Closed Bug 458303 Opened 16 years ago Closed 7 years ago

socks_remote_dns not working - always uses local dns proxy instead of remote

Categories: Core :: Networking, defect
Platform: x86, Windows XP
Type: defect, Priority: Not set, Severity: normal
Status: RESOLVED WORKSFORME
People: Reporter: deon, Assigned: xeonchen
Whiteboard: [necko-active][proxy]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3

The DNS is always performed on the local DNS instead of across the Socks v5 proxy.
Setting the socks_remote_dns entry on the about:config page has no effect.

Reproducible: Always

Steps to Reproduce:
1. Configure putty for dynamic port forwarding L1080 127.0.0.1:1080
2. freesshd is the sshd running at the remote end
3. Configure Firefox to use socks v5
4. Wireshark shows DNS lookups are still occurring on the local network
5. Traffic is encrypted. Lookup is not.


Expected Results:  
DNS should be performed at the remote end
Component: General → Networking
Product: Firefox → Core
QA Contact: general → networking
Make sure you have Firefox set to only use the socks proxy, and no other proxies.
Firefox is only set to use the single socks v5 proxy. No other proxies enabled.

Thanks
I'll have to check this out.
I can't confirm this on Linux. However I'm about to file a like bug: socks_remote_dns does not work if you set the proxy in gnome-proxy and use Firefox's "Use System Proxy Settings" rather than setting the proxy in Firefox directly.
I can confirm that this problem happens in Ubuntu under some circumstances.

Assuming you set about:config socks_remote_dns to true.

If you set the proxy manually for socks in the preferences then it seems to do DNS through the proxy. 

If you set it to use the system proxy (as set by System->Preferences->Network Proxy from desktop) then it does use the proxy but DNS are still done locally. 

For me this is definitely an information leak to be fixed. I verified it with Wireshark. I can see the encrypted traffic through socks proxy but also the DNS requests in the open through local DNS.
I have tested under Ubuntu and did not get a leak.

Still getting a DNS leak under Windows XP.

My IP configuration is set to auto and my computer gets configured with two DNS servers.

Tested with Wireshark.
I also see this problem under 64-bit Windows 7 using Firefox 16.0.2 and Firefox 17. Verified using Wireshark. Disabled HTTPS-Everywhere Add-on just in case it had an impact but problem persisted.
Whiteboard: [necko-backlog]
It's been 8 years ... the bug still exists in FF 46 (reported by me in #1272035). Is nobody at Mozilla interested at all in fixing, or at least confirming, this rather big privacy issue?
still open!
FF49, Ubuntu 16.04.1 LTS, kernel 4.8.1-040801-generic, 
proxy-setting: SOCKS 5, Remote DNS [x] (is checked).

see output of: 
sudo tcpdump -i enp3s0 port 53
(In reply to Evan Carroll from comment #4)
> I can't confirm this on Linux. However I'm about to file a like bug:
> socks_remote_dns does not work if you set the proxy in gnome-proxy and use 
> Firefox's "Use System Proxy Settings" rather than setting the proxy in
> Firefox directly.

This has been fixed recently in bug 624837.
(In reply to Asperner from comment #10)
> still open!
> FF49, Ubuntu 16.04.1 LTS, kernel 4.8.1-040801-generic, 
> proxy-setting: SOCKS 5, Remote DNS [x] (is checked).
> 
> see output of: 
> sudo tcpdump -i enp3s0 port 53

Did you use manual proxy or system proxy setting?  If system proxy, please try again on Firefox nightly to see if this issue still exists.
Flags: needinfo?(bugzilla.mozilla.org)
See Also: → 134105
(In reply to Shian-Yow Wu [:swu] from comment #12)
> (In reply to Asperner from comment #10)
> > still open!
> > FF49, Ubuntu 16.04.1 LTS, kernel 4.8.1-040801-generic, 
> > proxy-setting: SOCKS 5, Remote DNS [x] (is checked).
> > 
> > see output of: 
> > sudo tcpdump -i enp3s0 port 53
> 
> Did you use manual proxy or system proxy setting?  If system proxy, please
> try again on Firefox nightly to see if this issue still exists.

I used manual proxy, and it has been fixed partly in version 54. 
One thing a quick test showed. When I switched to manual proxy and enabled DNS lookups via proxy => working as expected (lookups are seen on proxy server), when I disabled it => working as expected (lookups are seen on my PC), when I re-enabled it, the setting was ignored (lookups are still seen on my PC instead of server). 
tested via: sudo tcpdump -i enp3s0 port 53 | grep <domain>
Thanks for your quick feedback!

Gary, could you take a look at comment 13?
Flags: needinfo?(bugzilla.mozilla.org) → needinfo?(xeonchen)
(In reply to Shian-Yow Wu [:swu] from comment #11)
> (In reply to Evan Carroll from comment #4)
> > I can't confirm this on Linux. However I'm about to file a like bug:
> > socks_remote_dns does not work if you set the proxy in gnome-proxy and use 
> > Firefox's "Use System Proxy Settings" rather than setting the proxy in
> > Firefox directly.
> 
> This has been fixed recently in bug 624837.

No, this is not.

Bug 624837 is for Windows platform only, and Evan's platform is Linux.
(In reply to Asperner from comment #13)
> I used manual proxy, and it has been fixed partly in version 54. 
> One thing a quick test showed. When I switched to manual proxy and enabled
> DNS lookups via proxy => working as expected (lookups are seen on proxy
> server), when I disabled it => working as expected (lookups are seen on my
> PC), when I re-enabled it, the setting was ignored (lookups are still seen
> on my PC instead of server). 
> tested via: sudo tcpdump -i enp3s0 port 53 | grep <domain>

If you use manual proxy in Firefox rather than using system proxy settings,
it is (almost) supposed to have the same effect on different platforms.

However, I cannot reproduce this on my macOS, I'll check this again when
I get my Linux desktop.
(leave needinfo uncleared)
Assignee: nobody → xeonchen
Whiteboard: [necko-backlog] → [necko-active][proxy]
(In reply to Gary Chen [:xeonchen] (needinfo plz) from comment #15)
> (In reply to Shian-Yow Wu [:swu] from comment #11)
> > (In reply to Evan Carroll from comment #4)
> > > I can't confirm this on Linux. However I'm about to file a like bug:
> > > socks_remote_dns does not work if you set the proxy in gnome-proxy and use 
> > > Firefox's "Use System Proxy Settings" rather than setting the proxy in
> > > Firefox directly.
> > 
> > This has been fixed recently in bug 624837.
> 
> No, this is not.
> 
> Bug 624837 is for Windows platform only, and Evan's platform is Linux.

Thanks for the correction. I found Evan filed bug 474824 for that specific issue on Linux, not sure if the issue still exists in recent versions.
I can't reproduce this on Ubuntu, Firefox 54.0 (Build ID 20170612122310) using system proxy (set by unity-control-center)
Pref "network.proxy.socks_remote_dns" works as expected for both true/false cases.

I'm using Tor as my local socks server, and checked by tcpdump command.
Flags: needinfo?(xeonchen)
Of course you can't reproduce this, as Ubuntu's system proxy is working correctly, tunneling the DNS requests as well. The point is that Firefox 54.0 did not tunnel the DNS request after checked->unchecked->checked the DNS setting. This can be dangerous for some persons out there, trusting in the FF security.
--> please try without using the system's proxy.
See Also: → 783178
Flags: needinfo?(xeonchen)
Sorry for late reply, but I still cannot reproduce this (on Firefox Nightly 57.0a1 2017-08-06 Linux x64).

step 1. use SOCKS proxy, leave other proxy types blank, check proxy DNS.
step 2. open a terminal, launch tcpdump to display DNS lookups
step 3. connect to web site A, no DNS lookup in the terminal
step 4. uncheck proxy DNS, connect to web site B, tcpdump shows some DNS lookups.
step 5. check proxy DNS, connect to web site C, tcpdump displays nothing.
Flags: needinfo?(xeonchen)
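
The check in the steps above (watch `tcpdump` on port 53 while toggling proxy DNS) can be scripted instead of read by eye; this is an added example, not part of the original bug comments or of Firefox. The capture lines, host names and addresses are constructed, and the text format of `tcpdump -n port 53` is assumed.

```python
import re

# A DNS *query* line as printed by `tcpdump -n port 53`, for example:
#   12:00:05.000001 IP 192.0.2.10.40000 > 192.0.2.1.53: 4242+ A? site-b.example. (32)
# Replies are addressed to the client's ephemeral port, so they do not match.
QUERY_RE = re.compile(
    r">\s+\S+\.(?:53|domain):\s+\d+\S*\s+(?:\[[^\]]*\]\s+)?([A-Z]+)\?\s+(\S+)"
)

def local_lookups(capture_text):
    """Return the set of hostnames queried over local DNS in a capture."""
    names = set()
    for line in capture_text.splitlines():
        match = QUERY_RE.search(line)
        if match:
            names.add(match.group(2).rstrip(".").lower())
    return names

def leaked(capture_text, proxied_hosts):
    """Hosts visited with proxy DNS checked that were still resolved locally."""
    seen = local_lookups(capture_text)
    return sorted(
        host for host in proxied_hosts
        if any(name == host or name.endswith("." + host) for name in seen)
    )

# Constructed captures (documentation addresses, made-up hosts).
# Sites A and C are visited with proxy DNS checked, site B with it unchecked.
EXPECTED = """\
12:00:05.000001 IP 192.0.2.10.40000 > 192.0.2.1.53: 4242+ A? site-b.example. (32)
12:00:05.000500 IP 192.0.2.10.40001 > 192.0.2.1.53: 4243+ AAAA? site-b.example. (32)
12:00:05.020000 IP 192.0.2.1.53 > 192.0.2.10.40000: 4242 1/0/0 A 203.0.113.5 (48)
"""
# Same run, but the re-checked setting is ignored and site C is resolved locally.
SETTING_IGNORED = EXPECTED + """\
12:00:09.000001 IP 192.0.2.10.40002 > 192.0.2.1.53: 5151+ [1au] A? www.site-c.example. (47)
"""

PROXIED = ["site-a.example", "site-c.example"]

if __name__ == "__main__":
    print("expected run :", leaked(EXPECTED, PROXIED))
    print("ignored pref :", leaked(SETTING_IGNORED, PROXIED))
```

Matching on the visited host and its subdomains avoids the false negative that a plain `grep <domain>` for the bare name would also avoid, while ignoring unrelated background lookups on the same interface.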
Hi Shian-Yow, would you like to try reproducing this when you have a cycle?
Flags: needinfo?(swu)
I cannot reproduce it with steps in comment 21 on Firefox 54 & 57.

Asperner, could you confirm the problem is reproducible with the steps in comment 21?
Flags: needinfo?(swu) → needinfo?(bugzilla.mozilla.org)
(In reply to Shian-Yow Wu [:swu] (56 Regression Engineering support) from comment #23)
> I cannot reproduce it with steps in comment 21 on Firefox 54 & 57.
> 
> Asperner, could you confirm the problem is reproducible with the steps in
> comment 21?

Re-tested with (Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0), and COULD NOT REPRODUCE the issue again. 
Test: I changed the DNS checkbox multiple times and checked via tcpdump locally as well as on our proxy server. The DNS requests were made as expected locally OR at server. So you can close that issue. Although I am sure that in Version 49 I could see the wrong behaviour, not tunneling the DNS requests.

btw: thanks to all working on Firefox and improving it!!!
Flags: needinfo?(bugzilla.mozilla.org)
Based on comment 24, I'm going to close this.
Please feel free to reopen it or file a new bug (please cc me) if anyone still encounters this issue.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME