Monday, October 19, 2009

DNS Leak in Firefox 3.5.3 with Dynamic Proxy Switching Add-ons

The DNS leak problem in a simplified scenario: the domain name in the URL has to be converted to an IP address before the HTTP request can be made. The DNS lookup and the HTTP request are two separate processes performed by different servers. If you have something to hide by using an HTTP proxy, only the HTTP request goes through the proxy. The DNS request may or may not go through the proxy. The implication is that, for example, someone monitoring your activities at your ISP knows approximately when and which websites you are visiting, even though your HTTP requests are encrypted and your IP hidden by the proxy.

DNS leaks should have been a thing of the past ever since the preference network.proxy.socks_remote_dns was introduced in Firefox 3; it should be set to true via about:config to avoid leaks. However, some changes around Firefox 3.5 made DNS leaks possible.

I suppose that the changes are: the DNS and HTTP requests are not synchronized, or are loosely synchronized. This should not affect anything if the proxy selection is static, like editing the Firefox proxy option by hand. DNS leaks may occur in dynamic proxy switching add-ons like FoxyProxy. There were no leaks prior to around FF v3.5.

In dynamic switching add-ons, the proxy preference is switched for the HTTP request, but reverted to the previous Firefox setting after the request. I would think that the DNS request is made before the correct proxy is selected for the next HTTP request. The previous FoxyProxy and the new Standard and Basic versions all leak DNS requests.

To avoid leaks in FoxyProxy, one must use a SOCKS proxy, and check the global option to use the SOCKS proxy for DNS.

However, one of the free and fast censorship circumvention systems, UltraSurf, does not allow SOCKS. In this case, simple and static switching should be used, such as Multiproxy Switch.

There is no DNS leak if you use a VPN - all network requests go through the VPN server. However, if you use a proxy on top of a VPN, any DNS leak from the proxy will be protected by the VPN, but not both.

I use Wireshark for testing. The simple capture filter should be set to "port 53" to capture DNS requests only.
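The Wireshark check above can be automated once the port 53 packets have been exported. The following is an added example, not code from the original post; the function names, hostnames and addresses are constructed for illustration, and the capture is assumed to be already reduced to (destination IP, destination port, UDP payload) tuples.

```python
import struct

def build_query(name, txid=0x1234):
    """Build a minimal DNS A query; used only to construct the sample packets."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(msg):
    """Return the lower-cased name asked for in a DNS query, else None."""
    if len(msg) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount < 1:      # QR bit set means a response
        return None
    labels, pos = [], 12
    while pos < len(msg):
        n = msg[pos]
        if n == 0:                         # root label ends the name
            return ".".join(labels).lower()
        if n & 0xC0 or pos + 1 + n > len(msg):   # pointer or truncated label
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None                            # ran off the end without a root label

def find_leaks(packets, proxied_hosts):
    """List (hostname, resolver_ip) for proxied hosts seen in cleartext DNS."""
    wanted = {h.lower().rstrip(".") for h in proxied_hosts}
    leaks = []
    for dst_ip, dst_port, payload in packets:
        if dst_port != 53:                 # keep only packets sent to a DNS server
            continue
        name = parse_qname(payload)
        if name in wanted and (name, dst_ip) not in leaks:
            leaks.append((name, dst_ip))
    return leaks

# Constructed sample capture: (destination IP, destination port, UDP payload)
SAMPLE = [
    ("192.0.2.53", 53, build_query("blocked.example")),
    ("192.0.2.53", 53, build_query("updates.example.net")),
    ("198.51.100.7", 8080, b"GET http://blocked.example/ HTTP/1.1\r\n"),
    ("192.0.2.53", 53, build_query("Blocked.Example", txid=2)),  # retry
]

if __name__ == "__main__":
    for host, resolver in find_leaks(SAMPLE, ["blocked.example"]):
        print(f"LEAK: {host} was resolved in the clear via {resolver}")
```

An empty result for the hosts visited through the proxy is the outcome to look for; any entry means the name went to a resolver outside the proxy.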


Eric said...

I have a beta of FoxyProxy that fixes DNS leaks. Please email me if you are able to test it.


The Player said...

Thanks but I prefer simplicity. If your life depends on censors NOT finding you out, you don't want any complications.

The only reason I used FoxyProxy is that it was the only one that can handle 5 or more proxies, with a respectable GUI to add and edit the details. I don't need any fancy stuff, and when I selected a proxy, I don't want it to change without me knowing.

Eric Jung said...



This is now fixed in FoxyProxy Standard 2.16, FoxyProxy Basic 1.3, and FoxyProxy Plus 3.3. Try it with Wireshark to see for yourself.

If you agree that it's fixed, I'd appreciate another blog post (or an update to this one) so people finding your blog on the internet--like me--get more accurate information.

Best regards,
Eric Jung

The Player said...

I tested the Standard version with Firefox 3.6. There's no DNS leak as seen from Wireshark.

Still, even the Basic version does not have a painless way to select one of, say, five proxies, using two clicks.

I returned to FoxyProxy because the other simple switcher does not update with Firefox. Autoproxy is pretty good, but it's a pain to switch proxies and there's no indication of which proxy is being used.

Anonymous said...

"Still, even the Basic version does not have a painless way to select one of, say, five proxies, using two clicks."

Right-click on the FoxyProxy statusbar or toolbar icon. Click the proxy to select. Proxy selected in two clicks. Shortcut keys (customizable per proxy) coming soon.

The Player said...

To show the context menu? Total three clicks.