[GH-ISSUE #84] "DNS leak" bug in http proxy mode #44

New issue

Closed

opened 2026-02-27 23:15:11 +03:00 by kerem · 12 comments

kerem commented 2026-02-27 23:15:11 +03:00

Owner

Copy link

Originally created by @saturn99 on GitHub (May 22, 2018).
Original GitHub issue: https://github.com/snail007/goproxy/issues/84

blow commands initiation http(s) proxy

#client#  proxy http -t tcp -p ":5656" -T tls -P "SERVER_IP:10801" -C p.crt -K p.key -Z "S" 
#server# proxy http -t tls -p ":10801"  -C p.crt -K p.key --forever --daemon  -z "S"

all is good,,
but client listener have "DNS leak" bug,, for example if we request :
curl -x "127.0.0.1:5656" "https://abc.def/"
we can see "adc.def" host name resolve in client side!!!

this line have problem(maybe):
github.com/snail007/goproxy@482977a4ac/services/http.go (L101)

Originally created by @saturn99 on GitHub (May 22, 2018). Original GitHub issue: https://github.com/snail007/goproxy/issues/84 blow commands initiation http(s) proxy ``` #client# proxy http -t tcp -p ":5656" -T tls -P "SERVER_IP:10801" -C p.crt -K p.key -Z "S" #server# proxy http -t tls -p ":10801" -C p.crt -K p.key --forever --daemon -z "S" ``` all is good,, but client listener have "DNS leak" bug,, for example if we request : ` curl -x "127.0.0.1:5656" "https://abc.def/" ` we can see "adc.def" host name resolve in client side!!! this line have problem(maybe): https://github.com/snail007/goproxy/blob/482977a4ac855320cce70289019e2d209b68a12f/services/http.go#L101

kerem closed this issue 2026-02-27 23:15:11 +03:00

kerem commented 2026-02-27 23:15:12 +03:00

Author

Owner

Copy link

@snail007 commented on GitHub (May 22, 2018):

default mode proxy will try access domain directly, if failed then access it through parent , you can prevent it by two ways,1:add
that domain in blocked file . 2:add argument --always in client arguments.

<!-- gh-comment-id:390844500 --> @snail007 commented on GitHub (May 22, 2018): default mode proxy will try access domain directly, if failed then access it through parent , you can prevent it by two ways,1:add that domain in blocked file . 2:add argument --always in client arguments.

kerem commented 2026-02-27 23:15:12 +03:00

Author

Owner

Copy link

@saturn99 commented on GitHub (May 22, 2018):

this is very bad idea for default mode,, 👎
in http(s) proxy all domain must be resolve on server side proxy server!
the clinet must be only rely traffic to server, and not solve any domain name with DNS

The execute of the client with the argument ‍−−always‍ has the same problem :(

<!-- gh-comment-id:390985880 --> @saturn99 commented on GitHub (May 22, 2018): this is very bad idea for default mode,, :-1: in http(s) proxy all domain must be resolve on server side proxy server! the clinet must be only rely traffic to server, and not solve any domain name with DNS The execute of the client with the argument ‍`−−always‍` has the same problem :(

kerem commented 2026-02-27 23:15:12 +03:00

Author

Owner

Copy link

@snail007 commented on GitHub (May 22, 2018):

--always means client forward all raw request to parent with no resolve in client , you may have some mistake

<!-- gh-comment-id:391005050 --> @snail007 commented on GitHub (May 22, 2018): --always means client forward all raw request to parent with no resolve in client , you may have some mistake

kerem commented 2026-02-27 23:15:12 +03:00

Author

Owner

Copy link

@saturn99 commented on GitHub (May 22, 2018):

this is my server on remote computer in another country:
proxy http -t tls -p ":10801" -C p.crt -K p.key --forever --daemon -z "S"

this is my client in my personal computer:
proxy http --always -t tcp -p ":5656" -T tls -P "SERVER_IP:10801" -C p.crt -K p.key -Z "S"

i run this command on my oersonal computer:
curl -x "127.0.0.1:5656" "http://abc.efg/"

and this is my sniff date on personal computer:
https://screenshots.firefox.com/zUOV7DKQVI4M0SQ1/null

client side proxy (with --always argument) send dns packet for solving domain name

