FoxyProxy using SOCKS5 + uBlock Origin with uncloak enabled = DNS leaks

[aliron19]

Hi,

The following examples will use FoxyProxy Standard v7.5.1, uBlock Origin v1.34.0, and Firefox 87.0, under Windows 10 Pro 64bits.

##################################################
SCENARIO 1
##################################################

1. Disable FoxyProxy add-on.
2. Enable uBlock add-on.
3. Under uBlock settings, enable Uncloak canonical names.
4. Configure Firefox network settings to use a Manual proxy configuration, with a SOCKS5 proxy (for example, TorBroswer provides a free socks5 proxy), and enable Proxy DNS when using SOCKS v5.
5. Go to https://dnsleaktest.com/ and run an Extended test.

RESULT: Firefox will NOT leak DNS. 😀

##################################################
SCENARIO 2
##################################################

1. Disable uBlock add-on.
2. Enable FoxyProxy add-on.
3. Add a SOCKS5 proxy server (for example, TorBroswer as mentioned on the previous scenario), and enable Send DNS through SOCKS5 proxy.
4. Edit its patterns, and verify that is white listing All URLs (wildcard *), and black listing nothing (empty section).
5. Configure FoxyProxy to use always that SOCKS5 server.
6. Configure Firefox network settings to Use system proxy settings (so FoxyProxy will kick in action).
7. Go to https://dnsleaktest.com/ and run an Extended test.

RESULT: Firefox will NOT leak DNS. 😀

##################################################
SCENARIO 3
##################################################

1. Enable uBlock add-on.
2. Under uBlock settings, verify that Uncloak canonical names is enabled.
3. Enable FoxyProxy add-on.
4. Verify that the SOCKS5 proxy server you defined on previous scenario is enabled, with its Send DNS through SOCKS5 proxy option enabled too.
5. Verify its patterns, so that it's white listing All URLs (wildcard *), and black listing nothing (empty section).
6. Configure FoxyProxy to use always that SOCKS5 server.
7. Configure Firefox network settings to Use system proxy settings (so FoxyProxy will kick in action).
8. Go to https://dnsleaktest.com/ and run an Extended test.

RESULT: Firefox will LEAK DNS. 😓

##################################################
CONCLUSIONS
##################################################

1. Neither uBlock nor FoxyProxy cause DNS leaks by their own.
2. When both them are active, uBlock's uncloak feature will cause DNS leaks.

I'm not sure which one should we "blame", but as uBlock behaves as expected on scenario 1, which configuration is technically equivalent to scenario 3 (since both them are always using a SOCKS5 proxy even for DNS traffic), to me it looks more like it's FoxyProxy's "fault". 🤔

Can you please confirm if this is a FoxyProxy bug?

If so, how can I help to debug it?

Thanks.

[0ibaba]

I think it's actually ublock's fault because I get the same results as FoxyProxy when I use windows to configure the socks5 proxy.

One thing I noticed was that if I have DNS over HTTPS enabled, then the set DNS provider (Cloudflare for me) also shows up
This doesn't show up in https://dnsleaktest.com/ but it does in ExpressVPN's test. This happens even if I have ublock disabled so might be something else

Using Firefox's settings to manually set the proxy has no problem tho...

[jasonla]

As a followup, yes I think it's uBlock origin's "fault." Although it's not really a bug in uBlock. The documentation better explains it:

https://github.com/gorhill/uBlock/wiki/Dashboard:-Settings#uncloak-canonical-names

Important note when using extension-based proxy service: Extension-based proxy services usually are performed on the fly through a browser API. In such a case, uBO's DNS queries to uncloak canonical names will NOT be caught and proxied by an extension-based proxy service. So you may want to disable this setting when using an extension-based proxy service.

[erosman]

There are 2 options available for the proxy implementation in future development (manifest v3), each with their own pros/cons:
📌 Feedback is welcomed

On the fly browser API

• ❓ Available for Firefox only
• 👍 Save user/pass (if wanted) in extension & import/export them
• 👍 Use user/pass for SOCKS5
• 👎 No proxy from the browser start-up until extension is loaded
• 👎 Possible DNS leak from uBlock Origin (or similar)
• 👎 More resource intensive

Browser Proxy auto-config

• 👍 Available for Chrome & Firefox
• ❓ Save user/pass (if wanted) in browser settings (or system in Chrome)
• 👍 Proxy from the browser start-up
• 👍 No DNS leak from uBlock Origin (or similar)
• 👍 Less resource intensive
• 👎 Users can't import/export user/pass with their settings
• 👎 No user/pass for SOCKS5

[jasonla]

Oh tough call. I don't feel like I know enough about all of the ins and outs. On the surface, the Browser Proxy auto-config looks like it has more advantages and is less resource intensive. I don't use a user/pass for my SOCKS5 server since it's in a docker container on my local network and I control the container/server.

But with the configuration change to uBlock, it's now working great for me. Maybe while this is being decided, we can add a note in the Readme for this specific scenario?

[erosman]

Is the issue still occurring?

[MasterKia]

I can't reproduce.

[erosman]

Thank you. Therefore, I think we close this for now.

[20NE]

firefox 118.0.2
foxyproxy 7.5.1
ublock 1.52.2
The issue still occurring! DNS stop leaking only after uBlock Origin with uncloak disabled.
And when firefox use ECH (encrypted client hello) + DNS-over-HTTPS, always DNS leaking, whether uBlock Origin with uncloak enabled or disabled.
Pls reopen issue.

[erosman]

@20NE
We can only work on issues related to FoxyProxy.
Issues related to other addons should be handled by their respective developers.
You can test with FoxyProxy v8 and see if there is any difference.