DNS leak problem? [OBSOLETE]

qiurou
Posts: 4
Joined: Fri Mar 15, 2013 12:30 pm

Post by qiurou » Fri Mar 15, 2013 1:59 pm

Hi, I have been using Flagfox for a while. Recently, a DNS leak problem has been annoying me....
I tried disabling all the extensions except Flagfox and FoxyProxy. I set an HTTP proxy in FoxyProxy and visited a site (which is blocked here) via the HTTP proxy, but the flag still shows...
I tried these steps, and used Wireshark to test DNS queries:

1. Disable FoxyProxy, enable Flagfox (disable any other extensions)
   a) set HTTP proxy in Firefox (and set using this proxy for all protocols): DNS leaks
   b) set HTTP proxy in IE (also set using this proxy for all protocols), use "system proxy" in Firefox: NO DNS leak
   That's too strange... why does setting the same proxy result in two different behaviors...

2. Disable Flagfox, enable FoxyProxy, set HTTP proxy in FoxyProxy (disable any other extensions)
   no DNS leak

3. Disable Flagfox, disable FoxyProxy and any other extensions, set HTTP proxy in Firefox
   no DNS leak

It seems it's related to Flagfox, am I right?

DaveG
Flagfox Developer
Posts: 723
Joined: Wed Oct 03, 2007 9:06 pm
Location: Philadelphia, USA

Re: DNS leak problem?

Post by DaveG » Fri Mar 15, 2013 4:00 pm

Flagfox makes a point to not leak DNS requests when the proxy settings of Firefox are properly set up to ask it to not do so. An HTTP proxy + local DNS is a valid setup and Flagfox will still be allowed DNS by Firefox in this instance. FoxyProxy has its own things and its configuration can also tell Firefox and thus Flagfox not to do DNS lookups. I'm no expert on the intricacies here, but I'm pretty sure an HTTP proxy needs local DNS to be enabled and a SOCKS proxy is what you want if you don't want local DNS requests. Here's a bit from the FoxyProxy FAQ:

    Can DNS lookups go through my proxies?
    Yes. Ensure the following:
    - The proxy in use must support SOCKS 4a or SOCKS 5.
    - Check "Use this proxy for all DNS lookups" on the Proxy Details Tab.
    - Do not use add-ons like Google Toolbar that interfere with remote DNS lookups.

My FAQ on the topic: Flagfox Proxy/DNS Issues
The Firefox pref to disable remote DNS for SOCKS: network.proxy.socks_remote_dns

If you need more help with FoxyProxy, please ask someone more knowledgeable than me in their forum.

I am fairly confident that I am (still) doing everything correctly in Flagfox with respect to this, and FoxyProxy's lead developer gave me a clean bill of health (including a Wireshark checkup) a few years back. The check I'm doing is still exactly the same, just through the newer async API instead of the now removed sync one. (if there was a difference between the two that would likely be a bug in the Mozilla internals, but I don't think that's the case)

qiurou
Posts: 4
Joined: Fri Mar 15, 2013 12:30 pm

Re: DNS leak problem?

Post by qiurou » Fri Mar 15, 2013 8:31 pm

I have asked about this problem in FoxyProxy's forum, and there are some screenshots in that topic:
http://forums.getfoxyproxy.org/viewtopic.php?f=4&t=846

After checking and checking again using Wireshark, I found it is more likely related to Flagfox.

As I mentioned above, in cases 2 & 3, I disabled Flagfox and the DNS leak stops.
On the other hand, in case 1, Flagfox is not disabled and DNS leaks... Maybe it's a Firefox bug? Why is using IE's proxy settings OK, but using Firefox's own settings goes wrong?

Thanks for your reply and for this pretty useful extension, much appreciated.

qiurou
Posts: 4
Joined: Fri Mar 15, 2013 12:30 pm

Re: DNS leak problem?

Post by qiurou » Fri Mar 15, 2013 8:41 pm

By the way, as far as I know, unlike SOCKS proxies, HTTP proxies always do DNS queries remotely? Am I right?

"Flagfox makes a point to not leak DNS requests when the proxy settings of Firefox are properly set up to ask it to not do so"

What is the proper HTTP proxy setting for Firefox to avoid local DNS requests?

DaveG
Flagfox Developer
Posts: 723
Joined: Wed Oct 03, 2007 9:06 pm
Location: Philadelphia, USA

Re: DNS leak problem?

Post by DaveG » Fri Mar 15, 2013 8:46 pm

qiurou wrote:
    by the way, as far as I know, unlike socks proxies, HTTP proxies always do DNS query remotely?

I thought it was the opposite. I think HTTP don't do remote DNS while SOCKS can.

It's only a leak if DNS lookups are currently configured to be disallowed. Near as I can tell, that's always going to be the case with only an HTTP proxy and not SOCKS, so it's not a "leak" so much as DNS simply isn't disabled through Firefox. If there is a case where you can run only on an HTTP proxy without DNS at all, please explain it to me. (I don't really know enough about the subject)

What I'm doing is merely having Flagfox check for the TRANSPARENT_PROXY_RESOLVES_HOST flag on the proxy info object returned by Firefox for the given URI. If Firefox has that set either through its settings or FoxyProxy's settings, then Flagfox takes note and doesn't do a lookup. If not, then it's allowed, and it proceeds as normal. Eric Jung said this was correct over on Bugzilla a few years ago. (Mozilla bug 541567) If there's more to do here I'll gladly look into it, but I'm fairly confident that this is the correct behavior.

qiurou
Posts: 4
Joined: Fri Mar 15, 2013 12:30 pm

Re: DNS leak problem?

Post by qiurou » Fri Mar 15, 2013 8:49 pm

And please do not talk about SOCKS proxies in this topic; SOCKS proxies run OK with Flagfox and FoxyProxy here, no DNS leak.

DaveG
Flagfox Developer
Posts: 723
Joined: Wed Oct 03, 2007 9:06 pm
Location: Philadelphia, USA

Re: DNS leak problem?

Post by DaveG » Fri Mar 15, 2013 9:07 pm

I'm confused, so I'm asking for help from FoxyProxy-land via email.

Here's the relevant code for reference. This is from Flagfox 4.2.7, flagfox.jsm lines 1181-1237. The asynchronicity means the first request is at the bottom, but it's fairly simple in spite of that.

Code:

var DnsHandler =
{
    resolve : function(uri,returnIP)  // Returns request object wrapper
    {
        // Two async functions need to be called here, both cancelable; this wrapper will always point to the one currently in progress so it can be canceled
        var requestWrapper =
        {
            currentRequest : null,
            set : function(request) { this.currentRequest = request; },
            cancel : function(reason) { this.currentRequest.cancel(reason); }
        };

        var callback1 =
        {
            onProxyAvailable : function(_request, _uri, proxyinfo, status)
            {
                if (status == Components.results.NS_ERROR_ABORT)
                    return;  // Ignore cancel

                // If "network.proxy.socks_remote_dns" is set to true or the proxy is otherwise set up to be the one to do all DNS resolution, then don't do it here
                if ( (proxyinfo != null) && (proxyinfo.flags & proxyinfo.TRANSPARENT_PROXY_RESOLVES_HOST) )
                {
                    returnIP("PROXY");
                    return;
                }

                requestWrapper.set( dnsService.asyncResolve(uri.host, 0, callback2, threadManager.currentThread) );  // Queue second lookup to get the IP address
            }
        };

        var callback2 =
        {
            onLookupComplete : function(_request, dnsrecord, status)
            {
                if (status == Components.results.NS_ERROR_ABORT)
                    return;  // Ignore cancel

                if (status != 0 || !dnsrecord || !dnsrecord.hasMore())
                {
                    returnIP("FAIL");
                    return;  // IP not found in DNS
                }

                returnIP(dnsrecord.getNextAddrAsString());  // Done looking up the IP address
            }
        };

        requestWrapper.set( proxyService.asyncResolve(uri, 0, callback1) );  // Queue first lookup to see if DNS is allowed

        return requestWrapper;
    },

    cancelRequest : function(request)
    {
        try { request.cancel(Components.results.NS_ERROR_ABORT); } catch(e) {}  // calls back with status=Components.results.NS_ERROR_ABORT
    }
};

gkoppen
Posts: 2
Joined: Wed Mar 20, 2013 8:42 pm

Re: DNS leak problem?

Post by gkoppen » Wed Mar 20, 2013 9:40 pm

DaveG wrote:
    qiurou wrote:
        by the way, as far as I know, unlike socks proxies, HTTP proxies always do DNS query remotely?
    I thought it was the opposite. I think HTTP don't do remote DNS while SOCKS can.

SOCKS5 can do local and remote DNS resolution and if you specified HTTP proxies then DNS resolution is done remotely only (on the proxy-side). I looked around on mxr.mozilla.org to find a short code-snippet that would explain things to you. But, alas, there was no such snippet. Thus, the simplest thing you could do is to ask Patrick McManus (the necko proxy guru) in #necko on irc.mozilla.org. He is mcmanus there and living on the east coast in the U.S. (just to give you a feeling when you might reach him). Or even simpler: grab/set up an HTTP proxy, enter its details into Firefox and sniff your network with Wireshark, do the same with Flagfox enabled and compare the results. You'll see that only the latter combination is leaking DNS. (Disclaimer: I am from the FoxyProxy Team)
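
Added example, not part of the thread: the with/without-Flagfox capture comparison suggested above, automated over DNS rows exported from a packet capture. The tab-separated column layout, host names and addresses are constructed for illustration.

```javascript
// Constructed sample rows (assumed export layout, tab-separated):
//   ip.dst, udp.dstport, dns.flags.response, dns.qry.name
const PROXY_ONLY = [
  "192.0.2.53\t53\t0\tproxy.example.net",
  "192.0.2.53\t53\t1\tproxy.example.net",
].join("\n");

const PROXY_PLUS_ADDON = [
  "192.0.2.53\t53\t0\tproxy.example.net",
  "192.0.2.53\t53\t1\tproxy.example.net",
  "192.0.2.53\t53\t0\tblocked-site.example",
  "192.0.2.53\t53\t1\tblocked-site.example",
  "192.0.2.53\t53\t0\tBlocked-Site.example.",
].join("\n");

// Return the set of names this machine asked a resolver for.
function localQueries(capture) {
  const names = new Set();
  for (const line of capture.split("\n")) {
    if (!line.trim()) continue;
    const [, port, isResponse, qname] = line.split("\t");
    // Keep outgoing queries to port 53 only; responses repeat the name.
    if (port !== "53" || isResponse !== "0" || !qname) continue;
    // DNS names are case-insensitive; drop the trailing root dot too.
    names.add(qname.toLowerCase().replace(/\.$/, ""));
  }
  return names;
}

// Hosts visited through the proxy that were nevertheless resolved locally.
// The proxy's own name has to be resolved locally, so it is not a leak.
function findLeaks(capture, proxyHost, visitedHosts) {
  const queried = localQueries(capture);
  const proxy = proxyHost.toLowerCase();
  return visitedHosts
    .map((h) => h.toLowerCase())
    .filter((h) => h !== proxy && queried.has(h));
}

console.log(findLeaks(PROXY_ONLY, "proxy.example.net", ["blocked-site.example"]));
console.log(findLeaks(PROXY_PLUS_ADDON, "proxy.example.net", ["blocked-site.example"]));
```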

ericjung
Posts: 5
Joined: Wed Mar 06, 2013 3:31 pm

Re: DNS leak problem?

Post by ericjung » Wed Mar 20, 2013 11:54 pm

"I thought it was the opposite. I think HTTP don't do remote DNS while SOCKS can."

Here is a request from Firefox to an HTTP proxy server for http://flagfox.net. Look at the first two lines.

Code:

GET http://flagfox.net/ HTTP/1.1
Host: flagfox.net
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: <redacted>
Proxy-Authorization: Basic <redacted>
Connection: keep-alive
Cache-Control: max-age=0

You can see Firefox (and FoxyProxy) pass domain names to the HTTP proxy server, not IP addresses. That is why DNS lookups are performed remotely--by the HTTP proxy server or, more accurately, the operating system on which the HTTP proxy server is running.

HTH,
eric

DaveG
Flagfox Developer
Posts: 723
Joined: Wed Oct 03, 2007 9:06 pm
Location: Philadelphia, USA

Re: DNS leak problem?

Post by DaveG » Sat Mar 23, 2013 12:17 am

Thank you both for clarifying. Ok, so both SOCKS and HTTP proxies can do remote DNS lookups. The question is then: why is Firefox not giving me TRANSPARENT_PROXY_RESOLVES_HOST if this is the case? The whole point of this flag is to decide whether or not something else should be looking the host up. Again, near as I can tell, even if this is not the desired result in this case, Flagfox is doing the right thing here by relying on this flag. Disabling altogether when a proxy is in use but not expecting only remote DNS works against a separate population of users who want things to work (and have mentioned so, at some point in the past).

If setting "network.proxy.socks_remote_dns" to true doesn't help it, where is the HTTP equivalent? Why is this SOCKS specific anyway if HTTP proxies can do remote DNS as well? And, if FoxyProxy is doing its own thing here, what settings are (supposed) to get Firefox to know and relay that local DNS is not to be used?

Honestly, this proxy stuff has always ticked me off. If Firefox is set up to use a proxy and not local DNS, then it should just spit out an error code when something tries to do otherwise instead of relying on every caller to somehow figure out what is or is not allowed. >.<
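
Added example, not Flagfox's code and not part of the thread: the flag-only check discussed above next to a stricter variant that also treats HTTP(S) proxies as resolving names remotely, to show exactly which configurations the two disagree on. The proxy info objects are constructed stand-ins, and the type-aware rule is an assumption of this example based on the explanations given in the replies.

```javascript
// Bit value of nsIProxyInfo.TRANSPARENT_PROXY_RESOLVES_HOST.
const TRANSPARENT_PROXY_RESOLVES_HOST = 1 << 0;

// Constructed stand-ins for the object passed to onProxyAvailable.
// flags: 0 for HTTP(S) mirrors what the thread reports Firefox returning.
const CASES = {
  "no-proxy":         null,
  "socks-remote-dns": { type: "socks", flags: TRANSPARENT_PROXY_RESOLVES_HOST },
  "socks-local-dns":  { type: "socks", flags: 0 },
  "http-proxy":       { type: "http",  flags: 0 },
  "https-proxy":      { type: "https", flags: 0 },
};

// Policy from the thread: a local lookup is allowed unless the flag is set.
function flagOnlyAllowsLocalDns(proxyinfo) {
  return !(proxyinfo !== null &&
           (proxyinfo.flags & TRANSPARENT_PROXY_RESOLVES_HOST));
}

// Stricter policy (assumption of this example): an HTTP or HTTPS proxy
// receives host names and resolves them itself, so never look up locally.
function typeAwareAllowsLocalDns(proxyinfo) {
  if (proxyinfo === null || proxyinfo.type === "direct") return true;
  if (proxyinfo.flags & TRANSPARENT_PROXY_RESOLVES_HOST) return false;
  if (proxyinfo.type === "http" || proxyinfo.type === "https") return false;
  return true; // e.g. SOCKS explicitly configured for local DNS
}

// Names of the sample configurations where the two policies differ,
// i.e. where the flag-only check would send a local DNS query.
function policyDisagreements() {
  return Object.keys(CASES).filter(
    (name) =>
      flagOnlyAllowsLocalDns(CASES[name]) !== typeAwareAllowsLocalDns(CASES[name])
  );
}

console.log(policyDisagreements());
```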

Locked