where is my mistake? :(
thank you

<!-- gh-comment-id:391113060 --> @saturn99 commented on GitHub (May 22, 2018): this is my server on remote computer in another country: `proxy http -t tls -p ":10801" -C p.crt -K p.key --forever --daemon -z "S"` this is my client in my personal computer: `proxy http --always -t tcp -p ":5656" -T tls -P "SERVER_IP:10801" -C p.crt -K p.key -Z "S"` i run this command on my oersonal computer: `curl -x "127.0.0.1:5656" "http://abc.efg/"` and this is my sniff date on personal computer: https://screenshots.firefox.com/zUOV7DKQVI4M0SQ1/null client side proxy (with --always argument) send dns packet for solving domain name where is my mistake? :( thank you

kerem commented 2026-02-27 23:15:12 +03:00

Author

Owner

Copy link

@snail007 commented on GitHub (May 22, 2018):

the client and server log is？

<!-- gh-comment-id:391168756 --> @snail007 commented on GitHub (May 22, 2018): the client and server log is？

kerem commented 2026-02-27 23:15:12 +03:00

Author

Owner

Copy link

@snail007 commented on GitHub (May 23, 2018):

it is firefox useing proxy problem，see：https://www.reddit.com/r/linuxquestions/comments/7slstp/proxy_dns_when_using_socks5_not_adhered_to_when/ , if you can find which program send A query ，it wiil be firefox not proxy. you can fix that by above link page.

Only Socks v5 (not v4) supports DNS proxy on Firefox and you must also tick the checkbox "Proxy DNS when using SOCKS v5" at the bottom of the network settings screen.

<!-- gh-comment-id:391192910 --> @snail007 commented on GitHub (May 23, 2018): it is firefox useing proxy problem，see：https://www.reddit.com/r/linuxquestions/comments/7slstp/proxy_dns_when_using_socks5_not_adhered_to_when/ , if you can find which program send A query ，it wiil be firefox not proxy. you can fix that by above link page. > Only Socks v5 (not v4) supports DNS proxy on Firefox and you must also tick the checkbox "Proxy DNS when using SOCKS v5" at the bottom of the network settings screen. >

kerem commented 2026-02-27 23:15:12 +03:00

Author

Owner

Copy link

@saturn99 commented on GitHub (May 23, 2018):

:|||
I use curl for test, not firefox

I have not any problem with another http(s) proxy

<!-- gh-comment-id:391274385 --> @saturn99 commented on GitHub (May 23, 2018): :||| I use curl for test, not firefox I have not any problem with another http(s) proxy

kerem commented 2026-02-27 23:15:12 +03:00

Author

Owner

Copy link

@snail007 commented on GitHub (May 23, 2018):

show the server log output,when exec curl.

<!-- gh-comment-id:391301545 --> @snail007 commented on GitHub (May 23, 2018): show the server log output,when exec curl.

kerem commented 2026-02-27 23:15:12 +03:00

Author

Owner

Copy link

@saturn99 commented on GitHub (May 23, 2018):

my client:
proxy http --always -t tcp -p ":5656" -T tls -P "SERVER_IP:10801" -C proxy.crt -K proxy.key -Z "S"

curl command when open abc.efg and google.com:

$curl -x "127.0.0.1:5656" "http://abc.efg/"
curl: (52) Empty reply from server

$curl -x "127.0.0.1:5656" "https://google.com"
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>

My clinet Logs:

	########  ########   #######  ##     ## ##    ## 
	##     ## ##     ## ##     ##  ##   ##   ##  ##  
	##     ## ##     ## ##     ##   ## ##     ####   
	########  ########  ##     ##    ###       ##    
	##        ##   ##   ##     ##   ## ##      ##    
	##        ##    ##  ##     ##  ##   ##     ##    
	##        ##     ##  #######  ##     ##    ##    
	
	v4.7 by snail , blog : http://www.host900.com/

2018/05/23 16:35:25 use tls parent SERVER_IP:10801
2018/05/23 16:35:25 tcp http(s) proxy on [::]:5656
2018/05/23 16:35:27 GET:http://abc.efg/
2018/05/23 16:35:27 use proxy : true, abc.efg:80
2018/05/23 16:35:29 conn 127.0.0.1:49334 - SERVER_IP:10801 connected [abc.efg:80]
2018/05/23 16:35:39 conn 127.0.0.1:49334 - SERVER_IP:10801 released [abc.efg:80]
2018/05/23 16:40:46 CONNECT:google.com:443
2018/05/23 16:40:46 use proxy : true, google.com:443
2018/05/23 16:40:46 conn 127.0.0.1:49468 - SERVER_IP:10801 connected [google.com:443]
2018/05/23 16:40:47 conn 127.0.0.1:49468 - SERVER_IP:10801 released [google.com:443]

SERVER Logs when open abc.efg:

./proxy http -t tls -p ":10801" -C proxy.crt -K proxy.key --forever -z "S"

2018/05/23 12:05:18 worker ./proxy [PID] 10556 running...

