mullvad / mullvadvpn-app

The Mullvad VPN client app for desktop and mobile
https://mullvad.net/
GNU General Public License v3.0

Using hosts file even when SOCKS5 is used for DNS #3318

Closed ghost closed 2 years ago

ghost commented 2 years ago

Hi,

Config: I am running on macOS Monterey, with Mullvad 2021.6 and using Mullvad's SOCKS5 proxy in the latest build of Firefox.

I have changed my system's hosts file using an online blocklist in order to block ads and trackers (most likely more so than the "block ads/block trackers" option of the Mullvad VPN app), as well as some specific websites I do not want to open.

This seems to work well system-wide, for instance in Safari. However, this does not work in Firefox when the SOCKS5 proxy's "Proxy DNS queries" option is activated (it does work when the option is deactivated).

Is there any way for the proxy to still block connection as per the hosts file?

Thanks!

Tommie

pinkisemils commented 2 years ago

This behavior is wholly unrelated to any proxy we provide, as it's Firefox that is deciding to forward its DNS requests to the proxy.

ghost commented 2 years ago

Ok. Can there be DNS leaks or any other issue if one chooses not to activate the option to query DNS via the proxy?

faern commented 2 years ago

The hosts file is only used when the system's DNS lookup function is called. Any process on the machine is free to create sockets and issue DNS requests anywhere manually without respecting the hosts file. In this case, you have told Firefox to explicitly send the DNS request to the proxy and not look it up on your own system. So the behavior you are seeing is expected.

Our VPN app blocks DNS requests going anywhere we don't expect them to go (if you don't use Custom DNS in the app then the expected target for DNS is the VPN server you are currently connected to). This block can be circumvented by programs sending DNS requests in other ways than plain DNS on port 53. For example DNS inside a SOCKS5 proxy can't be detected and blocked by the app, nor can encrypted DNS in TLS/HTTPS be detected and blocked. So if your browser uses any of this the DNS requests will be able to reach wherever they are destined.

> Ok. Can there be DNS leaks or any other issue if one chooses not to activate the option to query DNS via the proxy?

No. If you use our app then it takes care of making sure DNS can only be sent in the tunnel where it's supposed to go (except what I explained above). You don't need to set up your browser to use a proxy to avoid DNS leaks.

If you want your hosts file to be respected and allow our app to properly manage DNS then you should configure your programs (browsers) to not use DNS over TLS/HTTPS or proxies. It should be configured to use plain DNS. Then they will in turn ask the system to do DNS lookups. The system will then respect the hosts file and our app will in turn make sure the system is correctly configured and secured.
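To make the two resolution paths faern describes concrete, here is an added example (not code from this thread or from the Mullvad app) that builds the SOCKS5 CONNECT request (RFC 1928, section 4) the way a browser does under each setting. With "Proxy DNS when using SOCKS v5" on (Firefox pref `network.proxy.socks_remote_dns`), the hostname is sent to the proxy as an ATYP 0x03 domain name and the OS resolver, and with it the hosts file, is never consulted; with it off, the client resolves locally first, so a blocklist entry pointing at 0.0.0.0 stops the connection before any request is built. The hosts file content, the `*.example` names and the `FAKE_DNS` table standing in for the tunnelled DNS server (using the 203.0.113.0/24 documentation range) are all constructed for the example.

```python
import ipaddress
import struct

# Constructed sample hosts file in the style of the online blocklists the
# reporter mentions: blocked names are pointed at 0.0.0.0.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
0.0.0.0     ads.example
0.0.0.0     tracker.example www.tracker.example
"""

# Constructed stand-in for the answers the VPN's DNS server would return
# for names not in the hosts file (203.0.113.0/24 is a documentation range).
FAKE_DNS = {"news.example": "203.0.113.10"}


def parse_hosts(text):
    """Parse hosts-file text into {name: ip}; first mapping for a name wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def fake_dns_lookup(host):
    """Stand-in for the OS sending a real query into the tunnel."""
    try:
        return FAKE_DNS[host.lower()]
    except KeyError:
        raise OSError(f"NXDOMAIN for {host}") from None


def system_resolve(host, hosts, dns_lookup=fake_dns_lookup):
    """The OS resolver path: hosts file first, DNS only on a miss."""
    hit = hosts.get(host.lower())
    return hit if hit is not None else dns_lookup(host)


def socks5_connect_request(host, port, hosts, proxy_dns, dns_lookup=fake_dns_lookup):
    """Build VER CMD RSV ATYP DST.ADDR DST.PORT for a CONNECT (RFC 1928, 4)."""
    if proxy_dns:
        # Remote DNS: the raw name goes to the proxy; nothing local is consulted.
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("domain name too long for ATYP 0x03")
        return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)
    # Local DNS: the hosts file is honoured, and 0.0.0.0 means "blocked".
    ip = ipaddress.ip_address(system_resolve(host, hosts, dns_lookup))
    if ip.is_unspecified:
        raise ConnectionRefusedError(f"{host} is blocked by the hosts file")
    atyp = b"\x01" if ip.version == 4 else b"\x04"
    return b"\x05\x01\x00" + atyp + ip.packed + struct.pack("!H", port)


def decode_socks5_request(req):
    """Parse a CONNECT request the way the proxy does: (kind, destination, port)."""
    ver, cmd, rsv, atyp = req[:4]
    if (ver, cmd, rsv) != (5, 1, 0):
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == 3:
        n = req[4]
        kind, dst, rest = "domain", req[5:5 + n].decode("idna"), req[5 + n:]
    elif atyp == 1:
        kind, dst, rest = "ipv4", str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == 4:
        kind, dst, rest = "ipv6", str(ipaddress.IPv6Address(req[4:20])), req[20:]
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    (port,) = struct.unpack("!H", rest)
    return kind, dst, port


def what_the_proxy_sees(host, port, proxy_dns, hosts_text=SAMPLE_HOSTS):
    """Outcome for one connection attempt under a given 'proxy DNS' setting."""
    hosts = parse_hosts(hosts_text)
    try:
        req = socks5_connect_request(host, port, hosts, proxy_dns)
    except ConnectionRefusedError:
        return ("blocked-locally", None, None)
    return decode_socks5_request(req)


if __name__ == "__main__":
    for name in ("ads.example", "www.tracker.example", "news.example"):
        for remote in (True, False):
            print(f"{name:22} proxy_dns={remote!s:5} ->", what_the_proxy_sees(name, 443, remote))
```

Running it shows the asymmetry the thread is about: with `proxy_dns=True` the proxy receives `("domain", "ads.example", 443)` and the blocklist never gets a say; with `proxy_dns=False` the same name is refused before a byte leaves the machine, while `news.example` is resolved through the (tunnelled) system resolver and reaches the proxy as an IPv4 address. The same local-bypass applies to DNS over HTTPS in the browser, which is why faern recommends leaving both remote-DNS and DoH off and letting the app manage the system resolver.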

ghost commented 2 years ago

Thanks for the detailed reply @faern, this is most useful and super clear! So that explains why, with the "query DNS through SOCKS5 proxy" option deactivated, the sites are blocked as per the hosts file, but not when the option is activated. To be clear, in my case, the SOCKS5 proxy in question is the Mullvad one, used for multi-hop, so even using the proxy I am still going through Mullvad servers. But I do lose the hosts file filtering. So I guess the options are 1) keep multi-hop for DNS queries by letting FF DNS queries go through the proxy, and not have my own filtering, or 2) ditch multi-hop for DNS queries and have my hosts file filtering. I'll think about that; feel free to comment on your preferences. A third option would be, as mentioned in another issue, to give users the possibility to add their own blocklists (specific IPs/domains and/or blocklist URLs), although since this would be in the app, it would probably still be circumvented by the use of the proxy in FF settings (so we're back to filtering versus multi-hop).

faern commented 2 years ago

I'll close this as it's not an app issue or feature request, but just a question.

If I were you, I would disable the proxy and just use the system DNS (which we control, so it should be safe).

ghost commented 2 years ago

Thanks!