blow commands initiation http(s) proxy <div class="snippet-clipboard-content notr

this is my server on remote computer in another country: <code class="notranslate"

it is firefox useing proxy problem，see：<a href="https://www.reddit.com/r/linuxquestion

"DNS leak" bug in http proxy mode about goproxy HOT 12 CLOSED

snail007 commented on May 18, 2024

"DNS leak" bug in http proxy mode

from goproxy.

Comments (12)

snail007 commented on May 18, 2024

default mode proxy will try access domain directly, if failed then access it through parent , you can prevent it by two ways,1:add
that domain in blocked file . 2:add argument --always in client arguments.

from goproxy.

saturn99 commented on May 18, 2024

this is very bad idea for default mode,, 👎
in http(s) proxy all domain must be resolve on server side proxy server!
the clinet must be only rely traffic to server, and not solve any domain name with DNS

The execute of the client with the argument ‍−−always‍ has the same problem :(

from goproxy.

snail007 commented on May 18, 2024

--always means client forward all raw request to parent with no resolve in client , you may have some mistake

from goproxy.

saturn99 commented on May 18, 2024

this is my server on remote computer in another country:
proxy http -t tls -p ":10801" -C p.crt -K p.key --forever --daemon -z "S"

this is my client in my personal computer:
proxy http --always -t tcp -p ":5656" -T tls -P "SERVER_IP:10801" -C p.crt -K p.key -Z "S"

i run this command on my oersonal computer:
curl -x "127.0.0.1:5656" "http://abc.efg/"

and this is my sniff date on personal computer:
https://screenshots.firefox.com/zUOV7DKQVI4M0SQ1/null

client side proxy (with --always argument) send dns packet for solving domain name

where is my mistake? :(
thank you

from goproxy.

snail007 commented on May 18, 2024

the client and server log is？

from goproxy.

snail007 commented on May 18, 2024

it is firefox useing proxy problem，see：https://www.reddit.com/r/linuxquestions/comments/7slstp/proxy_dns_when_using_socks5_not_adhered_to_when/ , if you can find which program send A query ，it wiil be firefox not proxy. you can fix that by above link page.

Only Socks v5 (not v4) supports DNS proxy on Firefox and you must also tick the checkbox "Proxy DNS when using SOCKS v5" at the bottom of the network settings screen.

from goproxy.

saturn99 commented on May 18, 2024

:|||
I use curl for test, not firefox

I have not any problem with another http(s) proxy

from goproxy.

snail007 commented on May 18, 2024

show the server log output,when exec curl.

from goproxy.

saturn99 commented on May 18, 2024

my client:
proxy http --always -t tcp -p ":5656" -T tls -P "SERVER_IP:10801" -C proxy.crt -K proxy.key -Z "S"

curl command when open abc.efg and google.com:

$curl -x "127.0.0.1:5656" "http://abc.efg/"
curl: (52) Empty reply from server

$curl -x "127.0.0.1:5656" "https://google.com"
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

My clinet Logs:

	########  ########   #######  ##     ## ##    ## 
	##     ## ##     ## ##     ##  ##   ##   ##  ##  
	##     ## ##     ## ##     ##   ## ##     ####   
	########  ########  ##     ##    ###       ##    
	##        ##   ##   ##     ##   ## ##      ##    
	##        ##    ##  ##     ##  ##   ##     ##    
	##        ##     ##  #######  ##     ##    ##    
	
	v4.7 by snail , blog : http://www.host900.com/

2018/05/23 16:35:25 use tls parent SERVER_IP:10801
2018/05/23 16:35:25 tcp http(s) proxy on [::]:5656
2018/05/23 16:35:27 GET:http://abc.efg/
2018/05/23 16:35:27 use proxy : true, abc.efg:80
2018/05/23 16:35:29 conn 127.0.0.1:49334 - SERVER_IP:10801 connected [abc.efg:80]
2018/05/23 16:35:39 conn 127.0.0.1:49334 - SERVER_IP:10801 released [abc.efg:80]
2018/05/23 16:40:46 CONNECT:google.com:443
2018/05/23 16:40:46 use proxy : true, google.com:443
2018/05/23 16:40:46 conn 127.0.0.1:49468 - SERVER_IP:10801 connected [google.com:443]
2018/05/23 16:40:47 conn 127.0.0.1:49468 - SERVER_IP:10801 released [google.com:443]

