
If you go to chrome://browser/content/preferences/connection.xul, in the bottom, it says [ ] Use proxy to perform DNS queries (SOCKS v5 only). Unchecked by default. In fact, I have never noticed the existence of this option for all the years I've been using proxies in both (in the past) Firefox and now Pale Moon.

Does this really mean that it has been bypassing my specified proxy for every DNS lookup, instead making those directly with my main connection, just because I did not actively check (or even notice) that box?

And if this is the case, why would it be unchecked by default? And who would ever want to use a proxy but not have DNS queries go through it?

  • @Peregrino69 You are seriously asking why somebody using a proxy would want a crucial part of sensitive information to also travel over the proxy? Commented Sep 12, 2021 at 13:37
  • Standard web proxies only proxy HTTP(S) traffic, maybe FTP. DNS, NTP and other similar protocols are usually sent directly to the servers. As the option describes, DNS proxying only works with SOCKS v5 proxies, which are less common. Leaving that option enabled by default would cause browsers to send DNS traffic towards the configured proxy server, and if it can't handle the DNS traffic the requests would be dropped, causing loss of internet connectivity. That would inconvenience the vast majority of the users. Commented Sep 12, 2021 at 13:51
  • @Peregrino69 Surely the SOCKS protocol(s) must be able to communicate which version it runs, though? So that it could auto-enable this crucial privacy "feature" if v5 is detected? If not, SOCKS sucks... Commented Sep 12, 2021 at 14:09
  • @Peregrino69: That's not exactly how this option works though. It doesn't proxy actual DNS traffic; it makes the proxy perform DNS queries -- which is to say, it causes the browser to send the original domain name in the "Destination" field (as opposed to sending the IP address), and the proxy itself handles DNS lookups. Commented Sep 12, 2021 at 14:26
  • I do believe Autodetection does exactly that - negotiates the required proxy settings with the server, also whether it's HTTP or SOCKS. If you've configured your proxy manually but not as SOCKS v5, then yes, your DNS traffic has not been proxied. If the browser has used the system proxy settings, DNS proxying should also be set there. Why it's unchecked by default is really a question you need to direct to the devs of your chosen browser. Probably because it's not an option that the majority of users need. Commented Sep 12, 2021 at 14:35

2 Answers

Does this really mean that it has been bypassing my specified proxy for every DNS lookup, instead making those directly with my main connection, just because I did not actively check (or even notice) that box?

Yes.

And who would ever want to use a proxy but not have DNS queries go through it?

People who use a proxy for reasons other than privacy, e.g. developers who want to access a remote server according to their local /etc/hosts names, or corporate users who want their locally configured "domain search suffix" to be honored.

In general, just as with VPNs, the original purpose of proxy servers had nothing to do with privacy or information hiding – they were used for authentication and filtering (and in the case of HTTP proxies, caching and more caching), e.g. using a corporate SOCKS gateway to access internal services while working from home, or using a local HTTP caching proxy so that the entire campus wouldn't need to fetch the exact same website assets 100 times through a slow radio link. (With HTTP proxies the domain name is resolved by the proxy but that's not the point I was making.)

Admittedly the Mozilla proxy settings page hasn't been keeping up with the times much, especially when SOCKS usage shifted towards it being primarily an interface to Tor.

(If I remember correctly, Mozilla even had the ability to send hostnames to the SOCKS v5 proxy for a long time before this checkbox got added, but it was only visible through about:config for a long while.)

Surely the SOCKS protocol(s) must be able to communicate which version it runs, though? So that it could auto-enable this crucial privacy "feature" if v5 is detected?

No, that's why the settings page asks you to choose between SOCKS v4 and v5 in the first place. The same server may support both, but it has no way of telling the server which versions are supported.

(There is actually the original SOCKS v4, which strictly dealt with IPv4 addresses, and SOCKS "v4a" which added the capability to use DNS names before version 5 got published. I think Mozilla only supports the former?)

1

This option was introduced in Pale Moon version 27.6.0 in 2017 (link).

Its purpose is to prevent DNS leaks:

A DNS leak refers to a security flaw that allows DNS requests to be revealed to ISP DNS servers, despite the use of a VPN service to attempt to conceal them.[1] Although primarily of concern to VPN users, it is also possible to prevent it for proxy and direct internet users.

This would only be applicable to a SOCKS v5 proxy. With this option, the browser asks the proxy to connect to the host using the host-name of the host instead of its IP address. It's up to the SOCKS5 proxy then to do the lookup.
