Fix Tor dns leak #7769
Fix Tor dns leak #7769
Conversation
darkdh
requested review from
fmarier,
diracdeltas,
bbondy,
iefremov and
antonok-edm
| @@ -148,13 +161,35 @@ class AdblockCnameResolveHostClient : public network::mojom::ResolveHostClient { | |||
| // See https://crbug.com/872665 | |||
| optional_parameters->source = net::HostResolverSource::DNS; | |||
There was a problem hiding this comment.
ResolveHostParameters::secure_dns_mode_override for SECURE mode is useless without specifying doh_server.
So we have to do it through DnsConfigOverrides
| // Enforce DoH for Tor | ||
| // TODO(darkdh): we can consider implementing | ||
| // "Proxy DNS when using SOCKS v5" (network.proxy.socks_remote_dns) | ||
| // like Firefox has so that we don't have to enforce DoH |
There was a problem hiding this comment.
Just a heads up about brave/brave-browser#13414 - we should be able to remove most of this machinery once we rebase onto CR89, so I'd recommend keeping the fixes here as minimal as possible!
There was a problem hiding this comment.
It seems like we should be setting this stuff when the Tor connection is created because presumably we need to always use it? Not just for this?
There was a problem hiding this comment.
Normally, when we are in Tor window, we don't need to send ANY dns queries. We route all the HTTP/HTTPS traffic to tor proxy without knowing the IP, that means we just send hostname to proxy and the Tor exit node will do the resolving.
There was a problem hiding this comment.
this is great but i don't think we should enable DoH for users who haven't picked a DoH provider, because IIUC they need to consent to the provider's terms of service. for users who haven't picked a DoH provider, can we just disable cname adblocking for them in Tor mode?
| request_->SetExtraRequestHeaders(extra_request_headers); | ||
| // Disable secure DNS for any DoH server hostname lookups to avoid deadlock. | ||
| request_->SetDisableSecureDns(true); | ||
| - request_->SetLoadFlags(request_->load_flags() | LOAD_DISABLE_CACHE | |
There was a problem hiding this comment.
I think you can avoid this patch by defining LOAD_BYPASS_PROXY as LOAD_DISABLE_CACHE. If that doesn't work for some reason you should use a define/chromium_src override after the original call instead of changing it to minimize the patch
| auto request_info = std::make_shared<brave::BraveRequestInfo>(GURL()); | ||
| int rc = | ||
| OnBeforeURLRequest_AdBlockTPPreWork(ResponseCallback(), request_info); | ||
| EXPECT_TRUE(request_info->new_url_spec.empty()); | ||
| EXPECT_EQ(rc, net::OK); | ||
| } | ||
|
|
||
| TEST_F(BraveAdBlockTPNetworkDelegateHelperTest, ByassTor) { |
There was a problem hiding this comment.
actually I think this is a bad name because it makes it sound like it should be bypassing Tor and that's exactly the opposite of what we are doing. Maybe something like DisableInsecureRequestsOverTor
| }; | ||
| } // namespace | ||
|
|
||
| class BraveAdBlockTPNetworkDelegateHelperTest : public testing::Test { |
There was a problem hiding this comment.
this fixture is not related to existing tests, so you could leave them as is and give the test class more relevant name
|
|
||
| #include "net/base/load_flags.h" | ||
|
|
||
| #define LOAD_BYPASS_PROXY LOAD_DISABLE_CACHE |
There was a problem hiding this comment.
I really don't think we should do this for all requests. I checked git history around this code (https://chromium-review.googlesource.com/c/chromium/src/+/1843334/10/net/dns/dns_transaction.cc), and the authors say LOAD_BYPASS_PROXY is here to prevent deadlocks.
So we should either try upstreaming this or limit to tor-related requests
There was a problem hiding this comment.
That is for SetDisableSecureDns (https://chromium-review.googlesource.com/c/chromium/src/+/1843332/5/net/dns/dns_transaction.cc)
It's been there since the first DoH commit
https://chromium-review.googlesource.com/c/chromium/src/+/710554/40/net/dns/dns_transaction.cc#431
There was a problem hiding this comment.
yea, I actually can't really imagine why we'd ever want to bypass the proxy for DoH requests. That seems like it would actually prevent requests from working at all if the proxy was required for access and non-proxy requests are blocked by firewall
There was a problem hiding this comment.
There is a discussion with upstream net dev
https://groups.google.com/u/1/a/chromium.org/g/net-dev/c/GI4E9ERwPgw
darkdh
force-pushed
the
tor-dns-leak
branch
2 times, most recently
from
dbb13b2 to
689261a
Compare
|
per discussion on slack with @bridiver and @iefremov, we came to a conclusion that disabling CNAME adblock for Tor would be best option now. Considering in order to make DoH route through Tor, we need to remove |
Sounds like a good compromise to me. |
| // DoH or standard DNS quries won't be routed through Tor, so we need to skip | ||
| // it. | ||
| if (ctx->browser_context->IsTor()) { | ||
| return net::OK; |
There was a problem hiding this comment.
This is going to disable adblocker in tor windows. What we need to do here is an adblocking pass without CNAME resolving, e.g. we can directly call ShouldBlockAdWithOptionalCname with empty CNAME
Tested on Firefox: When DoH is enabled, the requests will route through proxy
because we currently have no better way to route insecure DNS query through proxy like "Proxy DNS when using SOCKS v5" (network.proxy.socks_remote_dns) that Firefox has
Resolves brave/brave-browser#13527
This PR
Disable CNAME adblock for Tor to prevent it from sending DoH or standard DNS query which will not be routed through Tor
1. Fixes DoH requests should respect proxy config, matching the behavior as Firefox, so that DoH requests will route through Tor2. Enforce DoH for DNS queries sent by CNAME adblock because users can turn DoH off and we currently don't have a way to route insecure DNS lookup through Tor(proxy config). We can consider implementing
Proxy DNS when using SOCKS v5(network.proxy.socks_remote_dns) that Firefox has so we don't have to enforce DoH for this3. Skip CNAME adblock DNS lookup if DoH mode is not secure or DoH server list is empty
Submitter Checklist:
QA/YesorQA/No;release-notes/includeorrelease-notes/exclude;OS/...) to the associated issuenpm run test -- brave_browser_tests,npm run test -- brave_unit_tests,npm run lint,npm run gn_check,npm run tslintgit rebase master(if needed).Reviewer Checklist:
gnAfter-merge Checklist:
changes has landed on.
Test Plan:
DoH off
Using the (Pre)-Master-Secretto setupSSLKEYLOGFILEhttps://wiki.wireshark.org/TLS
dnsfilterUse secure DNStools.ietf.orgDoH enabled
Using the (Pre)-Master-Secretto setupSSLKEYLOGFILEhttps://wiki.wireshark.org/TLS
dnsfilterUse secure DNSis on and use custom Cloudflare resolvertools.ietf.org