uBlock Origin v1.25.0 new feature cause DNS leaks. #911
Comments
I think uBlock Origin shouldn't check the DNS CNAME record when users set their proxy configuration on Firefox.
uBO just makes use of the You can disable uBO's canonical-name uncloaking from advanced settings if you do not like the feature.
Okay, Edited: I opened a thread on bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1618271
Recently I noticed DNS leaks too. I looked everywhere and finally found uBlock Origin. Even if this is unavoidable or broken because of the browser API, I think uBlock Origin should make people aware of this issue. BTW why isn't uBlock Origin using the
@lilydjwg Is your setup similar to OP, i.e. using a socks5 proxy?
@gorhill I use a PAC file to proxy part of my requests, and some of them are proxied to a socks5 proxy. Flagfox will show that it doesn't have the DNS information on proxied websites. I saw some DNS requests for domains that should have gone to the proxy, and after some observation I found uBlock Origin was doing this. Setting
@lilydjwg From your profile, it seems you would be able to use the debugger to step into uBO's code? If so, I would be curious to find out whether the My thinking is that uBO could maybe avoid using
@gorhill Yes it's set and Edit: I mean it's set when the request is proxied (all properties seem ready). It's null if not proxied.
I am also a user of Flagfox, and I notice that it doesn't cause DNS leaks. Reading the code, I find that it uses
What Flagfox does is not applicable to uBO -- uBO uses the API in a blocking manner, i.e. the
Related issue:
- uBlockOrigin/uBlock-issues#911

Since cname-uncloaking is available only on Firefox at the moment, the fix is relevant only to Firefox. By default uBO will no longer cname-uncloak when it detects that network requests are being proxied. This default behavior can be overridden by setting the new advanced setting `cnameUncloakProxied` to `true`. The new setting defaults to `false`, i.e. cname-uncloaking is disabled when uBO detects that a proxy is in use.

This new advanced setting may disappear once the following Firefox issue is fixed:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1618271
In the latest dev build, 1.25.3b7, uBO will automatically disable cname-uncloaking when it detects that requests are proxied. To find out if this works as intended, you will of course need to put back Feedback appreciated.
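The rule described in the commit message above, as an added example that is not uBO's own code: a blocking `webRequest` listener may only call the dns API to uncloak a CNAME when the request is not proxied, unless the `cnameUncloakProxied` setting is `true`. Firefox sets `details.proxyInfo` on proxied requests and leaves it `null` otherwise (as reported earlier in the thread). The resolver, the CNAME table, the SOCKS `proxyInfo` object and the request objects are constructed stand-ins for `browser.dns.resolve()` and the real request details; the resolver is synchronous here for simplicity, whereas the real API returns a Promise that the blocking listener would return to Firefox.

```javascript
// Added example, not uBO's code. Shows the proxy-aware gate around a
// CNAME lookup: no DNS query is issued for proxied requests unless the
// cnameUncloakProxied setting is explicitly enabled.

// Constructed stand-in for browser.dns.resolve(hostname, ['canonical_name']).
// It records every hostname it is asked to resolve so a test can verify that
// proxied requests never reach the resolver (that is exactly the "leak").
function makeFakeResolver(cnameTable) {
  const lookups = [];
  return {
    lookups,
    resolve(hostname, flags) {
      lookups.push(hostname);
      // The real record has `canonicalName` when 'canonical_name' is requested.
      const canonicalName =
        flags.includes('canonical_name') ? cnameTable[hostname] || hostname : hostname;
      return { addresses: ['192.0.2.1'], canonicalName };
    },
  };
}

// Firefox populates details.proxyInfo for requests that go through a proxy
// (manual, PAC or extension-provided) and leaves it null otherwise.
function isProxied(details) {
  return details.proxyInfo !== null && details.proxyInfo !== undefined;
}

// The gate: skip uncloaking on proxied requests unless the advanced setting
// cnameUncloakProxied (assumed shape: a boolean on a settings object) is true.
function shouldUncloak(details, settings) {
  if (isProxied(details) && settings.cnameUncloakProxied !== true) {
    return false;
  }
  return true;
}

// Returns the hostname filters should be matched against: the canonical name
// when uncloaking is allowed and a CNAME exists, the original hostname otherwise.
function uncloakHostname(details, settings, resolver) {
  const hostname = new URL(details.url).hostname;
  if (!shouldUncloak(details, settings)) {
    return hostname; // no dns call at all, so nothing can leak past the proxy
  }
  const rec = resolver.resolve(hostname, ['canonical_name']);
  return rec.canonicalName && rec.canonicalName !== hostname ? rec.canonicalName : hostname;
}

// Runs a batch of requests through the gate and reports which hostnames were
// actually sent to the resolver, which is the number a tcpdump on port 53
// would observe as plaintext queries.
function runScenario(requests, settings, resolver) {
  const results = requests.map((d) => uncloakHostname(d, settings, resolver));
  return { results, lookups: resolver.lookups.slice() };
}

// Constructed sample data: a first-party subdomain that CNAMEs to a tracker
// host, and a proxyInfo object shaped like a Firefox SOCKS5 proxy with
// "Proxy DNS when using SOCKS v5" enabled (127.0.0.1:9150 is Tor Browser's
// SOCKS port as mentioned later in the thread).
const SAMPLE_CNAMES = { 'metrics.example.com': 'tracker.example.net' };
const SOCKS_PROXY = { type: 'socks', host: '127.0.0.1', port: 9150, proxyDNS: true };
const SAMPLE_REQUESTS = [
  { url: 'https://metrics.example.com/pixel.gif', proxyInfo: SOCKS_PROXY },
  { url: 'https://metrics.example.com/pixel.gif', proxyInfo: null },
];
```

With the default setting the proxied request is filtered under `metrics.example.com` and produces no lookup, while the direct request is uncloaked to `tracker.example.net`; setting `cnameUncloakProxied: true` restores the lookup for both, which is the behaviour that leaked queries to the local resolver before the fix.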
I still have the problem in uBlock Origin v1.25.3b7.

Settings

What I see

I open https://ipleak.net/ and do some tests. Using:

```
$ sudo tcpdump udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlp3s0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:50:07.166089 IP tomacat.37560 > _gateway.domain: 11448+ A? nwv5dyztu6o1o7xg5yp8nmr0dnqyf48qw32pzslo.ipleak.net. (69)
12:50:07.166111 IP tomacat.37560 > _gateway.domain: 23238+ AAAA? nwv5dyztu6o1o7xg5yp8nmr0dnqyf48qw32pzslo.ipleak.net. (69)
12:50:07.167239 IP tomacat.39124 > _gateway.domain: 46747+ A? g15hezrsl41pg2n3xice1chrvkbpwzr8k2fo68k1.ipleak.net. (69)
12:50:07.167252 IP tomacat.39124 > _gateway.domain: 35495+ AAAA? g15hezrsl41pg2n3xice1chrvkbpwzr8k2fo68k1.ipleak.net. (69)
12:50:07.168623 IP tomacat.53883 > _gateway.domain: 7761+ A? soycqomnr363xhy64o4vgskbbhszu1aowji5ekeb.ipleak.net. (69)
12:50:07.168638 IP tomacat.53883 > _gateway.domain: 1628+ AAAA? soycqomnr363xhy64o4vgskbbhszu1aowji5ekeb.ipleak.net. (69)
12:50:07.571706 IP _gateway.domain > tomacat.37560: 11448 1/0/0 A 95.85.16.212 (85)
12:50:07.571720 IP _gateway.domain > tomacat.53883: 7761 1/0/0 A 95.85.16.212 (85)
12:50:07.571728 IP _gateway.domain > tomacat.43213: 61608 1/0/0 A 95.85.16.212 (85)
12:50:07.571735 IP _gateway.domain > tomacat.43213: 3763 1/0/0 AAAA 2a03:b0c0:0:1010::509:d001 (97)
12:50:07.572258 IP tomacat.53185 > _gateway.domain: 35947+ A? zaqyly2w67351l9ks4dq52wa3eggjh41xejzn663.ipleak.net. (69)
12:50:07.572272 IP tomacat.53185 > _gateway.domain: 52853+ AAAA? zaqyly2w67351l9ks4dq52wa3eggjh41xejzn663.ipleak.net. (69)
[...]
```

Then I set
I'm afraid that it didn't work. I still observe the same DNS leak.
I don't have a proxy provider. Is there a way for me to test this on my side?
Tor Browser provides one, it is listening on 127.0.0.1:9150.

Steps

```js
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9150);
user_pref("network.proxy.socks_remote_dns", true);
```

(Edited: I can't reproduce on Tor Browser itself, I think TBB may have some security hardening on this side.)
@tomac4t Great, this works for testing purposes -- I already had the Tor browser installed. So anyway, now that I could test the code path I see that there is a typo in the code. I will publish a fix asap.
Related issue:
- uBlockOrigin/uBlock-issues#911

Related commit:
- 3f7ece94691f
Related commit:
- uBlockOrigin/uBlock-issues#911

The motivation is to avoid executing code which is unnecessary on platforms not supporting the browser.dns API.
03/24/2020: After trying uBlock Origin v1.25.3b8, I also tested the case of setting a proxy with an add-on like SwitchyOmega. The PAC (Automatic proxy configuration, which @lilydjwg commented about above) case I didn't test, because I'm not familiar with it. But I think it could also work. 03/25/2020: Firefox 74.0 with uBlock Origin v1.25.3b9 works fine.
I don't see leaked DNS queries now but I'm still monitoring.
It still leaks with the latest uBlock Origin 1.25.3rc0, when checked using Steps to Reproduce: use a DNS leak test site, but when checked using
FF 68.6.1esr and uBO 1.26.0 work as intended. Cname lookup is disabled when the browser is proxied, and enabled when not. Also I find that http://browserleaks.com/dns gives the most correct results. It resolves 100 randomly generated domain names asynchronously, 50 with an A record (IPv4-only) and 50 with both A and AAAA records. And does so really fast compared to the other tests. Orbot on Android with FF 68.6.0esr and uBO 1.26.0 does some magic with the "vpn" feature, and uBO doesn't detect that the browser is proxied, so Cname lookup works. That with no DNS leakage. Before uBO 1.26.0 I made a script that cleared /etc/resolv.conf, and Cname lookup stopped working on uBO 1.25.2, further proving the FF bug. I really hope FF devs fix the bug since Cname lookup is a cool feature in uBO. When uMA gets it I hope it also has the fix from uBO to disable it on proxied browsers until FF is fixed. Thank you gorhill for the awesome work with both extensions.
CNAME uncloaking is already present in the dev build of uMatrix, the workaround added in uBO however is not, so you might reproduce it with uMatrix dev build. |
Related issue:
- uBlockOrigin/uBlock-issues#911

This was fixed in Firefox 80:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1618271
Prerequisites
Description
Hello there, I noticed that uBlock Origin v1.25.0 has a new way to block 1st-party tracking. This problem is related to #780.
Let me explain a little bit of background first. To protect my privacy, I use a socks5 proxy to surf the internet. I set a manual proxy configuration on my Firefox and check the box "Proxy DNS when using SOCKS v5". There shouldn't be any UDP DNS traffic, but it happened (`sudo tcpdump udp` can confirm it). It makes me pretty annoyed that it exposed my real location and the ISP will know what I browse. I wondered if it's a bug of Debian Firefox ESR. So I downloaded the latest Firefox stable, and the problem was gone. Then I switched to the old Firefox profile, and the problem came back again. So I suspected some extension may be the cause. Finally, I found it is uBlock Origin causing the UDP DNS traffic. I remember that it required the IP/Hostname permission after yesterday's upgrade.
A specific URL where the issue occurs
No specific URL.
Steps to Reproduce
You can find the "DNS leaks" exposing your location. Meanwhile, you can use `tcpdump udp` to watch realtime UDP DNS traffic, which confirms it happened. Disable uBlock Origin, and the problem is gone.
Expected behavior:
There shouldn't be any UDP DNS traffic if you set the socks5 proxy on Firefox.
Actual behavior:
UDP DNS traffic happened when I set the socks5 proxy on Firefox, even though I checked the box "Proxy DNS when using SOCKS v5".
Your environment