While testing Firefox proxy/VPN add-ons recently, it came as a surprise that all of them shared a big problem: DNS leaks. At first, it looked like a Firefox bug introduced recently in version 83, but rolling back to older versions such as 80 and 81 did not fix it. Making various changes in about:config made no big difference, other than setting network.dns.disabled to true, which solved the DNS leak while the proxy/VPN add-on was connected but broke Firefox’s internet connectivity as soon as the proxy/VPN was disconnected. That was an expected outcome, since that setting disables DNS resolution.
The problem was reproduced on a different computer, so it became clear that it wasn’t just an isolated issue. After carefully checking what the different Firefox installations had in common and disabling all add-ons except the proxy/VPN one, the DNS leak disappeared, so one of the very few other add-ons had to be to blame. Namely, it was uBlock Origin, one of the very best and must-have browser extensions. A quick search revealed that the issue is caused by its advanced setting cnameUncloak. To solve it, cnameUncloak must be set to false.
Check if your Firefox is affected
If a DNS leak test shows additional DNS servers from your ISP, or the static DNS servers set on your machine, along with the proxy/VPN DNS servers, then it is leaking.
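A local cross-check for the test described above, as an added example that is not part of the original post: it parses the text output of `tcpdump -n port 53`, captured while the add-on is connected, and lists the hostnames sent to any resolver other than the proxy/VPN ones. The capture lines, the addresses and the `find_dns_leaks` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n port 53` output, as it might look while a
# browser proxy/VPN add-on is connected. Addresses are documentation ranges.
SAMPLE_CAPTURE = """\
12:01:02.101010 IP 192.168.1.10.51544 > 192.168.1.1.53: 4242+ A? tracker.example.com. (37)
12:01:02.130000 IP 192.168.1.1.53 > 192.168.1.10.51544: 4242 2/0/0 CNAME cdn.example.net., A 203.0.113.7 (82)
12:01:03.200000 IP 192.168.1.10.40112 > 192.168.1.1.53: 1001+ [1au] AAAA? news.example.org. (45)
12:01:04.300000 IP6 2001:db8::10.53001 > 2001:db8::53.53: 77+ A? shop.example.com. (34)
12:01:05.000000 IP 192.168.1.10.44321 > 198.51.100.53.53: 9+ A? update.example.net. (36)
"""

# Matches outgoing queries only:
#   <time> IP|IP6 <src>.<port> > <resolver>.53: <id><flags> [opts] <TYPE>? <name>. (<len>)
# Responses are skipped because their destination port is not 53.
QUERY_RE = re.compile(
    r"^\S+ IP6? \S+ > (?P<resolver>\S+)\.53: \d+[+%]* (?:\[[^\]]*\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+?)\.? \(\d+\)$"
)


def find_dns_leaks(capture_text, allowed_resolvers=frozenset()):
    """Return {resolver: [(qtype, hostname), ...]} for queries that went to a
    resolver not listed in allowed_resolvers (the proxy/VPN DNS servers)."""
    leaks = defaultdict(set)
    for line in capture_text.splitlines():
        match = QUERY_RE.match(line.strip())
        if match and match["resolver"] not in allowed_resolvers:
            leaks[match["resolver"]].add((match["qtype"], match["name"].lower()))
    return {resolver: sorted(queries) for resolver, queries in leaks.items()}


if __name__ == "__main__":
    # Assumption: 198.51.100.53 stands in for the proxy/VPN provider's resolver.
    for resolver, queries in find_dns_leaks(SAMPLE_CAPTURE, {"198.51.100.53"}).items():
        for qtype, name in queries:
            print(f"leak: {name} ({qtype}) sent to {resolver}")
```

An empty result from a capture taken while browsing through the add-on means no plain DNS queries left the machine outside the allowed resolvers.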
How does a DNS leak affect you?
Using a proxy/VPN in the browser is a convenient way to hide your browsing IP and add an additional security layer even to HTTPS connections. Ideally, both browsing and DNS traffic should go through the proxy. A browser that leaks DNS requests sends them outside the proxy tunnel, exposing the sites you visit to your ISP. Also, if you use a proxy/VPN add-on to unblock streaming sites, such DNS leaks would most likely interfere with the proxy’s unblocking capabilities.
How to solve it
Open uBlock Origin’s settings, enable the option “I am an advanced user”, then click on the gears icon to open its advanced settings. Find the parameter called cnameUncloak, set it to false and apply the changes for the setting to take effect.
After you have applied the change, run the DNS leak tests again to confirm that it is working as intended.
Hopefully, a fix will be available in uBlock Origin so that it won’t require any user interaction.
More info via Reddit: