"DNS leak" bug in http proxy mode #84

Closed
saturn99 opened this issue May 22, 2018 · 12 comments

@saturn99

saturn99 commented May 22, 2018

The commands below start the http(s) proxy:

#client#  proxy http -t tcp -p ":5656" -T tls -P "SERVER_IP:10801" -C p.crt -K p.key -Z "S" 
#server# proxy http -t tls -p ":10801"  -C p.crt -K p.key --forever --daemon  -z "S"

All is good,
but the client listener has a "DNS leak" bug. For example, if we request:
curl -x "127.0.0.1:5656" "https://abc.def/"
we can see the "abc.def" host name being resolved on the client side!!!

This line has the problem (maybe):

(*s).domainResolver = utils.NewDomainResolver(*s.cfg.DNSAddress, *s.cfg.DNSTTL)

@snail007
Owner

In default mode the proxy will try to access the domain directly; if that fails, it accesses it through the parent. You can prevent this in two ways: 1: add
that domain to the blocked file. 2: add the argument --always to the client arguments.

@saturn99
Author

saturn99 commented May 22, 2018

This is a very bad idea for the default mode. 👎
In an http(s) proxy, all domains must be resolved on the server-side proxy server!
The client must only relay traffic to the server, and not resolve any domain name with DNS.

Running the client with the argument --always has the same problem :(

@snail007
Owner

--always means the client forwards all raw requests to the parent with no resolving in the client; you may have made some mistake.

@saturn99
Author

This is my server on a remote computer in another country:
proxy http -t tls -p ":10801" -C p.crt -K p.key --forever --daemon -z "S"

This is my client on my personal computer:
proxy http --always -t tcp -p ":5656" -T tls -P "SERVER_IP:10801" -C p.crt -K p.key -Z "S"

I run this command on my personal computer:
curl -x "127.0.0.1:5656" "http://abc.efg/"

And this is my sniffed data on my personal computer:
https://screenshots.firefox.com/zUOV7DKQVI4M0SQ1/null

The client-side proxy (with the --always argument) sends a DNS packet to resolve the domain name.

Where is my mistake? :(
Thank you

@snail007
Owner

snail007 commented May 22, 2018

What are the client and server logs?

@snail007
Owner

snail007 commented May 23, 2018

It is a problem with Firefox using the proxy, see: https://www.reddit.com/r/linuxquestions/comments/7slstp/proxy_dns_when_using_socks5_not_adhered_to_when/ . If you can find which program sends the A query, it will be Firefox, not the proxy. You can fix that using the page linked above.

Only Socks v5 (not v4) supports DNS proxy on Firefox and you must also tick the checkbox "Proxy DNS when using SOCKS v5" at the bottom of the network settings screen.

@saturn99
Author

:|||
I use curl for the test, not Firefox.

I do not have any problem with another http(s) proxy.

@snail007
Owner

Show the server log output when executing curl.

@saturn99
Author

saturn99 commented May 23, 2018

My client:
proxy http --always -t tcp -p ":5656" -T tls -P "SERVER_IP:10801" -C proxy.crt -K proxy.key -Z "S"

curl commands when opening abc.efg and google.com:

$curl -x "127.0.0.1:5656" "http://abc.efg/"
curl: (52) Empty reply from server

$curl -x "127.0.0.1:5656" "https://google.com"
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

My client logs:
	########  ########   #######  ##     ## ##    ## 
	##     ## ##     ## ##     ##  ##   ##   ##  ##  
	##     ## ##     ## ##     ##   ## ##     ####   
	########  ########  ##     ##    ###       ##    
	##        ##   ##   ##     ##   ## ##      ##    
	##        ##    ##  ##     ##  ##   ##     ##    
	##        ##     ##  #######  ##     ##    ##    
	
	v4.7 by snail , blog : http://www.host900.com/

2018/05/23 16:35:25 use tls parent SERVER_IP:10801
2018/05/23 16:35:25 tcp http(s) proxy on [::]:5656
2018/05/23 16:35:27 GET:http://abc.efg/
2018/05/23 16:35:27 use proxy : true, abc.efg:80
2018/05/23 16:35:29 conn 127.0.0.1:49334 - SERVER_IP:10801 connected [abc.efg:80]
2018/05/23 16:35:39 conn 127.0.0.1:49334 - SERVER_IP:10801 released [abc.efg:80]
2018/05/23 16:40:46 CONNECT:google.com:443
2018/05/23 16:40:46 use proxy : true, google.com:443
2018/05/23 16:40:46 conn 127.0.0.1:49468 - SERVER_IP:10801 connected [google.com:443]
2018/05/23 16:40:47 conn 127.0.0.1:49468 - SERVER_IP:10801 released [google.com:443]

Server logs when opening abc.efg: ./proxy http -t tls -p ":10801" -C proxy.crt -K proxy.key --forever -z "S"

2018/05/23 12:05:18 worker ./proxy [PID] 10556 running...

	########  ########   #######  ##     ## ##    ## 
	##     ## ##     ## ##     ##  ##   ##   ##  ##  
	##     ## ##     ## ##     ##   ## ##     ####   
	########  ########  ##     ##    ###       ##    
	##        ##   ##   ##     ##   ## ##      ##    
	##        ##    ##  ##     ##  ##   ##     ##    
	##        ##     ##  #######  ##     ##    ##    
	
	v4.7 by snail , blog : http://www.host900.com/

2018/05/23 12:05:18 tls http(s) proxy on [::]:10801
2018/05/23 12:05:27 GET:http://abc.efg/
2018/05/23 12:05:28 use proxy : false, abc.efg:80
2018/05/23 12:05:28 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying...
2018/05/23 12:05:30 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying...
2018/05/23 12:05:32 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying...
2018/05/23 12:05:34 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying...
2018/05/23 12:05:36 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying...
2018/05/23 12:05:38 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host
2018/05/23 12:05:38 connect to abc.efg:80 fail, ERR:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host

Server logs when opening google.com: ./proxy http -t tls -p ":10801" -C proxy.crt -K proxy.key --forever -z "S"

2018/05/23 12:10:32 worker ./proxy [PID] 10586 running...
2018/05/23 12:10:32 tls http(s) proxy on [::]:10801

	########  ########   #######  ##     ## ##    ## 
	##     ## ##     ## ##     ##  ##   ##   ##  ##  
	##     ## ##     ## ##     ##   ## ##     ####   
	########  ########  ##     ##    ###       ##    
	##        ##   ##   ##     ##   ## ##      ##    
	##        ##    ##  ##     ##  ##   ##     ##    
	##        ##     ##  #######  ##     ##    ##    
	
	v4.7 by snail , blog : http://www.host900.com/

2018/05/23 12:10:45 CONNECT:google.com:443
2018/05/23 12:10:45 use proxy : false, google.com:443
2018/05/23 12:10:45 conn 31.56.172.109:32994 - 216.58.208.46:443 connected [google.com:443]
2018/05/23 12:10:46 conn 31.56.172.109:32994 - 216.58.208.46:443 released [google.com:443]

And I sniffed two DNS requests on my client side for resolving the domain name.

Thank you

@snail007
Owner

No matter what, the server log means that abc.efg was requested by the server and the DNS lookup was also done
on the server, but the DNS lookup failed.

@saturn99
Author

I found the line with this bug:

if !utils.IsIternalIP(host) {

This line executes before the check of the --always argument!!!!!!!!
Inside this function, we see net.LookupIP(domainOrIP), and this method uses DNS to resolve the domain name.

LookupIP looks up host using the local resolver. It returns a slice of that host's IPv4 and IPv6 addresses.

source


Then:
if we use http mode, the proxy on the client side sends DNS requests!!! And this is a bug!


Solution:

check *s.cfg.Always before using IsIternalIP

thank you
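
The ordering problem described in the comment above, as an added example that is not part of the thread or the project's code. `isInternalIP`, `useParentLeaky`, `useParentFixed` and `leakedNames` are hypothetical names, the routing logic is an assumed shape of the check, and an injected function stands in for `net.LookupIP` so that local lookups can be counted offline.

```go
package main

import (
	"fmt"
	"net"
)

// lookupFunc stands in for net.LookupIP so lookups can be counted offline.
type lookupFunc func(host string) ([]net.IP, error)

// isInternalIP (hypothetical) resolves a host name locally, then classifies it.
func isInternalIP(host string, lookup lookupFunc) bool {
	ip := net.ParseIP(host)
	if ip == nil {
		ips, err := lookup(host) // local DNS query: visible on the client's network
		if err != nil || len(ips) == 0 {
			return false
		}
		ip = ips[0]
	}
	return ip.IsLoopback() || ip.IsPrivate()
}

// useParentLeaky runs the internal-IP check before it looks at always.
func useParentLeaky(host string, always bool, lookup lookupFunc) bool {
	internal := isInternalIP(host, lookup)
	return always || !internal
}

// useParentFixed checks always first, so the name is never resolved locally.
func useParentFixed(host string, always bool, lookup lookupFunc) bool {
	return always || !isInternalIP(host, lookup)
}

// leakedNames returns the names resolved locally while routing host.
func leakedNames(decide func(string, bool, lookupFunc) bool, host string, always bool) []string {
	var queried []string
	decide(host, always, func(h string) ([]net.IP, error) {
		queried = append(queried, h)
		return []net.IP{net.ParseIP("203.0.113.10")}, nil // constructed answer
	})
	return queried
}

func main() {
	fmt.Println("leaky, --always:", leakedNames(useParentLeaky, "abc.efg", true))
	fmt.Println("fixed, --always:", leakedNames(useParentFixed, "abc.efg", true))
	fmt.Println("fixed, default: ", leakedNames(useParentFixed, "abc.efg", false))
}
```

Both variants return the same routing decision with `always` set; only the leaky one issues a local query for the name on the way there.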

@saturn99 saturn99 reopened this May 30, 2018
snail007 added a commit that referenced this issue May 31, 2018
fix #81

Signed-off-by: arraykeys@gmail.com <arraykeys@gmail.com>
@saturn99
Author

This problem was solved at commit 5c9fc85 on the dev branch.
