Don't make DNS lookups during RSS import

akwizgran requested to merge 908-rss-import-dns-leak into master

We use a custom socket factory to work around the lack of proper SOCKS support on Android - the socket factory implements SOCKS, but OkHttp doesn't know that.

When OkHttp doesn't think it's behind a SOCKS proxy it does local name resolution so it can make one connection attempt per address when there are multiple addresses for a name. This leaks the server's identity to the local network and the internet (#908 (closed)).

Fortunately, we can configure OkHttp to use a custom DNS resolver as well as a custom socket factory. This allows us to capture the local name lookup. We return 0.0.0.0 as the address, which OkHttp passes through to the socket factory, where we discard the fake address and pass the hostname to Tor to be resolved remotely.

In case a future version of OkHttp decides to do local name lookups in some other way, we also check that any name/address pairs passed into the socket factory have 0.0.0.0 as the address.

Closes #908 (closed)
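
The two pieces described above, sketched as an added example that is not the project's own code: a resolver that never touches the network and a socket that rejects any endpoint not carrying the 0.0.0.0 placeholder. All class and method names are hypothetical, and `connectViaProxy` is assumed to perform the SOCKS handshake with the hostname rather than an address.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.SocketFactory;
import okhttp3.Dns;
import okhttp3.OkHttpClient;

// Hypothetical resolver: answers every lookup with 0.0.0.0 and keeps the name.
final class PlaceholderDns implements Dns {
    static final byte[] UNSPECIFIED = new byte[4]; // 0.0.0.0

    @Override
    public List<InetAddress> lookup(String hostname) throws UnknownHostException {
        // getByAddress(host, addr) builds the object without querying a resolver.
        return Collections.singletonList(InetAddress.getByAddress(hostname, UNSPECIFIED));
    }

    // socksFactory is assumed to hand out RemoteResolvingSocket instances.
    static OkHttpClient newClient(SocketFactory socksFactory) {
        return new OkHttpClient.Builder()
                .dns(new PlaceholderDns())
                .socketFactory(socksFactory)
                .build();
    }
}

// Hypothetical socket: fails closed if a real, locally resolved address arrives.
abstract class RemoteResolvingSocket extends Socket {
    @Override
    public void connect(SocketAddress endpoint, int timeoutMs) throws IOException {
        if (!(endpoint instanceof InetSocketAddress))
            throw new IllegalArgumentException("unsupported address type");
        InetSocketAddress isa = (InetSocketAddress) endpoint;
        InetAddress addr = isa.getAddress(); // null when the endpoint is unresolved
        if (addr != null && !Arrays.equals(addr.getAddress(), PlaceholderDns.UNSPECIFIED))
            throw new UnknownHostException("locally resolved address rejected");
        // getHostString() returns the stored name without a reverse lookup.
        connectViaProxy(isa.getHostString(), isa.getPort(), timeoutMs);
    }

    // Assumption: sends the hostname to the proxy so resolution happens remotely.
    protected abstract void connectViaProxy(String host, int port, int timeoutMs)
            throws IOException;
}
```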
