DNS anti-tracking/ads options not working on Linux Focal

[data-sync-user]

VPN version:

• 2.5.0 (2.202108262125);

Affected Platforms:

• Linux Focal;

Prerequisites:

• Have one FxA account with subscription for Mozilla VPN;
• Have the VPN installed and opened on your machine;

Steps to reproduce:

1. Sign in with the account from prerequisites;
2. Go to Settings-> Network Settings-> Advanced DNS Settings
3. Click Advanced tab;
4. Enable the DNS anti-tracking option;
5. Turn ON the VPN;
6. Access http://truffle.bid/ domain (https://easylist.to/easylist/easyprivacy.txt)) using a browser;

Expected result:

• The domain is blocked;

Actual result:

• The domain is loaded.

Notes:

• 【 highlighted #ff5630 】This is major issue because it blocks the user of using the DNS feature as intended.【 end highlighted 】
• Reproduced with different domains;
• not reproducing on Win;

┆Issue is synchronized with this Jira Bug ┆Reporter: Valentina Virlics

[data-sync-user]

➤ Owen Kirby commented:

So far I am unable to reproduce this when Firefox DoH is disabled, so I suspect that this is another repercussion of https://mozilla-hub.atlassian.net/browse/VPN-142 ( https://mozilla-hub.atlassian.net/browse/VPN-142|smart-link )

[data-sync-user]

➤ Valentina Virlics commented:

Owen Kirby I did not use Firefox, but Chrome.

[data-sync-user]

➤ Valentina Virlics commented:

Also reproducing while using the anti-tracking custom DNS ip: 100.64.0.2. Owen Kirby

[data-sync-user]

➤ Owen Kirby commented:

With google chrome, I have noticed that the browser seems to keep a DNS cache of its own that’s separate from systemd. And under some conditions Chrome can remember a domain name that has previously been resolved before activating the anti-tracking DNS. To check whether this is a chrome issue, or a VPN issue, we can manually flush the cache after activating the activating the anti-tracking DNS as follows:

1. Navigate to chrome://net-internals/#dns
2. Click on the Clear host cache button to flush the DNS cache.
3. Navigating to http://truffle.bid/ ( http://truffle.bid/|smart-link ) should now result in a DNS resolution failure.

In my tests, manually refreshing the page via the refresh button, or by clicking in the URL bar and hitting enter, also resulted in a DNS resolution failure.

IIRC, Firefox does something similar but its cache can be flushed by either:

• Restarting the browser, or
• Navigating to about:networking#dns and clicking on the Clear DNS Cache button.

[data-sync-user]

➤ Valentina Virlics commented:

Tried your approach, but without success, on VPN 2.5.0 (2.202109080823). I've cleared DNS cache on both browsers with your method, but domains from easylist are still accessible. Same for ads. Used Chrome and private browsing. Attaching logs and video.

[^mozillavpn-2021-9-8.txt]

!Screencast 2021-09-08 13_17_26.mp4|thumbnail!

[data-sync-user]

➤ Valentina Virlics commented:

The interesting thing is that, on another Linux Focal (a laptop, with probably different configuration) both ads and anti tracking DNS work. So, I am not sure what happens on my device. I’ve synced with my colleague, and we do the exact things and settings.

[data-sync-user]

➤ Owen Kirby commented:

Valentina Virlics the next time you get a chance to reproduce this bug, could you try the following commands in a console and report what you get back? This should attempt to dump the system’s DNS configuration, and then perform a couple of test lookups to see if it is due to an error in DNS configuration, or the browser’s failing to use that configuration.

The commands:

1. cat /etc/resolv.conf
2. dbus-send --system --dest=org.freedesktop.resolve1 --print-reply /org/freedesktop/resolve1 org.freedesktop.DBus.Properties.GetAll string:org.freedesktop.resolve1.Manager
3. dig truffle.bid
4. dig truffle.bid @10.64.0.1
5. dig truffle.bid @100.64.0.2
6. dig oxygen.sigsegv.dev
7. dig oxygen.sigsegv.dev @10.64.0.1
8. dig oxygen.sigsegv.dev @100.64.0.2

The use of oxygen.sigsegv.dev here points to one of my personal VPS projects, and simply a domain that is unlikely to be in your DNS cache. You can replace it with any domain you like that you expect to resolve successfully.

[data-sync-user]

➤ Valentina Virlics commented:

Sure! I’ve attached the results. Thanks!

[^VPN913.odt]

[data-sync-user]

➤ Owen Kirby commented:

Thanks Valentina, that is definitely enlightening. It seems that there is something unexpected in how your system has configured its DNS servers. The configuration file at /etc/resolv.conf should normally be a symlink to /run/resolvconf/resolv.conf which is generated dynamically by the systemd resolver (and should contain a bunch of comments that aren’t present on your system). Instead, the contents of this file appear to be hard-coded to an AWS DNS server.

Could you check to see if this file is correctly symlinked by running the command: ls -al /etc/resolv.conf

[data-sync-user]

➤ Valentina Virlics commented:

Happy it clarify things. At least, a bit.

This is what I get after running the command.

!Screenshot from 2021-09-15 08-36-56.png|width=786,height=533!

[data-sync-user]

➤ Santiago Andrigo commented:

Valentina Virlics Is this still happening?

[data-sync-user]

➤ Santiago Andrigo commented:

Current belief is that this is machine-idiosyncratic.

[data-sync-user]

➤ Valentina Virlics commented:

Verified this on a VM with Linux Kinetic, and the ads and anti-tracking DNS feature works as expected.