On Monday, 6 March 2023 12:05:40 GMT Wols Lists wrote:
> On 06/03/2023 11:08, Peter Humphrey wrote:
> > On Monday, 6 March 2023 10:56:37 GMT Wols Lists wrote:
> >> On 06/03/2023 10:06, Michael wrote:
> >>> I suspect the behaviour you noticed is related to FF functionality like
> >>> TRR (Trusted Recursive Resolver) farming all your DNS queries over to the
> >>> cloudfarce honeypot.
> >>>
> >>> Have a look here if you want to disable it:
> >>>
> >>> https://wiki.archlinux.org/title/Firefox/Privacy#Disable/enforce_'Trusted_Recursive_Resolver'
> >>
> >> Thanks. That led me to network.trr.allow-rfc1918, which provided your
> >> name has a dot in it ! appears to resolve addresses from /etc/hosts. I
> >> guess that actually means firefox uses your local resolver first, and if
> >> it returns an rfc1918 address, will use it.
> >>
> >> Surely that should be the default! It shouldn't break a PRIVATE network
> >> in the name of security !!!
> >
> > It is the default here, in www-client/firefox-110.0.1 .
>
> I'm running amd not ~amd, and I've got FF 102esr. As soon as I changed
> it to allow rfc1918, it started working ...
>
> Cheers,
> Wol

As I understand it the purpose of this setting is to avoid web attacks being
able to redirect to local private addresses, which may be hosting vulnerable
services - a.k.a. 'DNS-rebinding'. The default setting is 'false' in FF
102.8.0, but if you have disabled TRR it appears the effects of
network.trr.allow-rfc1918 are disabled too.
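
The kind of filtering discussed in the message above, as an added Python example that is not part of the original thread and is not Firefox's own code: a resolver-side check that discards any DNS answer containing an RFC 1918 address unless that is explicitly allowed. The function names, the extra loopback and link-local ranges, the whole-answer rejection rule and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# The three RFC 1918 private IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: loopback and link-local are treated as never acceptable here.
OTHER_LOCAL = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10")]


def classify(addr):
    """Return 'rfc1918', 'local' or 'public' for one address string."""
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so a mapped private address cannot slip through.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip.version == n.version and ip in n for n in RFC1918):
        return "rfc1918"
    if any(ip.version == n.version and ip in n for n in OTHER_LOCAL):
        return "local"
    return "public"


def filter_answer(addresses, allow_rfc1918=False):
    """Accept a DNS answer only if every address passes the policy.

    One rejected address discards the whole answer, so a response that
    mixes a public address with a private one is not partially used.
    """
    for addr in addresses:
        kind = classify(addr)
        if kind == "local" or (kind == "rfc1918" and not allow_rfc1918):
            return []
    return list(addresses)


if __name__ == "__main__":
    # Constructed sample answers; 203.0.113.7 is a documentation address.
    samples = {
        "public site": ["203.0.113.7"],
        "mixed answer": ["203.0.113.7", "192.168.1.1"],
        "LAN host": ["192.168.1.10"],
    }
    for label, answer in samples.items():
        print(label, filter_answer(answer), filter_answer(answer, True))
```

With the default policy the LAN host answer is dropped, which is the breakage reported earlier in the thread; passing `allow_rfc1918=True` accepts it at the cost of the rebinding check.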