briar / Merge requests / !488

Merged
Created Mar 23, 2017 by akwizgran (@akwizgran, Owner)

Don't make DNS lookups during RSS import


We use a custom socket factory to work around the lack of proper SOCKS support on Android - the socket factory implements SOCKS, but OkHttp doesn't know that.

When OkHttp doesn't think it's behind a SOCKS proxy it does local name resolution so it can make one connection attempt per address when there are multiple addresses for a name. This leaks the server's identity to the local network and the internet (#908 (closed)).

Fortunately, we can configure OkHttp to use a custom DNS resolver as well as a custom socket factory. This allows us to capture the local name lookup. We return 0.0.0.0 as the address, which OkHttp passes through to the socket factory, where we discard the fake address and pass the hostname to Tor to be resolved remotely.

In case a future version of OkHttp decides to do local name lookups in some other way, we also check that any name/address pairs passed into the socket factory have 0.0.0.0 as the address.

Closes #908 (closed)

Source branch: 908-rss-import-dns-leak
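
The approach described in this merge request, sketched with the JDK only. This is an added example, not Briar's code: the class and method names (`NoLocalDnsExample`, `lookup`, `hostnameForProxy`) are hypothetical, and `example.org` and `192.0.2.1` are constructed sample values. In an OkHttp client, `lookup` would be the body of an `okhttp3.Dns` implementation and `hostnameForProxy` would run inside the custom socket's `connect()`.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class NoLocalDnsExample {

    private static final byte[] UNSPECIFIED = new byte[4]; // 0.0.0.0

    // Same signature as okhttp3.Dns.lookup(). getByAddress(host, addr) only
    // pairs the name with the given bytes, so no resolver query is sent.
    static List<InetAddress> lookup(String hostname) throws UnknownHostException {
        return Collections.singletonList(
                InetAddress.getByAddress(hostname, UNSPECIFIED));
    }

    // Returns the hostname to hand to the SOCKS proxy for remote resolution.
    // Fails closed if the address is anything other than the 0.0.0.0 marker,
    // since that would mean the name was resolved some other way.
    static String hostnameForProxy(SocketAddress endpoint) throws IOException {
        if (!(endpoint instanceof InetSocketAddress))
            throw new IllegalArgumentException("Unsupported address type");
        InetSocketAddress inet = (InetSocketAddress) endpoint;
        InetAddress address = inet.getAddress(); // null if unresolved
        if (address == null || !Arrays.equals(address.getAddress(), UNSPECIFIED))
            throw new IOException("Address was not produced by the fake resolver");
        return inet.getHostString(); // never triggers a reverse lookup
    }

    public static void main(String[] args) throws Exception {
        // Normal path: fake resolver, then the socket factory check.
        InetAddress fake = lookup("example.org").get(0);
        System.out.println("proxy resolves: "
                + hostnameForProxy(new InetSocketAddress(fake, 443)));

        // Defensive path: a name paired with a real address is rejected.
        InetAddress real = InetAddress.getByAddress("example.org",
                new byte[] {(byte) 192, 0, 2, 1});
        try {
            hostnameForProxy(new InetSocketAddress(real, 443));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```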