I understand that, by default, Firefox will leak DNS requests unless you check the "Use SOCKS proxy for DNS lookups" setting in FoxyProxy. Setting this globally is problematic for me, because my SOCKS proxy isn't always reachable. What I'd like is for the default proxy setting to do normal DNS requests, but tunnel DNS through SOCKS when I have a certain proxy chosen with FoxyProxy. Is this something that can be added in a future release, and if not, is there any workaround?
The new behaviour in 2.16.1 breaks things for me
The new behaviour in 2.16.1 breaks things for me. I have been using FoxyProxy to 'split tunnel' across networks.
By using FoxyProxy (2.15 and older) I have been able to simultaneously access my network at home, my parents' network, and my employer's network, all by choosing the right patterns. Since my home network and work network have working internal DNS, this lets me do things like go to http://twiki.myemployer.example/ and http://eris.myhome.example/bwmon.cgi
All DNS requests then would go through the appropriate proxy.
2.16.1 appears to break this for me. I need the old behaviour back. For now, I've downgraded to 2.15.
Hi, DNS lookups in FoxyProxy
Hi,
DNS lookups in FoxyProxy 2.15 do not go through SOCKS proxies even if that is what you choose on FoxyProxy's Global Settings tab. Test it yourself to see.
If you want the old behavior back, just uncheck "Use this proxy for all DNS lookups" in the Proxy Settings tab of all of your proxies defined in FoxyProxy.
Then kindly please explain why
If I use 2.15, I can access http://twiki.myemployer.example/. This site is _not_ resolvable outside of the network. But it works anyway. Thus, either Firefox is not requesting the IP but the hostname to connect to, or it is doing the DNS request through the proxy. I don't much care which. But it does in fact work.
The funny thing is, 2.16.1 worked until I added a second URL pattern, and then it broke and wouldn't come back even if I removed the pattern.
I just had a report from a
I just had a report from a contractor (for my employer) who was using FoxyProxy to, again, access the company TWiki. It has stopped working for him since he upgraded to 2.16.1. But it did work before.
Quote: I can access
I can access http://twiki.myemployer.example/. This site is _not_ resolvable outside of the network. But it works anyway. Thus, either Firefox is not requesting the IP but the hostname to connect to, or it is doing the DNS request through the proxy. I don't much care which.
I don't know why this is confusing you. It's not confusing me. Your network has its own DNS server. Your PC is using that DNS server to resolve twiki.myemployer.example.
Once again, uncheck "Use this proxy for all DNS lookups" in the Proxy Settings tab of all of your proxies defined in FoxyProxy. If you've done that and it still isn't resolving, I want to know.
Thanks,
Eric
I don't know why this is confusing YOU
I will re-explain what I am doing
I have a laptop. A, personally owned by me, laptop. It is signed onto the Corp-Guest network. This is connected to a separate internet connection from the rest of the company. My laptop has multiple SSH tunnels with SOCKS proxies (f.e. ssh -xD1082 hostname).
So, I have a tunnel into my employer's network. I have a tunnel into my home network. I am able to access my corporate network through the SSH/SOCKS tunnel. I have set up patterns so that http*://*.myemployer.example*/* gets directed through to my employer's network.
I do not have the 'use this proxy for all DNS lookups' checked. I did have the old Global Setting 'use SOCKS proxy for DNS lookups' under 2.15; that is gone under 2.16.
I was having what I believe
I was having what I believe to be the same problem. I found http://bradconte.com/foxyproxy-firefox-dns-leaking.php, which suggested setting network.proxy.type = 1.
More details on what that setting does here: http://kb.mozillazine.org/Network.proxy.type
Unfortunately, FoxyProxy resets this value back to 0 every time I manually switch proxies. I believe that this value should be set to 1 at all times.
So does it matter if you
So does it matter if you check the box "Use this proxy for all DNS lookups"? See this screenshot: http://foxyproxy.mozdev.org/images/screenshots/2.17/proxy-settings.png
Split DNS is needed
Hi Eric,
What several people (including me!) need is for each SOCKS5 proxy to handle its own DNS, because in many cases a hostname will only be understood on the far side of the particular proxy tunnel which matches that URL. This is similar to "split horizon" DNS, but managed within the browser - and it worked flawlessly up to FoxyProxy version 2.15.
That's very different from saying that one particular proxy should be responsible for *all* DNS lookups in Firefox, which is what 2.16 now seems to assume if that new box is ticked.
What seemed to happen (from the user's perspective) prior to 2.16 was:
1) Compare the URL with the configured proxies, and decide which proxy to use.
2) If it's a SOCKS5 proxy, and the global "use SOCKS for DNS" flag is set, then don't attempt any local DNS lookup (or, if FF does one anyway, throw away the result), and pass the hostname through to the SOCKS server to be looked up at the far side.
3) Otherwise, if it's a SOCKS4 proxy (or a SOCKS5 one without the "use SOCKS for DNS" flag set), look up the hostname locally and pass the IP address through to the SOCKS server.
4) Otherwise (direct connection, or HTTP proxy), do whatever Firefox normally does.
What 2.16 now seems to do is:
1) If any SOCKS5 proxy has the "use this proxy for DNS" option set, then unconditionally look up the hostname using that server.
2) If the lookup fails, bomb out, even if the proxy which matches the URL might have worked anyway with the unresolved hostname.
3) Only then decide which proxy to use.
I do like the idea of making the "use this proxy for DNS" a per-proxy setting, but it's crucial that this decision only happens *after* the correct proxy has been chosen, on a per-URL basis.
If there were in fact some local lookups happening with SOCKS5 proxies (as reported by a number of users), that is of course an issue if information leakage is a concern. However, for many common use-cases of FoxyProxy, leakage is not the primary concern - it's the ability to have separate DNS per proxy. Hopefully we can have both separate DNS *and* no leakage!
As an aside, HTTP proxies shouldn't need a local lookup either, because they work directly with the hostname. The only kinds of connection which require an IP address for the web server are "direct" and SOCKS4 (or SOCKS5 with "remote DNS" not selected), so ideally those would be the only circumstances where a local lookup is attempted.
Is there perhaps a combination of global options which FoxyProxy can set, to cause Firefox not to attempt any DNS lookups itself at all? Perhaps by telling FF that all URLs use a SOCKS5 proxy (even if they don't)? Then, in the specific cases where an IP address is required, FoxyProxy can do the local lookup, but only *after* it's decided what kind of proxy is needed for that particular URL and hence whether a lookup is needed.
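The two decision orders described in the post above (pick the proxy first, then decide per proxy where the name is resolved, versus resolve every name through one "DNS proxy" before matching) can be modelled in a few lines. The following is an added example written for this thread; it is not FoxyProxy code and does not reproduce its internals. Its name tables, the proxy names "employer" and "home", the sample addresses, and the use of shell-style wildcard matching (fnmatch) to approximate FoxyProxy URL patterns are all constructed assumptions.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit


@dataclass
class Proxy:
    name: str
    kind: str                                          # "direct", "http", "socks4" or "socks5"
    patterns: List[str] = field(default_factory=list)  # wildcard patterns matched against the full URL
    remote_dns: bool = False                           # per-proxy "use this proxy for DNS lookups"


# Constructed name tables (not real infrastructure): names each proxy's far side
# can resolve, and names the laptop's own resolver can resolve.
FAR_SIDE_DNS: Dict[str, Dict[str, str]] = {
    "employer": {"twiki.myemployer.example": "10.1.0.5"},
    "home": {"eris.myhome.example": "192.168.1.20"},
}
LOCAL_DNS: Dict[str, str] = {"www.example.com": "203.0.113.10"}

# Constructed configuration: two SSH/SOCKS5 tunnels plus a direct default.
PROXIES = [
    Proxy("employer", "socks5", ["http*://*.myemployer.example*/*"], remote_dns=True),
    Proxy("home", "socks5", ["http*://*.myhome.example*/*"], remote_dns=True),
]
DEFAULT = Proxy("direct", "direct")


def choose_proxy(url: str) -> Proxy:
    """Step 1: the first proxy whose pattern matches the URL, else the default."""
    for proxy in PROXIES:
        if any(fnmatch.fnmatchcase(url, pat) for pat in proxy.patterns):
            return proxy
    return DEFAULT


def dns_policy(proxy: Proxy) -> str:
    """Steps 2-4: where the hostname gets resolved once the proxy is known.

    remote -> SOCKS5 with remote DNS: hand the hostname to the proxy, no local lookup
    none   -> HTTP proxy: the hostname travels in the request, no address needed
    local  -> direct, SOCKS4, or SOCKS5 without remote DNS: an IP is needed here
    """
    if proxy.kind == "socks5" and proxy.remote_dns:
        return "remote"
    if proxy.kind == "http":
        return "none"
    return "local"


def split_dns_connect(url: str) -> dict:
    """Pre-2.16 order as described in the post: choose the proxy first, then let
    that proxy's policy decide which resolver (if any) sees the name."""
    host = urlsplit(url).hostname
    proxy = choose_proxy(url)
    policy = dns_policy(proxy)
    if policy == "remote":
        addr = FAR_SIDE_DNS.get(proxy.name, {}).get(host)
    elif policy == "local":
        addr = LOCAL_DNS.get(host)
    else:
        addr = None
    ok = policy == "none" or addr is not None
    return {"host": host, "proxy": proxy.name, "dns": policy, "addr": addr, "ok": ok}


def global_dns_connect(url: str) -> dict:
    """2.16 order as described in the post: the first SOCKS5 proxy with remote DNS
    resolves every name before any proxy is matched; a miss aborts the request."""
    host = urlsplit(url).hostname
    resolver = next((p for p in PROXIES if p.kind == "socks5" and p.remote_dns), None)
    if resolver is None:
        addr, where = LOCAL_DNS.get(host), "local"
    else:
        addr, where = FAR_SIDE_DNS.get(resolver.name, {}).get(host), resolver.name
    if addr is None:
        return {"host": host, "proxy": None, "dns": where, "addr": None, "ok": False}
    proxy = choose_proxy(url)
    return {"host": host, "proxy": proxy.name, "dns": where, "addr": addr, "ok": True}


if __name__ == "__main__":
    for u in ("http://twiki.myemployer.example/",
              "http://eris.myhome.example/bwmon.cgi",
              "http://www.example.com/"):
        print("split :", split_dns_connect(u))
        print("global:", global_dns_connect(u))
```

Run as-is, the home URL succeeds under the split order (its own tunnel resolves eris.myhome.example) and fails under the global order, because the employer tunnel's resolver has never heard of it; that is the split-horizon case the post is asking for, with no local lookup performed for either SOCKS5 proxy.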
Jesus, this is incredibly
Jesus, this is incredibly complicated... for more reasons than you can possibly realize. If you can help me one-on-one via email with beta testing, please contact me directly at eric dot jung at yahoo dot com.
thanks,
eric
YES YES YES! This is
YES YES YES!
This is EXACTLY what is needed.
Socks 5 proxies were always working before, because they ALWAYS did remote DNS lookups. With the new setting they are broken in such a way that split DNS is basically impossible.
Note: I would be willing to beta [or alpha!] test any solution you come up with...
Spidey!!!
D'oh -- just realized that
D'oh -- just realized that 2.17 is out, and it seems to resolve this...
Yes, 2.17 should resolve all
Yes, 2.17 should resolve all remote DNS over SOCKS issues. Please let me know if you find a problem.
thanks,
eric
Success, so far.
I've only tested this on one computer so far (PowerMac G5 running OSX Leopard), but it seems to work there.
I haven't tried this yet, as
I haven't tried this yet, as it would seem to defeat the purpose of being able to split tunnel across _three_ networks (HomeNet, Internet, and EmployerNet).
Thank you Thank You Thank
Thank you Thank You Thank You Thank You.
This is precisely what it has been doing (SOCKS5 supports this, SOCKS4 doesn't. I don't remember if SOCKS4a does). I've written some code to use SOCKS proxies (specifically intended for proxy testing).
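The protocol detail behind the last comment is visible in the CONNECT request itself: SOCKS4 only has room for a 4-byte IPv4 address, so the client must resolve the name before sending anything, while SOCKS4a (via the 0.0.0.x address marker) and SOCKS5 (via address type 0x03) can carry the hostname unresolved for the proxy to look up on the far side. The encoders and the classifier below are an added example for this thread, written from RFC 1928 and the SOCKS4/4a specifications; they are not the poster's proxy-testing code and not FoxyProxy's. The sample hosts and addresses are constructed. Checking which form a captured request takes is a direct way to confirm that a SOCKS5 proxy is really doing remote DNS rather than leaking a local lookup.

```python
import ipaddress
import struct
from typing import Tuple


def socks4_connect(addr: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4 CONNECT: VN=4, CD=1, port, 4-byte IPv4, userid, NUL.
    Only an IPv4 address fits, so the client must have resolved the name locally."""
    ip = ipaddress.IPv4Address(addr)  # raises ValueError if given a hostname
    return struct.pack("!BBH", 4, 1, port) + ip.packed + userid + b"\x00"


def socks4a_connect(host: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4a CONNECT: the address 0.0.0.1 (any 0.0.0.x with x != 0) tells the proxy
    that a NUL-terminated hostname follows the userid, so the proxy resolves it."""
    name = host.encode("idna")
    return (struct.pack("!BBH", 4, 1, port) + b"\x00\x00\x00\x01"
            + userid + b"\x00" + name + b"\x00")


def socks5_connect(dest: str, port: int) -> bytes:
    """SOCKS5 CONNECT (RFC 1928): VER=5, CMD=1, RSV=0, ATYP, DST.ADDR, DST.PORT.
    ATYP 0x03 carries the unresolved hostname (remote DNS); 0x01/0x04 carry an
    address the client already resolved (a local lookup happened)."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        name = dest.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname length must fit in one byte")
        body = b"\x03" + bytes([len(name)]) + name
    else:
        body = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    return b"\x05\x01\x00" + body + struct.pack("!H", port)


def destination_in_request(req: bytes) -> Tuple[str, str]:
    """Classify a captured CONNECT request: ("hostname", name) means the proxy will
    resolve the name; ("ip", addr) means the client resolved it locally first."""
    if req[0] == 4:
        ip = ipaddress.IPv4Address(req[4:8])
        _userid, _, tail = req[8:].partition(b"\x00")
        if ip.packed[:3] == b"\x00\x00\x00" and ip.packed[3] != 0:
            name, _, _ = tail.partition(b"\x00")         # SOCKS4a hostname form
            return ("hostname", name.decode("idna"))
        return ("ip", str(ip))
    if req[0] == 5:
        atyp = req[3]
        if atyp == 0x01:
            return ("ip", str(ipaddress.IPv4Address(req[4:8])))
        if atyp == 0x04:
            return ("ip", str(ipaddress.IPv6Address(req[4:20])))
        if atyp == 0x03:
            n = req[4]
            return ("hostname", req[5:5 + n].decode("idna"))
    raise ValueError("not a SOCKS4/4a/5 CONNECT request")


if __name__ == "__main__":
    for req in (socks4_connect("10.1.0.5", 80),
                socks4a_connect("twiki.myemployer.example", 80),
                socks5_connect("twiki.myemployer.example", 80),
                socks5_connect("10.1.0.5", 443)):
        print(req.hex(), "->", destination_in_request(req))
```

The classifier is the useful half for a defender: run it over the first bytes of each client-to-proxy connection captured on the tunnel's local port and any ("ip", ...) result for a SOCKS5 proxy configured for remote DNS means a local resolution took place before the request was sent.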