#28642 closed defect (wontfix)

Tor browser cannot connect to SOCKS server if it is not specified by IP address

Reported by: wagon Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: gk Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I have tor running at another host with IP 10.0.0.1. It is accessible by tor-browser running on 10.0.0.2 via network connection. In TBB 8.0.3, if I put in /path/to/Browser/TorBrowser/Data/Browser/profile.default/user.js an option

user_pref("network.proxy.socks", "10.0.0.1");

it works fine. However, if I put

user_pref("network.proxy.socks", "myproxy");

where myproxy is added to /etc/hosts as 10.0.0.1 myproxy, tor-browser cannot connect. Original firefox 60.3.0 (8.0.3 is based on this version) works fine if proxy is specified as myproxy. Is it a feature or bug? Do we have some workaround for this?

Child Tickets

Change History (6)

comment:1 Changed 13 months ago by gk

Resolution: wontfix
Status: assignedclosed

I guess it's related to a feature which has prevented numerous proxy bypasses for DNS requests. We do

+    PRNetAddr tempAddr;
+    if (mDisableDNS) {
+        // Allow IP lookups through, but nothing else.
+        if (PR_StringToNetAddr(aHostname.BeginReading(), &tempAddr) != PR_SUCCESS) {
+            return NS_ERROR_UNKNOWN_PROXY_HOST; // XXX: NS_ERROR_NOT_IMPLEMENTED?
+        }
+    }

network.proxy.socks_remote_dns is the preference which might help you. Assuming I am right then this a WONTFIX. Please reopen otherwise.

comment:2 Changed 13 months ago by wagon

I see the same problem with torsocks, but torsocks documented it as not yet implemented (man torsocks.conf):

TorAddress ip_addr

The IP address of the Tor SOCKS server (e.g "server = 10.1.4.253"). Only one server may be specified.
Currently, torsocks does NOT support hostname. (default: 127.0.0.1)

comment:3 Changed 13 months ago by wagon

network.proxy.socks_remote_dns is the preference which might help you.

You are right. If it is false, it works. However, it is strange that value of this option in user.js is ignored. I have to change it from browser in about:config manually. Why? I found that in /path/to/profile.meek-http-helper it is written

// Make sure DNS is also blackholed. network.proxy.socks_remote_dns is
// overridden by meek-http-helper at startup.

but I don't use transports.

From anonymity point of view using tor as DNS service is not good, as different exit nodes will be used for DNS resolving and for data transfer, which makes tor usage pattern unique. For this task, some intermediate local transparent proxy, which maps myproxy to another IP, is probably better.

comment:4 in reply to:  1 Changed 13 months ago by targetSdkVersion

Resolution: wontfix
Status: closedreopened

Replying to gk:

I guess it's related to a feature which has prevented numerous proxy bypasses for DNS requests. We do

+    PRNetAddr tempAddr;
+    if (mDisableDNS) {
+        // Allow IP lookups through, but nothing else.
+        if (PR_StringToNetAddr(aHostname.BeginReading(), &tempAddr) != PR_SUCCESS) {
+            return NS_ERROR_UNKNOWN_PROXY_HOST; // XXX: NS_ERROR_NOT_IMPLEMENTED?
+        }
+    }

network.proxy.socks_remote_dns is the preference which might help you. Assuming I am right then this a WONTFIX. Please reopen otherwise.

No, that's not for the address of SOCKS proxy for Firefox. See #17991, #17953, #17949, #17901 for why you can't use hard-coded 127.0.0.1.

comment:5 Changed 13 months ago by wagon

For this task, some intermediate local transparent proxy, which maps myproxy to another IP, is probably better.

There is a very simple solution which requires neither myproxy nor any additional proxy for this steup. It is enough to specify 127.0.0.1 as SOCKS proxy in tor-browser and then redirect 127.0.0.1:port to Tor's IP:port using only iptables rules. It may be not an accurate solution from viewpoint of standards but it is neat, simple, and works fine.

See #17991, #17953, #17949, #17901 for why you can't use hard-coded 127.0.0.1.

I think it is a different problem. Tor-browser works fine with any IP of SocksPort, it is not needed to be hard-coded. This ticket is about using some hostname instead of IP.

Last edited 13 months ago by wagon (previous) (diff)

comment:6 in reply to:  5 Changed 13 months ago by gk

Resolution: wontfix
Status: reopenedclosed

Replying to wagon:

See #17991, #17953, #17949, #17901 for why you can't use hard-coded 127.0.0.1.

I think it is a different problem. Tor-browser works fine with any IP of SocksPort, it is not needed to be hard-coded. This ticket is about using some hostname instead of IP.

I agree, closing. FWIW: not sure why user.js is ignored. I have not looked that closely at the code.

Note: See TracTickets for help on using tickets.