On Monday, 6 March 2023 12:05:40 GMT Wols Lists wrote:
> On 06/03/2023 11:08, Peter Humphrey wrote:
> > On Monday, 6 March 2023 10:56:37 GMT Wols Lists wrote:
> >> On 06/03/2023 10:06, Michael wrote:
> >>> I suspect the behaviour you noticed is related to FF functionality like
> >>> TRR
> >>> (Trusted Recursive Resolver) farming all your DNS queries over to the
> >>> cloudfarce honeypot.
> >>>
> >>> Have a look here if you want to disable it:
> >>>
> >>> https://wiki.archlinux.org/title/Firefox/Privacy#Disable/
> >>> enforce_'Trusted_Recursive_Resolver'
> >>
> >> Thanks. That led me to network.trr.allow-rfc1918, which provided your
> >> name has a dot in it ! appears to resolve addresses from /etc/hosts. I
> >> guess that actually means firefox uses your local resolver first, and if
> >> it returns an rfc1918 address, will use it.
> >>
> >> Surely that should be the default! It shouldn't break a PRIVATE network
> >> in the name of security !!!
> >
> > It is the default here, in www-client/firefox-110.0.1 .
>
> I'm running amd not ~amd, and I've got FF 102esr. As soon as I changed
> it to allow rfc1918, it started working ...
>
> Cheers,
> Wol

As I understand it the purpose of this setting is to avoid web attacks being able to redirect to local private addresses, which may be hosting vulnerable services - a.k.a. 'DNS-rebinding'. The default setting is 'false' in FF 102.8.0, but if you have disabled TRR it appears the effects of network.trr.allow-rfc1918 are disabled too.
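
The kind of check discussed in this thread, as an added example that is not part of the original messages and not Firefox's code: a simplified resolver-side filter that treats private addresses in an external DNS response as a possible DNS-rebinding attempt unless an allow flag is set. The function names, the "one local address rejects the whole response" policy and the sample answers are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 IPv4 ranges plus the IPv6 unique-local range (fc00::/7).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def is_local_target(addr):
    """True if addr is a private, loopback or link-local address."""
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so a mapped IPv6 answer cannot hide a private IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_link_local
            or any(ip in net for net in PRIVATE_NETS))

def accept_response(answers, allow_rfc1918=False):
    """Decide whether to use A/AAAA answers that came from an external resolver.

    Hypothetical policy: with allow_rfc1918 off, a single local address makes
    the whole response untrusted, because a public name has no business
    pointing into the private network.
    Returns (accepted, offending_addresses).
    """
    offending = [a for a in answers if is_local_target(a)]
    if offending and not allow_rfc1918:
        return False, offending
    return True, offending

# Constructed sample responses (hostnames and addresses are made up).
SAMPLES = {
    "www.example.org": ["93.184.216.34"],
    "nas.home.example": ["192.168.1.10"],
    "rebind.example.net": ["203.0.113.7", "::ffff:10.0.0.5"],
}

if __name__ == "__main__":
    for name, answers in SAMPLES.items():
        for allow in (False, True):
            ok, bad = accept_response(answers, allow_rfc1918=allow)
            print(f"{name:20} allow={allow!s:5} accepted={ok} local={bad}")
```

With the flag off, the legitimate internal name nas.home.example is rejected along with the suspicious mixed response, which is the trade-off the thread is arguing about.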