a host to do geolocation, not actually invoking a URL.
I wouldn't imagine that FoxyProxy would get involved in DNS requests from extensions that aren't related to HTTP requests, would it? There is some reference to DNS leakage about halfway down this page. The developer mentions network.proxy.socks_remote_dns, which I have set to "true", but still, I see the leakage.
I think maybe it's time for me to take this issue up with the FlagFox developer instead -- FoxyProxy can't really intercept another extension's DNS requests, and I don't know that it should if it could.
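As an added example (not part of this thread or of FoxyProxy), here is a small Python check that automates the test Tony describes above: parse `tcpdump -n` output for DNS queries leaving the machine while all URLs are proxied, and report every hostname resolved locally other than the tunnel endpoint, which should be the only name a fully tunnelled browser ever needs to resolve on its own. The capture lines and the proxy hostname `proxy.example.net` are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -l udp port 53` output in the format tcpdump
# prints for DNS traffic (timestamp, src.port > dst.port, id, flags, type, name).
# Not a real capture.
SAMPLE_CAPTURE = """\
09:12:01.104512 IP 192.168.1.10.51234 > 192.168.1.1.53: 40211+ A? proxy.example.net. (35)
09:12:01.110873 IP 192.168.1.1.53 > 192.168.1.10.51234: 40211 1/0/0 A 203.0.113.7 (51)
09:12:05.220004 IP 192.168.1.10.51235 > 192.168.1.1.53: 40212+ A? www.example.org. (33)
09:12:05.220404 IP 192.168.1.10.51236 > 192.168.1.1.53: 40213+ AAAA? www.example.org. (33)
09:12:06.001230 IP 192.168.1.10.51237 > 192.168.1.1.53: 40214+ A? readitlaterlist.com. (37)
09:12:07.330011 IP 192.168.1.10.51238 > 192.168.1.1.53: 40215+ A? proxy.example.net. (35)
"""

# The only name the browser legitimately has to resolve locally: the proxy / SSH
# endpoint itself. Constructed name; substitute the real tunnel endpoint.
EXPECTED_LOCAL = {"proxy.example.net"}

# A query line has the recursion-desired "+" after the query id, an optional
# "[...]" flag block (EDNS etc.), then "TYPE?" and the queried name. Answer lines
# lack the "+" and so do not match.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): \d+\+ (?:\[[^\]]*\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+?)\.? \("
)

def parse_queries(capture):
    """Yield (timestamp, qtype, lowercase name) for each DNS query line."""
    for line in capture.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("qtype"), m.group("name").lower()

def find_leaks(capture, expected_local=EXPECTED_LOCAL):
    """Count qnames resolved locally that are not on the expected list.

    Every entry is a DNS leak: a hostname the browser (or another extension,
    as with FlagFox above) resolved outside the proxy tunnel."""
    leaks = Counter()
    for _ts, _qtype, name in parse_queries(capture):
        if name not in expected_local:
            leaks[name] += 1
    return leaks

if __name__ == "__main__":
    for name, count in sorted(find_leaks(SAMPLE_CAPTURE).items()):
        print(f"LEAK: {name} resolved locally {count} time(s)")
```

Feed it the live tcpdump output while browsing with every URL proxied and remote DNS enabled; anything it reports is coming from outside the proxied HTTP path and can be narrowed down by disabling extensions one at a time.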
I opened this bug with Dave Garrett, Flagfox developer.
I wouldn't imagine that FoxyProxy would get involved in DNS requests from extensions that aren't related to HTTP requests, would it?
Correct.