SERVER Logs when open abc.efg:

./proxy http -t tls -p ":10801" -C proxy.crt -K proxy.key --forever -z "S"

2018/05/23 12:05:18 worker ./proxy [PID] 10556 running...

	########  ########   #######  ##     ## ##    ## 
	##     ## ##     ## ##     ##  ##   ##   ##  ##  
	##     ## ##     ## ##     ##   ## ##     ####   
	########  ########  ##     ##    ###       ##    
	##        ##   ##   ##     ##   ## ##      ##    
	##        ##    ##  ##     ##  ##   ##     ##    
	##        ##     ##  #######  ##     ##    ##    
	
	v4.7 by snail , blog : http://www.host900.com/

2018/05/23 12:05:18 tls http(s) proxy on [::]:10801
2018/05/23 12:05:27 GET:http://abc.efg/
2018/05/23 12:05:28 use proxy : false, abc.efg:80
2018/05/23 12:05:28 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying...
2018/05/23 12:05:30 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying...
2018/05/23 12:05:32 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying...
2018/05/23 12:05:34 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying...
2018/05/23 12:05:36 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying...
2018/05/23 12:05:38 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host
2018/05/23 12:05:38 connect to abc.efg:80 fail, ERR:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host

SERVER Logs when open google.com:

./proxy http -t tls -p ":10801" -C proxy.crt -K proxy.key --forever -z "S"

2018/05/23 12:10:32 worker ./proxy [PID] 10586 running...
2018/05/23 12:10:32 tls http(s) proxy on [::]:10801

	########  ########   #######  ##     ## ##    ## 
	##     ## ##     ## ##     ##  ##   ##   ##  ##  
	##     ## ##     ## ##     ##   ## ##     ####   
	########  ########  ##     ##    ###       ##    
	##        ##   ##   ##     ##   ## ##      ##    
	##        ##    ##  ##     ##  ##   ##     ##    
	##        ##     ##  #######  ##     ##    ##    
	
	v4.7 by snail , blog : http://www.host900.com/

2018/05/23 12:10:45 CONNECT:google.com:443
2018/05/23 12:10:45 use proxy : false, google.com:443
2018/05/23 12:10:45 conn 31.56.172.109:32994 - 216.58.208.46:443 connected [google.com:443]
2018/05/23 12:10:46 conn 31.56.172.109:32994 - 216.58.208.46:443 released [google.com:443]

and i sniff two DNS request on my client side for resolving doman name

thank you

from goproxy.

snail007 commented on May 18, 2024

no matter what ever,the server log means that the abc.efg requested by server and dns also
in server ,but dns lookup fail.

from goproxy.

saturn99 commented on May 18, 2024

i found line of this bug:

goproxy/services/http.go

Line 232 in bfcc27e

if !utils.IsIternalIP(host) {

this line execute before check --always argument!!!!!!!!
inside this function, we see net.LookupIP(domainOrIP) and this method use DNS for resolving domain name

LookupIP looks up host using the local resolver. It returns a slice of that host's IPv4 and IPv6 addresses.

source

then:
if we use http mode, proxy in client side send DNS request!!! and this is e bug!

solation:

check *s.cfg.Always before use IsIternalIP

thank you

from goproxy.

saturn99 commented on May 18, 2024

This problem solved at commit 5c9fc85 on dev branch

from goproxy.

"DNS leak" bug in http proxy mode about goproxy HOT 12 CLOSED

Comments (12)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent