(In reply to Honza Bambas (:mayhemer) from comment #2) > (In reply to Shane Caraveo (:mixedpuppy) from comment #1) > > Honza, IIUC from reading a few bugs, nsIDNSService will bypass socks. This is what we use in the dns api. From bug 1470411 there doesn't seem to be a clear path to addressing this. Is that correct? > > The Necko DNS service (nsIDNSService) doesn't know anything about proxy settings. As I understand, the request here is that if there is a socks proxy enabled and is also set to resolve hosts on its own, we should make `browser.dns` just fail? AFAIK, there is now way to use the proxy to only resolve hosts (as a DNS resolver of sort) - a.k.a to forward `browser.dns` to the proxy. Tor supports this, but it is non-standard. > > If `browser.dns` failing is the possible fix, then the API implementation has to check for the proxy settings. It would be `network.proxy.type == 1`, `network.proxy.socks` is non-empty and `network.proxy.socks_remote_dns == true`. This would be idea in this scenario. Tor Browser has a patch that mitigates this, but it'd be great to have something like this in Firefox. https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-68.7.0esr-9.5-1&id=680a234d549e63cd69e4429af183cab19caa2977 It looks like the defense-in-depth protected Tor Browser, here.
Bug 1618271 Comment 7 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
(In reply to Honza Bambas (:mayhemer) from comment #2) > (In reply to Shane Caraveo (:mixedpuppy) from comment #1) > > Honza, IIUC from reading a few bugs, nsIDNSService will bypass socks. This is what we use in the dns api. From bug 1470411 there doesn't seem to be a clear path to addressing this. Is that correct? > > The Necko DNS service (nsIDNSService) doesn't know anything about proxy settings. As I understand, the request here is that if there is a socks proxy enabled and is also set to resolve hosts on its own, we should make `browser.dns` just fail? AFAIK, there is now way to use the proxy to only resolve hosts (as a DNS resolver of sort) - a.k.a to forward `browser.dns` to the proxy. Tor supports this, but it is non-standard. > > If `browser.dns` failing is the possible fix, then the API implementation has to check for the proxy settings. It would be `network.proxy.type == 1`, `network.proxy.socks` is non-empty and `network.proxy.socks_remote_dns == true`. This would be ideal in this scenario. Tor Browser has a patch that mitigates this, but it'd be great to have something like this in Firefox. https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-68.7.0esr-9.5-1&id=680a234d549e63cd69e4429af183cab19caa2977 It looks like the defense-in-depth protected Tor Browser, here.