Re: [Tails-dev] network.proxy.socks_remote_dns and localhost

Nachricht löschen

Nachricht beantworten
Autor: adrelanos
Datum:  
To: tails-dev
Betreff: Re: [Tails-dev] network.proxy.socks_remote_dns and localhost
Ague Mill:
> Hi!
>
> Since we now include Torbrowser patches, we gained the
> `network.proxy.socks_remote_dns` preference.
>
> Its implemented in:
> <https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0016-Prevent-WebSocket-DNS-leak.patch>
>
> When this option is true, Firefox will fail every name resolving request
> that is not going through a proxy (except when asked the noop that is
> resolving an IP address).
>
> socks_remote_dns is set to true by Torbutton. This is currently seen as
> mandatory: when set to false, Torbutton assumes we are out of "Tor mode"
> and display a broken onion.
>
> This state of affairs currently breaks (at least) two things in Tails
> 0.14:
>
>  * Access to the I2P router console through `http://localhost:7657/`.
>  * The Monkeysphere extension is not able to connect the validation
>    agent. (This one also requires a new whitelist rule in FoxyProxy
>    to fully work again.)

>
> Both can be fixed by using `127.0.0.1` instead of `localhost`. That's
> good enough if there's not an army of similar issues behind.
>
> But given that Tails system resolver is using Tor, this already takes care
> of the leaks that `socks_remote_dns` prevents. So we could also modify
> Torbutton think good things about our torrified system resolver.


"socks_remote_dns true" uses Tor Browser's socks port (SocksPort) for
DNS resolution while "socks_remote_dns false" uses the torified system
DNS resolver (DnsPort). SocksPort and DnsPort are stream isolated.

I recommend against using "socks_remote_dns false". It would lead to
having a different Tor circuit resolving DNS, thus worsening Tails's web
fingerprint. (http://check2ip.com/ demonstrates showing your dns server)

Cheers,
adrelanos