Add ability to uncloak CNAME records

Related issue:
- uBlockOrigin/uBlock-issues#780

New webext permission added: `dns`, whose purpose is to allow an extension to fetch the DNS record of specific hostnames, reference documentation:

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/dns

The webext API `dns` is available in Firefox 60+ only.

The new API will enable uBO to "uncloak" the actual hostname used in network requests. The ability is currently disabled by default for now -- this is only a first commit related to the above issue to allow advanced users to immediately use the new ability.

Four advanced settings have been created to control the uncloaking of actual hostnames:

cnameAliasList: a space-separated list of hostnames.
Default value: unset => empty list.
Special value: * => all hostnames.
A space-separated list of hostnames => this tells uBO to "uncloak" the hostnames in the list will.

cnameIgnoreList: a space-separated list of hostnames.
Default value: unset => empty list.
Special value: * => all hostnames.
A space-separated list of hostnames => this tells uBO to NOT re-run the network request through uBO's filtering engine with the CNAME hostname. This is useful to exclude commonly used actual hostnames from being re-run through uBO's filtering engine, so as to avoid pointless overhead.

cnameIgnore1stParty: boolean.
Default value: true.
Whether uBO should ignore to re-run a network request through the filtering engine when the CNAME hostname is 1st-party to the alias hostname.

cnameMaxTTL: number of minutes.
Default value: 120.
This tells uBO to clear its CNAME cache after the specified time. For efficiency purpose, uBO will cache alias=>CNAME associations for reuse so as to reduce calls to `browser.dns.resolve`. All the associations will be cleared after the specified time to ensure the map does not grow too large and to ensure uBO uses up to date CNAME information.
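
The following added example (not code from this commit or from uBO) shows how the four settings described above can interact when deciding whether to replay a request under its canonical name. `createUncloaker`, `sampleResolve`, `sampleRecords` and the two-label `baseDomain` shortcut are assumptions made for illustration; the injected `resolve` stands in for `browser.dns.resolve`.

```javascript
// Added example, not uBO's code. Setting names come from the commit message;
// function names and data shapes are hypothetical.
const parseList = (s = '') =>
    s.trim() === '*' ? '*' : new Set(s.split(/\s+/).filter(Boolean));
const inList = (list, hn) => list === '*' || list.has(hn);
// Assumption: registrable domain = last two labels. Production code needs
// the Public Suffix List to get this right (e.g. for co.uk).
const baseDomain = hn => hn.split('.').slice(-2).join('.');

function createUncloaker(settings, resolve, now = Date.now) {
    const aliasList = parseList(settings.cnameAliasList);
    const ignoreList = parseList(settings.cnameIgnoreList);
    const ttlMs = settings.cnameMaxTTL * 60 * 1000;
    let cache = new Map();
    let cacheStart = now();
    let lookups = 0;

    // Resolves to the canonical name to replay through filtering, or ''.
    async function uncloak(alias) {
        if (!inList(aliasList, alias)) { return ''; }
        if (now() - cacheStart >= ttlMs) {   // cnameMaxTTL: drop the whole map
            cache = new Map();
            cacheStart = now();
        }
        let cname = cache.get(alias);
        if (cname === undefined) {
            lookups += 1;
            // In Firefox 60+: browser.dns.resolve(alias, ['canonical_name']).
            // A failed lookup is cached as "no alias" until the map is cleared.
            const rec = await resolve(alias).catch(() => ({}));
            cname = rec.canonicalName || '';
            if (cname === alias) { cname = ''; }   // hostname is not an alias
            cache.set(alias, cname);
        }
        if (cname === '' || inList(ignoreList, cname)) { return ''; }
        if (settings.cnameIgnore1stParty &&
            baseDomain(cname) === baseDomain(alias)) { return ''; }
        return cname;
    }
    return { uncloak, lookupCount: () => lookups };
}

// Constructed DNS answers; the first pair is the one discussed on this page.
const sampleRecords = {
    'f7ds.liberation.fr': { canonicalName: 'atc.eulerian.net' },
    'img.example.com': { canonicalName: 'static.example.com' },
    'www.example.org': { canonicalName: 'www.example.org' },
};
const sampleResolve = async hn => sampleRecords[hn] || { canonicalName: hn };
```

With `cnameAliasList` left unset, as in the default configuration, `uncloak` returns `''` for every hostname and never calls the resolver.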
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -75,6 +75,7 @@ | |
"open_in_tab": true | ||
}, | ||
"permissions": [ | ||
"dns", | ||
"menus", | ||
"privacy", | ||
"storage", | ||
|
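Review bot: The `"dns"` line added at the top of `permissions` requests the permission at install time for every user even though the commit message says uncloaking is disabled by default, so the reason for the permission should be documented alongside the new advanced settings. The commit message also notes that the `dns` API is Firefox 60+ only; nothing in the visible lines shows this manifest's minimum browser version, so confirm it is at least 60.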
3a564c1

CNAME'd network requests are being shown blue in color, on purpose?
Edit: I see it here -- 3a564c1#diff-303102799b6a1f6c9e421aff823cac08R272

Highlighting them with a different visual is important, the browser did not really issue these requests, uBO synthesized them using the CNAME and replayed them through the filtering engine.

Okay but now how do you identify which first party domain among all the first-party domains is NOT having the same CNAME as the website we're visiting? I don't see any identification being made there..

Click the entry for details, synthetic requests will have a field "CNAME of".

I have a suggestion regarding coloring the `f7ds.liberation.fr` domain in liberation.fr case if you don't mind hearing about it here.

You probably want to suggest to rewind the logger to associate already processed rows to newly emitted rows -- I rather not go down that road, so for now this is what works best without ending with a mess of code.

No, that's not what I was going for, my suggestion is color all the domains in red that fail CNAME test. For example, `f7ds.liberation.fr`, in the logger and in the popup panel, so I know that there's something suspicious about that domain when I open the popup panel or the logger, and I will start investigating it and add a filter/rule about it. Currently only people who know about `f7ds.liberation.fr` will do something about it, but users won't be as there's NO indication in the popup and in the logger that anything is wrong with `f7ds.liberation.fr` entry, so make identification of such domains easier in the popup panel/logger. Doable?

It's what you are going for.
When `f7ds.liberation.fr` entry is emitted to the logger, uBO does not yet know this particular hostname is an alias for `atc.eulerian.net`, this knowledge is acquired after.

Well then the identification of the CNAME hostname who fail the test will remain difficult and troublesome and users will have to be self-aware of this happening to take any action.

I disagree with this assessment. And I don't understand what "fail the test" means, CDNs are often aliased and that is not a failure, it's by design.

`f7ds.liberation.fr`'s Reverse DNS resolves to `atc.eulerian.net` which shouldn't be the case because it's a first party sub-domain like `medias.liberation.fr` and should match `www.liberation.fr`, like `medias.liberation.fr` but it doesn't. CDNs are often aliased that is true but on a third-party domain and it's easy to identify that domain even if it's first-party because they have a prefix/suffix in the sub-domain name which helps, this one doesn't, looks morally and ethically wrong and suspicious.
This change of IP address/Reverse DNS of one particular sub-domain to another third-party entity is of pure malice and doesn't fall into the category of "by-design".

uBO is code and the code does not know that `atc.eulerian.net` is bad -- it just relays the information, so uBO's code does not see `f7ds.liberation.fr` => `atc.eulerian.net` as a failure, the same way it does not see `arstechnicarp.cachefly.net` => `cdn.arstechnica.net` as a failure. Whether the actual hostname of an aliased hostname is undesirable is for filter list maintainers to decide.
I just committed a new ability to uncloak aliased hostnames, to assist filter list maintainers in creating filters, the next step will be to give filter list maintainers the ability to specify what hostname should be uncloaked such that filters may act on the actual hostname when filters for the alias are deemed unreliable. Whoever sees a blue entry from `atc.eulerian.net` in the logger can just click for more details and find out that it's aliased to `f7ds.liberation.fr`, and thus the next step for me will be to provide filter list maintainers the ability to tell uBO to uncloak network requests to `liberation.fr` such that `liberation.fr` attempts at evading filter lists are foiled.
It seems your mindset is elsewhere and I can't understand it -- you are literally lecturing me about why `atc.eulerian.net` is undesirable as if I was clueless.

I answered what I meant by "fail the test" as you said you don't understand that part in 3a564c1#commitcomment-36036305 . It's not a lecture. It's the issue of identification of that said sub-domain either via popup-panel or via logger, which is still difficult and not easier in any way for non-filterlist maintainers in the current way, that's all. I'm speaking from a user-centric perspective, not from a filterlist maintainer perspective.
Anyways, since you answered already in 3a564c1#commitcomment-36035885, so I rest my case.

@gorhill I just saw `atc.eulerian.net` appearing in the popup panel which does the job for me, shall I delete all these comments so to remove the unnecessary noise that got added?