Little Trick To Improve Privacy When Using Proxies Extensions On FF



Renk
01.09.22, 01:13
I recently was testing different proxies ("vpn"...) extensions on FF, and I realized that sometimes, while launching and just after, the browser was able to perform some direct internet connections, bypassing the proxy extension in use.

This is quite bad, because this allows some kind of correlation attack defeating the privacy/anonymity purpose of proxy usage.


This behavior is linked to a 4 year old FF bug (https://bugzilla.mozilla.org/show_bug.cgi?id=1501159).



But there is a workaround to this issue, consisting in setting up a "proxy kill switch": Settings -> Network settings and here, define a fake local proxy (such as 127.0.0.1: <random non used port>).

So, before the proxy extension kicks in, all internet connections will be blocked and no leak bypassing the proxy will happen.


I have not tested whether the same issue appears on Chrome.

anon
02.09.22, 00:41
Nice catch. Did you try passing -offline to firefox.exe? This sets offline mode very early on startup, so it should also work and would be a cleaner solution if it does. Also, 0.0.0.0 is a better choice for the fake proxy on Windows as it will always fail immediately. (And this method can also be used to dupe a lot of software into not verifying your clandestine unauthorized pirate illegal registration data :shifty:)

Chrome has no offline mode, except for individual tabs and if the developer console is open. Adding one or more of these to the command line may be equivalent in this scenario.


--disable-background-networking
--host-resolver-rules="MAP * ~NOTFOUND, EXCLUDE 127.0.0.1"
--proxy-server="socks5://0.0.0.0:1080"


Note I haven't used Chrome in two years :wtinfoil: Its network stack was moved to a separate process at some point, so the parameters above may have changed names or no longer exist. You may have to experiment and check for side effects...

whateveritakes
05.09.22, 18:35
How the heck do you know all this small stuff, anon.... did you read all the source code or something?

anon
06.09.22, 00:57
Not all of it, just the relevant parts. For Chromium in particular, command line switches are neatly listed and explained in just a few files dedicated exclusively to that... and documentation exists, too.

https://www.chromium.org/developers/design-documents/network-stack/socks-proxy/
https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/dns/README.md

Renk
12.09.22, 22:57
Nice catch. Did you try passing -offline to firefox.exe? This sets offline mode very early on startup, so it should also work and would be a cleaner solution if it does.
I tested that too. It's indeed a cleaner solution, but less convenient for me: after launch I always have to click <File> then uncheck <work offline> to be able to browse the web. The "proxy" solution doesn't need these 2 clicks.

But what made me definitely prefer the "proxy" solution is that this solution protects me throughout the whole session. In particular, I realized that this method fixes the DnsLeak problem (which I previously wrote about here (https://www.sb-innovation.de/showthread.php?35021-Some-FF-Extensions-Leading-to-DnsLeak-When-Using-a-Proxy-Despite-of-WebRTC-Blocking)) encountered when using a proxy alongside some extensions or when checking some extension's option, such as canonical names uncloaking in uBlockO.




Also, 0.0.0.0 is a better choice for the fake proxy on Windows as it will always fail immediately. (And this method can also be used to dupe a lot of software into not verifying your clandestine unauthorized pirate illegal registration data :shifty:)

Definitely, and after reading your post I adopted this solution.

(For those still not convinced that using 0.0.0.0 in this context and 127.0.0.1 are very different things, just test it by pinging 127.0.0.1:<fake port> and 0.0.0.0:<fake port>).

It's just that I sometimes hesitate to use 0.0.0.0 because of its polysemy, as it means "nothing" in some contexts, and "every IP" in others....
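
An added check for the fake-proxy kill switch discussed in this thread (not code from any poster): it confirms that nothing accepts connections on the address and port chosen as the fake proxy, because a local service that happens to own that port would be handed the browser's traffic instead of blocking it. The function names, verdict labels and the placeholder port are assumptions made for this example.

```python
import socket
import time

def probe(host, port, timeout=2.0):
    """Attempt one TCP connect to the fake proxy endpoint; return (verdict, seconds)."""
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        verdict = "LISTENING"    # something answers: it would act as the browser's proxy
    except socket.timeout:
        verdict = "TIMEOUT"      # still blocks, but every request stalls for the timeout
    except ConnectionRefusedError:
        verdict = "REFUSED"      # closed port: connections fail fast
    except OSError:
        verdict = "UNREACHABLE"  # address cannot be connected to at all
    finally:
        s.close()
    return verdict, time.monotonic() - start

def is_safe_kill_switch(host, port, timeout=2.0):
    """A fake proxy only blocks traffic if nothing is listening behind it."""
    return probe(host, port, timeout)[0] != "LISTENING"

def demo():
    """Constructed scenario: a local service owns the 'unused' port, then goes away."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # let the OS pick a free loopback port
    srv.listen(1)
    port = srv.getsockname()[1]
    occupied = probe("127.0.0.1", port)[0]
    srv.close()
    free = probe("127.0.0.1", port)[0]
    return occupied, free

if __name__ == "__main__":
    print("occupied vs free port:", demo())
    PORT = 9  # placeholder: replace with the port entered in Network settings
    for host in ("127.0.0.1", "0.0.0.0"):
        # On Unix-like stacks 0.0.0.0 is treated as this host, so results
        # for the two addresses can match there and differ on Windows.
        verdict, secs = probe(host, PORT)
        print(f"{host}:{PORT} -> {verdict} after {secs:.3f}s")
```

Run it once after choosing the port and again whenever new local software is installed; the elapsed time shows how quickly each address fails on the machine in question.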

anon
13.09.22, 01:48
I tested that too. It's indeed a cleaner solution, but less convenient for me: after launch I always have to click <File> then uncheck <work offline> to be able to browse the web. The "proxy" solution doesn't need these 2 clicks.

Decisions, decisions! :weirdo: Firefox is the only browser that still has a fully functional offline mode, and I thought I'd show some love for it before Mozilla removes it arguing that "according to telemetry data only 0.87% of installs used this feature in the last 3 months".


But what made me definitely prefer the "proxy" solution is that this solution protects me throughout the whole session. In particular, I realized that this method fixes the DnsLeak problem (which I previously wrote about here (https://www.sb-innovation.de/showthread.php?35021-Some-FF-Extensions-Leading-to-DnsLeak-When-Using-a-Proxy-Despite-of-WebRTC-Blocking)) encountered when using a proxy alongside some extensions or when checking some extension's option, such as canonical names uncloaking in uBlockO.

I wonder if there's a specific reason I didn't recommend network.dns.disabled in that thread... but since the fake proxy catches both startup leaks and this, it would be the better way in any case.


REGEDIT4

; Disable multicast DNS
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"EnableMulticast"=dword:00000000

; Disable Smart Multi-Homed Name Resolution (Windows 8.x and above)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"DisableSmartNameResolution"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"DisableParallelAandAAAA"=dword:00000001

; Disable Chromium built-in DNS client
[HKEY_LOCAL_MACHINE\Software\Policies\Chromium]
"BuiltInDnsClientEnabled"=dword:00000000


It's just that I sometimes hesitate to use 0.0.0.0 because of its polysemy, as it means "nothing" in some contexts, and "every IP" in others....

And also "this computer", as far as DHCP and the Unix network stack are concerned.