	########  ########   #######  ##     ## ##    ## 
	##     ## ##     ## ##     ##  ##   ##   ##  ##  
	##     ## ##     ## ##     ##   ## ##     ####   
	########  ########  ##     ##    ###       ##    
	##        ##   ##   ##     ##   ## ##      ##    
	##        ##    ##  ##     ##  ##   ##     ##    
	##        ##     ##  #######  ##     ##    ##    
	
	v4.7 by snail , blog : http://www.host900.com/

2018/05/23 12:05:18 tls http(s) proxy on [::]:10801
2018/05/23 12:05:27 GET:http://abc.efg/
2018/05/23 12:05:28 use proxy : false, abc.efg:80
2018/05/23 12:05:28 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying...
2018/05/23 12:05:30 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying...
2018/05/23 12:05:32 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying...
2018/05/23 12:05:34 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying...
2018/05/23 12:05:36 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying...
2018/05/23 12:05:38 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host
2018/05/23 12:05:38 connect to abc.efg:80 fail, ERR:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host

SERVER Logs when open google.com:

./proxy http -t tls -p ":10801" -C proxy.crt -K proxy.key --forever -z "S"

2018/05/23 12:10:32 worker ./proxy [PID] 10586 running...
2018/05/23 12:10:32 tls http(s) proxy on [::]:10801

	########  ########   #######  ##     ## ##    ## 
	##     ## ##     ## ##     ##  ##   ##   ##  ##  
	##     ## ##     ## ##     ##   ## ##     ####   
	########  ########  ##     ##    ###       ##    
	##        ##   ##   ##     ##   ## ##      ##    
	##        ##    ##  ##     ##  ##   ##     ##    
	##        ##     ##  #######  ##     ##    ##    
	
	v4.7 by snail , blog : http://www.host900.com/

2018/05/23 12:10:45 CONNECT:google.com:443
2018/05/23 12:10:45 use proxy : false, google.com:443
2018/05/23 12:10:45 conn 31.56.172.109:32994 - 216.58.208.46:443 connected [google.com:443]
2018/05/23 12:10:46 conn 31.56.172.109:32994 - 216.58.208.46:443 released [google.com:443]

and i sniff two DNS request on my client side for resolving doman name

thank you

<!-- gh-comment-id:391325588 --> @saturn99 commented on GitHub (May 23, 2018): my client: `proxy http --always -t tcp -p ":5656" -T tls -P "SERVER_IP:10801" -C proxy.crt -K proxy.key -Z "S"` curl command when open `abc.efg` and `google.com`: ``` $curl -x "127.0.0.1:5656" "http://abc.efg/" curl: (52) Empty reply from server $curl -x "127.0.0.1:5656" "https://google.com" <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>301 Moved</TITLE></HEAD><BODY> <H1>301 Moved</H1> The document has moved <A HREF="https://www.google.com/">here</A>. </BODY></HTML> ``` <details><summary><b>My clinet Logs</b>:</summary> ######## ######## ####### ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## #### ######## ######## ## ## ### ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ####### ## ## ## v4.7 by snail , blog : http://www.host900.com/ 2018/05/23 16:35:25 use tls parent SERVER_IP:10801 2018/05/23 16:35:25 tcp http(s) proxy on [::]:5656 2018/05/23 16:35:27 GET:http://abc.efg/ 2018/05/23 16:35:27 use proxy : true, abc.efg:80 2018/05/23 16:35:29 conn 127.0.0.1:49334 - SERVER_IP:10801 connected [abc.efg:80] 2018/05/23 16:35:39 conn 127.0.0.1:49334 - SERVER_IP:10801 released [abc.efg:80] 2018/05/23 16:40:46 CONNECT:google.com:443 2018/05/23 16:40:46 use proxy : true, google.com:443 2018/05/23 16:40:46 conn 127.0.0.1:49468 - SERVER_IP:10801 connected [google.com:443] 2018/05/23 16:40:47 conn 127.0.0.1:49468 - SERVER_IP:10801 released [google.com:443] </details> <details><summary><b>SERVER Logs when open abc.efg</b>:</summary> ./proxy http -t tls -p ":10801" -C proxy.crt -K proxy.key --forever -z "S" 2018/05/23 12:05:18 worker ./proxy [PID] 10556 running... ######## ######## ####### ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## #### ######## ######## ## ## ### ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ####### ## ## ## v4.7 by snail , blog : http://www.host900.com/ 2018/05/23 12:05:18 tls http(s) proxy on [::]:10801 2018/05/23 12:05:27 GET:http://abc.efg/ 2018/05/23 12:05:28 use proxy : false, abc.efg:80 2018/05/23 12:05:28 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying... 2018/05/23 12:05:30 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying... 2018/05/23 12:05:32 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying... 2018/05/23 12:05:34 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying... 2018/05/23 12:05:36 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host,retrying... 2018/05/23 12:05:38 connect to , err:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host 2018/05/23 12:05:38 connect to abc.efg:80 fail, ERR:dial tcp: lookup abc.efg on 213.133.98.98:53: no such host </details> <details><summary><b>SERVER Logs when open google.com</b>:</summary> ./proxy http -t tls -p ":10801" -C proxy.crt -K proxy.key --forever -z "S" 2018/05/23 12:10:32 worker ./proxy [PID] 10586 running... 2018/05/23 12:10:32 tls http(s) proxy on [::]:10801 ######## ######## ####### ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## #### ######## ######## ## ## ### ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ####### ## ## ## v4.7 by snail , blog : http://www.host900.com/ 2018/05/23 12:10:45 CONNECT:google.com:443 2018/05/23 12:10:45 use proxy : false, google.com:443 2018/05/23 12:10:45 conn 31.56.172.109:32994 - 216.58.208.46:443 connected [google.com:443] 2018/05/23 12:10:46 conn 31.56.172.109:32994 - 216.58.208.46:443 released [google.com:443] </details> and i sniff two DNS request on my client side for resolving doman name thank you

