#85 Network Boundary Shield leaks DNS servers when using different proxies and Firefox containers
Closed: Fixed a year ago by polcak. Opened a year ago by m-u-m-p-i-t-z.

Summary

Hi,
I use the container feature of Firefox together with the add-on Container Proxy, which lets me assign a separate proxy to each container, so that I am connected through a VPN service and at the same time with my true IP. For this to work correctly you need a Squid web proxy on your own router.

How to reproduce

- Container 1 is connected to the Squid web proxy
- Container 2 is connected to an external HTTP proxy via the VPN service

If I check with the page ip-leak:
- Container 1 has my true IP and the DNS servers of my router &
- Container 2 has a VPN IP and the DNS servers of the VPN service.

If I now install the add-on JShelter and enable JS with the option Recommended, NBS on and FPD on, it looks a bit different:
- Container 1 has my true IP and the DNS servers of my router plus the DNS servers of the VPN service &
- Container 2 is fortunately unchanged.

Expected result

Unchanged DNS servers in both containers.

Actual result

DNS leak in the container with the real IP.

Reproducibility

Tried only in Firefox.

Workarounds

If I deactivate the Network Boundary Shield, everything is correct again.

Have you tried other steps to solve the issue?

I have checked all installed add-ons individually, found the problem to be uBlock Origin and JShelter, and have gone through each option to find the error.

Additional information / notes

I can't tell you why, but I had the same problem with the add-on uBlock Origin,
but after disabling the function "Uncloak canonical names" the problem no longer exists.

Likewise, if you try it without the Squid web proxy, you have the IP of the VPN service and the DNS servers of the VPN service plus those of the router, which is of course disastrous and is also reported everywhere as a DNS leak.

If I understood correctly everything I read about the two options, it must be the way the add-on's DNS query is done. Apparently the connected proxies are not taken into account. But why this information can be queried from the outside, I have no idea.

I am not a programmer but just a small, insignificant user who tries everything to ensure his security and privacy, and my knowledge is limited, but I think that a DNS leak which betrays the DNS servers of the VPN service alongside the true IP is not in the spirit of an add-on that is supposed to ensure my privacy.

Best regards and Thank you!


Not sure how we could reproduce this issue easily.

I know it is a somewhat strange setup, but I have the possibility and simply use it. And I find it very comfortable to use the VPN and my real IP in parallel. Only the two lines should be completely separate from each other and not provide any info about the other lines.
I actually use three lines, as one container is connected to a Tor proxy, so there are 3 parallel connections.

I have also thought about how this can happen. NBS secures access from the Internet to an internal IP through the browser.
For some reason the DNS query is not only routed through the proxy but also to the TAP device of the VPN, where the DNS servers of the VPN provider are stored and are leaked during the test.
So by activating the NBS option, the proxy settings for the two containers are not considered and a DNS request is made on all network adapters. Maybe this helps to understand where you can start.
I don't know exactly how the shield works or what is done to prevent the browser from becoming a proxy and a path into my network.

uBlock has, for example, made this note in the info for the option, which actually describes it well: DNS queries no longer go the normal way.

"Important note when using extension-based proxy service: Extension-based proxy services usually are performed on the fly through a browser API. In such a case, uBO's DNS queries to uncloak canonical names will NOT be caught and proxied by an extension-based proxy service. So you may want to disable this setting when using an extension-based proxy service."

To reproduce the whole thing, should it not be enough to create a TAP device on the PC which establishes an active VPN connection, with different DNS servers entered there than on the LAN adapter? The leak test should then show both DNS servers with NBS and only the DNS server of the LAN adapter without NBS. At least if my assumption about how it happens is right.

To describe more exactly how I set it up:
I open a connection to the VPN provider via the TAP device; let's say the server is located in England. All internet traffic is now routed through this tunnel; local requests are not routed through the tunnel. So I am able to use a container to address the local Squid proxy and route past the VPN, and this container has my true IP from Ireland.
Now I build an SSL tunnel to an HTTP proxy in France and open a port locally that goes through this tunnel.
In the Firefox Container Proxy settings, I set the link to the proxy in France. This container has a French IP.
A container that is directly connected without a proxy has the English IP from the VPN adapter.
Now NBS is added and the following happens.
The container that goes past the VPN via the Squid proxy now has an English DNS server in addition to the Irish IP.
The container which is connected to the HTTP proxy in France now has an English DNS server in addition. Even if I use a SOCKS5 proxy, through which all DNS requests should go, the English DNS server also appears.
The directly connected container remains unchanged, purely English; it does not leak any other DNS query, which makes me very happy but also surprises me: purely logically two different DNS servers should also appear there, but on this path nothing is leaked.

I hope I was able to help a little further. I just do without NBS completely and now additionally use the NoScript add-on, and in its advanced settings I have cross-site requests sanitized and the cross-tab protection against identity leaks always enabled, which provides similar protection but does not cause DNS leaks.

If there is anything else I can do to help, please let me know.

Hello,

Regarding uBlock Origin and "Uncloak canonical names", please see https://blog.lukaszolejnik.com/large-scale-analysis-of-dns-based-tracking-evasion-broad-data-leaks-included/.

Both uBO and NBS use DNS API https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/dns.

The containers use https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/contextualIdentities. JShelter currently does not support contextual identities.

To get further with this issue, we need to learn if the DNS API can be linked with the contextual identity. If not, the bug is actually in Firefox. We call the DNS API from a background page. Hence, it is not linked with the contextual identity of the tab that initiated the request. The API cannot be called from the content script (https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_scripts#webextension_apis). I do not see a way to link the call of the DNS API with a tab and its contextual identity. But I admit I may be missing something.

Giorgio, if you solved the issue in NoScript, is there a way to port the functionality to JShelter? (Also see https://pagure.io/JShelter/webextension/issue/41)

If we do not fix the issue, I propose to add a warning like "Important note when using extension-based proxy service: Extension-based proxy services usually are performed on the fly through a browser API. In such a case, uBO's DNS queries to uncloak canonical names will NOT be caught and proxied by an extension-based proxy service. So you may want to disable this setting when using an extension-based proxy service." to the NBS in Firefox.

Metadata Update from @polcak:
- Issue assigned to gioma1
- Issue tagged with: bug, design decision

a year ago

Well, looking at #41, it seems that this issue is basically a duplicate of #41 (with additional information and an affected user).

I will keep this one open as there might be additional information to this specific case.

Metadata Update from @polcak:
- Issue marked as depending on: #41

a year ago

#41 is now closed, fixed by 8c7b439.
Let's keep this open pending user verification?

0.11.3 contains the fix. @m-u-m-p-i-t-z: Can you please verify that the fix works in your setup?

We notify Firefox users about possible NBS deactivation (2750740) and I added a FAQ entry (5fb96a2). Feel free to comment if you think there is something to add/clarify.

Metadata Update from @polcak:
- Issue tagged with: question

a year ago

Hi,
I have now installed 0.11.3 and now have separate DNS servers, as it should be.
Thanks a lot!

Did I understand correctly that when a proxy is used, NBS is disabled?
And what if SOCKS proxies are used instead of HTTP?

> Hi,
> I have now installed 0.11.3 and now have separate DNS servers, as it should be.
> Thanks a lot!
>
> Did I understand correctly that when a proxy is used, NBS is disabled?

No, actually 2750740 and 5fb96a2 are a bit misleading and should be backed off.

NBS is still enabled, but it just doesn't use DNS on any request which is handled by a proxy which does name resolution by itself.

> And what if SOCKS proxies are used instead of HTTP?

The same.
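As an added example (not JShelter's own code, and not the fix in 8c7b439, which is not shown on this page), the following WebExtension-style background-script logic illustrates the two points made above: the DNS API is only reachable from the background page, so the decision whether to resolve a name has to be made from what a webRequest listener sees for each request, and, as the fix is described here, the resolver must be skipped for any request handled by a proxy that resolves names itself, because calling `browser.dns.resolve()` for such a request would use the host's resolver and so leak the VPN adapter's DNS servers. The `proxyInfo` shape (`host`, `port`, `type`, `proxyDNS`) is the one Firefox attaches to webRequest listener details; `decide()`, `isLocalIPv4()`, `fakeResolve()` and the names and addresses in `FAKE_DNS` are constructed for this example and simplify what NBS actually checks.

```javascript
// Added example, not JShelter's own code and not the fix in 8c7b439.
// Assumed: `details.proxyInfo` has the shape Firefox attaches to
// webRequest listener details ({host, port, type, proxyDNS, ...}).
// decide(), isLocalIPv4(), fakeResolve() and FAKE_DNS are constructed
// here and simplify what NBS actually checks.

// True when the proxy, not the browser, resolves the destination hostname.
// HTTP/HTTPS proxies always do (CONNECT / absolute-URI requests); SOCKS
// proxies do only when Firefox is told to proxy DNS (proxyDNS === true).
function proxyResolvesNames(proxyInfo) {
  if (!proxyInfo || proxyInfo.type === "direct") return false;
  const t = proxyInfo.type;
  if (t === "http" || t === "https") return true;
  if (t === "socks" || t === "socks4") return Boolean(proxyInfo.proxyDNS);
  return false;
}

// Dotted-quad IPv4 -> 32-bit unsigned integer, or null if not an IPv4 literal.
function ipv4ToInt(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = ((n << 8) | octet) >>> 0;
  }
  return n;
}

// Ranges treated as "inside the boundary": RFC 1918, loopback,
// link-local and this-host.
const PRIVATE_V4 = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16], ["0.0.0.0", 8],
];

function isLocalIPv4(addr) {
  const ip = ipv4ToInt(addr);
  if (ip === null) return false;
  return PRIVATE_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// Classify one request. `resolve` is injected (browser.dns.resolve in a
// real extension) so the logic can run offline against a fake resolver.
// Returns "skip-dns" (proxied request: resolving here would leak),
// "block" (public origin reaching a local address) or "allow".
async function decide(details, resolve) {
  if (proxyResolvesNames(details.proxyInfo)) return "skip-dns";
  const target = new URL(details.url).hostname;
  const targetAddrs = isLocalIPv4(target) ? [target] : (await resolve(target)).addresses;
  if (!targetAddrs.some(isLocalIPv4)) return "allow";
  // Top-level navigations carry no originUrl; let the user reach their router.
  if (!details.originUrl) return "allow";
  const origin = new URL(details.originUrl).hostname;
  const originAddrs = isLocalIPv4(origin) ? [origin] : (await resolve(origin)).addresses;
  return originAddrs.some(isLocalIPv4) ? "allow" : "block";
}

// Constructed stand-in for browser.dns.resolve(); names and addresses are
// made up for this example (203.0.113.0/24 is documentation address space).
const FAKE_DNS = {
  "router.lan": ["192.168.1.1"],
  "public.example": ["203.0.113.10"],
};
async function fakeResolve(hostname) {
  if (!(hostname in FAKE_DNS)) throw new Error("NXDOMAIN: " + hostname);
  return { addresses: FAKE_DNS[hostname] };
}

// Hook into Firefox when loaded as a background script (needs the "dns",
// "webRequest" and "webRequestBlocking" permissions; Firefox accepts a
// Promise as the return value of a blocking listener).
if (typeof browser !== "undefined" && browser.webRequest && browser.dns) {
  browser.webRequest.onBeforeRequest.addListener(
    async (details) =>
      ({ cancel: (await decide(details, (h) => browser.dns.resolve(h))) === "block" }),
    { urls: ["<all_urls>"] },
    ["blocking"]
  );
}
```

Two caveats a practitioner should keep in mind. First, a SOCKS proxy configured without "Proxy DNS" (`proxyDNS` false) makes Firefox resolve the name through the host resolver anyway, so for that configuration the extension's own lookup adds no new leak; the guard only matters where the proxy would otherwise have hidden the lookup. Second, a proxy chosen per container by a proxy add-on (via `browser.proxy.onRequest`) is still reported to later `webRequest` listeners through `details.proxyInfo`, which is what makes a per-request decision possible even though the DNS API itself knows nothing about contextual identities.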

Metadata Update from @gioma1:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a year ago

But it is written in the options:
"Network Boundary Shield is not active if you are using HTTP proxy to prevent DNS leaks of your queries initiated from this computer."

After the edit of your post it is clear. Thank you very much!

Metadata Update from @polcak:
- Issue status updated to: Open (was: Closed)

a year ago

Metadata Update from @polcak:
- Issue unmarked as depending on: #41

a year ago

Metadata Update from @polcak:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a year ago

Hello m-u-m-p-i-t-z, I added a comment to #41. If there are further questions regarding the clarifications of the docs, please, discuss in #41.

(Sorry for reopening this issue but this was the only way to add this comment.)

