Bug 1618271 Comment 7 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

(In reply to Honza Bambas (:mayhemer) from comment #2)
> (In reply to Shane Caraveo (:mixedpuppy) from comment #1)
> > Honza, IIUC from reading a few bugs, nsIDNSService will bypass socks.  This is what we use in the dns api.  From bug 1470411 there doesn't seem to be a clear path to addressing this.  Is that correct?
> 
> The Necko DNS service (nsIDNSService) doesn't know anything about proxy settings.  As I understand, the request here is that if there is a socks proxy enabled and is also set to resolve hosts on its own, we should make `browser.dns` just fail?  AFAIK, there is now way to use the proxy to only resolve hosts (as a DNS resolver of sort) - a.k.a to forward `browser.dns` to the proxy.

Tor supports this, but it is non-standard.

> 
> If `browser.dns` failing is the possible fix, then the API implementation has to check for the proxy settings.  It would be `network.proxy.type == 1`, `network.proxy.socks` is non-empty and `network.proxy.socks_remote_dns == true`.

This would be idea in this scenario.

Tor Browser has a patch that mitigates this, but it'd be great to have something  like this in Firefox. https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-68.7.0esr-9.5-1&id=680a234d549e63cd69e4429af183cab19caa2977

It looks like the defense-in-depth protected Tor Browser, here.
(In reply to Honza Bambas (:mayhemer) from comment #2)
> (In reply to Shane Caraveo (:mixedpuppy) from comment #1)
> > Honza, IIUC from reading a few bugs, nsIDNSService will bypass socks.  This is what we use in the dns api.  From bug 1470411 there doesn't seem to be a clear path to addressing this.  Is that correct?
> 
> The Necko DNS service (nsIDNSService) doesn't know anything about proxy settings.  As I understand, the request here is that if there is a socks proxy enabled and is also set to resolve hosts on its own, we should make `browser.dns` just fail?  AFAIK, there is now way to use the proxy to only resolve hosts (as a DNS resolver of sort) - a.k.a to forward `browser.dns` to the proxy.

Tor supports this, but it is non-standard.

> 
> If `browser.dns` failing is the possible fix, then the API implementation has to check for the proxy settings.  It would be `network.proxy.type == 1`, `network.proxy.socks` is non-empty and `network.proxy.socks_remote_dns == true`.

This would be ideal in this scenario.

Tor Browser has a patch that mitigates this, but it'd be great to have something  like this in Firefox. https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-68.7.0esr-9.5-1&id=680a234d549e63cd69e4429af183cab19caa2977

It looks like the defense-in-depth protected Tor Browser, here.

Back to Bug 1618271 Comment 7