Debian 12 (bookworm) Template has broken DNS resolution when using http_proxy=http://127.0.0.1:8082/ (Qubes UpdatesProxy) (tinyproxy) #8279

Closed
adrelanos opened this issue Jun 20, 2023 · 4 comments
Labels
affects-4.1 This issue affects Qubes OS 4.1. C: Debian/Ubuntu C: networking diagnosed Technical diagnosis has been performed (see issue comments). P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.

Comments

@adrelanos
Member

Qubes OS release

4.1

Brief summary

Setting http_proxy=http://127.0.0.1:8082/ is broken in debian-12 (bookworm) Template.

Steps to reproduce

Use debian-12 (bookworm) Template.

http_proxy=http://127.0.0.1:8082/ curl https://check.torproject.org

Expected behavior

Functional DNS.

Actual behavior

Broken DNS.

curl: (6) Could not resolve host: check.torproject.org

Additional information

This is reproducible if sys-net (UpdateVM) is using as Template:

  • debian-11
  • debian-12
  • fedora-38

Template:

  • This did not happen with debian-11 (bullseye) Template.
  • Only debian-12 (bookworm) Template is affected by this bug.

dom0 journalctl qubes qrexec-policy-daemon does not see the request when using DNS. (It does see the request when using IP.)

It could be that curl (and other applications) are using http_proxy=http://127.0.0.1:8082/ for IP but ignore it for DNS resolution.

Impact

Breaks various things, including:

  • curl repository signing key download
  • extrepo: http_proxy=http://127.0.0.1:8082/ sudo extrepo enable kicksecure
  • flatpak: http_proxy=http://127.0.0.1:8082 flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
  • Qubes-Whonix: Tor Browser updates by update-torbrowser running inside Template
@adrelanos adrelanos added P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. labels Jun 20, 2023
@marmarek
Member

Have you tried setting https_proxy too?

@andrewdavidwong andrewdavidwong added C: Debian/Ubuntu needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. C: networking labels Jun 20, 2023
@adrelanos
Member Author

Setting https_proxy fixes the issue.

Any idea why this is happening? Seems like curl, extrepo, flatpak all use some application / library that now requires https_proxy for https links?

Are any updates in Qubes source code or documentation required?

Should A)

  • http_proxy=http://127.0.0.1:8082/ be changed to
  • https_proxy=http://127.0.0.1:8082/

or B)

  • http_proxy=http://127.0.0.1:8082/ https_proxy="$http_proxy"
  • Seems useful for documentation for compatibility with Debian bullseye and bookworm during the migration period.

or C)

  • ALL_PROXY=http://127.0.0.1:8082/
  • Don't know how widely supported this is.
    • Works with curl.
    • Works with flatpak
    • Fails with extrepo.

?

Btw, there's also NO_PROXY mentioned in the curl man page.

NO_PROXY <comma-separated list of hosts/domains>

@marmarek
Member

TBH, I'm not sure why just http_proxy worked for you before; as far as I remember, using a proxy for HTTPS with curl and others always required setting https_proxy. Maybe the previous version had it set somewhere else? Or HTTP (onion?) links were used?

Anyway, option B looks better, especially if onion URLs are used anywhere.

@adrelanos
Member Author

Thank you!

This is now functional for Whonix.

Should there be something to do here for Qubes, please re-open.
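
The behaviour diagnosed in this thread, as an added example that is not part of the original issue and not curl or Qubes code: a simplified shell model of curl's environment lookup, in which the scheme of the target URL selects `http_proxy` or `https_proxy`, `ALL_PROXY` is only a fallback, and `NO_PROXY` bypasses the proxy. `proxy_for_url` and `demo` are hypothetical helper names, and host parsing is deliberately minimal (no IPv6 literals).

```sh
#!/bin/sh
# Added example: simplified model of curl's proxy lookup from the environment.
# proxy_for_url is a hypothetical helper; it is not part of curl or Qubes.
# Prints the proxy the given URL would use, or DIRECT if none applies.
# The body is a subshell ( ... ), so IFS, set -f and exit stay local to it.
proxy_for_url() (
    url=$1
    scheme=${url%%://*}
    host=${url#*://}; host=${host%%/*}; host=${host##*@}; host=${host%%:*}

    # NO_PROXY: comma-separated hosts/domains that bypass any proxy.
    set -f; IFS=,
    for entry in ${no_proxy:-${NO_PROXY:-}}; do
        entry=${entry# }; entry=${entry#.}
        [ -n "$entry" ] || continue
        if [ "$entry" = "*" ]; then echo DIRECT; exit 0; fi
        case $host in
            "$entry"|*."$entry") echo DIRECT; exit 0 ;;
        esac
    done

    # The scheme of the *target URL* picks the variable, not the proxy's scheme.
    case $scheme in
        http)  proxy=${http_proxy:-} ;;   # curl ignores uppercase HTTP_PROXY
        https) proxy=${https_proxy:-${HTTPS_PROXY:-}} ;;
        *)     echo "unsupported scheme: $scheme" >&2; exit 2 ;;
    esac
    # ALL_PROXY is only a fallback when no scheme-specific variable is set.
    [ -n "$proxy" ] || proxy=${all_proxy:-${ALL_PROXY:-}}
    echo "${proxy:-DIRECT}"
)

# Constructed demo: the settings discussed in the thread, for one HTTPS URL.
demo() (
    unset http_proxy https_proxy HTTPS_PROXY all_proxy ALL_PROXY no_proxy NO_PROXY
    url=https://check.torproject.org
    http_proxy=http://127.0.0.1:8082/
    echo "A-before (http_proxy only):   $(proxy_for_url "$url")"
    https_proxy=$http_proxy
    echo "B (http_proxy + https_proxy): $(proxy_for_url "$url")"
    unset http_proxy https_proxy; ALL_PROXY=http://127.0.0.1:8082/
    echo "C (ALL_PROXY only):           $(proxy_for_url "$url")"
)
demo
```

A result of DIRECT for an https:// URL inside a Template means the client resolves the name itself instead of handing it to the UpdatesProxy, which is where the "Could not resolve host" error in the report comes from.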

@andrewdavidwong andrewdavidwong added diagnosed Technical diagnosis has been performed (see issue comments). and removed needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. labels Jun 23, 2023
@andrewdavidwong andrewdavidwong added the affects-4.1 This issue affects Qubes OS 4.1. label Aug 8, 2023