kerem commented 2026-02-27 23:15:12 +03:00

Author

Owner

Copy link

@snail007 commented on GitHub (May 23, 2018):

no matter what ever,the server log means that the abc.efg requested by server and dns also
in server ,but dns lookup fail.

<!-- gh-comment-id:391382470 --> @snail007 commented on GitHub (May 23, 2018): no matter what ever,the server log means that the abc.efg requested by server and dns also in server ,but dns lookup fail.

kerem commented 2026-02-27 23:15:12 +03:00

Author

Owner

Copy link

@saturn99 commented on GitHub (May 30, 2018):

i found line of this bug:

github.com/snail007/goproxy@bfcc27e70f/services/http.go (L232)

this line execute before check --always argument!!!!!!!!
inside this function, we see net.LookupIP(domainOrIP) and this method use DNS for resolving domain name

LookupIP looks up host using the local resolver. It returns a slice of that host's IPv4 and IPv6 addresses.

source

---

then:
if we use http mode, proxy in client side send DNS request!!! and this is e bug!

---

solation:

check *s.cfg.Always before use IsIternalIP

thank you

<!-- gh-comment-id:392988012 --> @saturn99 commented on GitHub (May 30, 2018): i found line of this bug: https://github.com/snail007/goproxy/blob/bfcc27e70f11f40a12e2d90b7cb2b4ef50da7d99/services/http.go#L232 this line execute before check `--always` argument!!!!!!!! inside this function, we see `net.LookupIP(domainOrIP)` and this method use DNS for resolving domain name > LookupIP looks up host using the local resolver. It returns a slice of that host's IPv4 and IPv6 addresses. [source](https://golang.org/pkg/net/?m=all#LookupIP) ---- then: if we use `http` mode, proxy in client side send DNS request!!! and this is e bug! --- solation: check `*s.cfg.Always` before use `IsIternalIP` thank you

kerem commented 2026-02-27 23:15:12 +03:00

Author

Owner

Copy link

@saturn99 commented on GitHub (May 31, 2018):

This problem solved at commit 5c9fc850d8 on dev branch

<!-- gh-comment-id:393565998 --> @saturn99 commented on GitHub (May 31, 2018): This problem solved at commit 5c9fc850d858d3016b56fe2cd44597ddf2e24d2b on `dev` branch

kerem referenced this issue 2026-02-27 23:17:13 +03:00

[PR #44] [MERGED] Update README_ZH.md #499

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

v15.2

v15.1

v15.0

Labels

Clear labels   

TODO

  

bug

  

duplicate

  

enhancement

  

good first issue

  

help wanted

  

helpful

  

invalid

  

need-confirm

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

wontfix

No labels

TODO

bug

duplicate

enhancement

good first issue

help wanted

helpful

invalid

need-confirm

pull-request

question

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/goproxy#44

No description provided.