Hidden DNS Requests

DrBombay
Newbie
Posts: 4
Joined: 2024-03-28, 17:30

Hidden DNS Requests

Unread post by DrBombay » 2024-03-28, 17:58

Operating system: Zorin OS Linux v17
Browser version: 33.0.2
32-bit or 64-bit browser?: 64-bit
Problem URL: Phantom DNS being accessed.
Browser theme (if not default):
Installed add-ons: URL Rewriter
Installed plugins: (about:plugins):

Problem: Pale Moon is able to resolve all valid addresses despite custom DNS settings that should prevent that. Pale Moon appears to be using a different nameserver under the covers. Despite the OS being unable to find valid addresses except those for whitelisted sites AND the proxy gateway ONLY knowing those whitelisted addresses, Pale Moon can still find other sites. I suspect that there's the IP address for a nameserver somewhere within the Pale Moon code. Google had done such a thing with Chrome, having it look to their quad-8 DNS for sites it can't resolve through normal means. I consider this egregious behavior on the part of Google. I would hope that the developers of Pale Moon haven't been following their lead, but in this instance, that seems to be the case.

So... if this is indeed the case, how do we turn off this unwanted, miserable behavior?

If possible, please include the output of help->troubleshooting information (as text):
Application Basics
Name Pale Moon
Version 33.0.2 (64-bit)
Build ID 20240323205758
Update History
Update Channel release
User Agent Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Goanna/6.6 Firefox/102.0 PaleMoon/33.0.2
OS Linux 5.15.0-97-generic
Application Binary /home/spock/Downloads/palemoon/palemoon

Extensions
Name Version Enabled ID
About:config button 1.0 true aboutconfigbutton@wolfbeast.com
Fierr (Customized for OPAConFierr) 33.0 true {AF1AD85E-20B4-517C-9A93-B3E51B6EB86F}
Pale Moon Commander 3.0.1 true commander@palemoon.org
URL Rewriter 2.8.4 true url-rewriter@papush

Important Modified Preferences
Name Value
browser.cache.disk.capacity 358400
browser.cache.disk.smart_size.first_run false
browser.cache.disk.smart_size.use_old_max false
browser.download.importedFromSqlite true
browser.places.smartBookmarksVersion 4
browser.startup.homepage_override.buildID 20240323205758
browser.startup.homepage_override.mstone 6.6.0
browser.tabs.loadInBackground false
browser.tabs.warnOnClose false
browser.tabs.warnOnCloseOtherTabs false
extensions.lastAppVersion 33.0.2
font.name.serif.x-western sans-serif
font.size.variable.x-western 14
general.useragent.updates.lastupdated 1711567331558
network.cookie.prefsMigrated true
places.database.lastMaintenance 1711567900
places.history.expiration.transient_current_max_pages 122334
privacy.GPCheader.enabled true
privacy.sanitize.migrateFx3Prefs true
services.sync.declinedEngines
storage.vacuum.last.index 0
storage.vacuum.last.places.sqlite 1711567900

Moonchild
Pale Moon guru
Posts: 35652
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Hidden DNS Requests

Unread post by Moonchild » 2024-03-28, 18:44

Pale Moon uses system resolvers. There is no internal "hard-coded" DNS or DoH/TRR, so this simply should not happen. Please double-check your proxy setup to make sure DNS resolution is handed off to it (i.e. using SOCKS5).
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Pentium4User
Board Warrior
Posts: 1138
Joined: 2019-04-24, 09:38

Re: Hidden DNS Requests

Unread post by Pentium4User » 2024-03-28, 19:04

What is your proxy setting in PM?
What do nsswitch.conf and resolv.conf look like?
The profile picture shows my Maico EC30 E ceiling fan.

DrBombay
Newbie
Posts: 4
Joined: 2024-03-28, 17:30

Re: Hidden DNS Requests

Unread post by DrBombay » 2024-03-28, 19:38

For the proxy setting in PM, I have 172.16.2.2:8080 for all protocols. It's the pfSense Squid gateway that has for its DNS 127.0.0.53. It has whitelisted sites in its hosts file, so it can only find those. In addition, the only nameserver in resolv.conf on the local system is 127.0.0.53, so the local OS shouldn't even look beyond itself (done for best performance). It too has whitelisted sites in hosts. It's a tad redundant to have both the gateway proxy and local OS hobbled with their DNS, I know, but it was part of troubleshooting. I can confirm that DNS isn't working for other valid sites, as they can't be resolved at the command line on the local computer.

In PM, I've gone over every setting, including the advanced ones with PM Commander. I've gone through all the tabs and sub-tabs, including those I wouldn't expect to be related. Anything having to do with DNS over HTTPS, malicious site checking, custom DNS, etc., I've disabled. Ditto for Firefox, which exhibits the same DNS behavior (hmmm... maybe I should check their forum, too).

Believe me, I check and double check before I post anything. It's possible though that I may have missed something in Important Modified Preferences (see my original post). For now, I'm completely flummoxed.

Moonchild
Pale Moon guru
Posts: 35652
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Hidden DNS Requests

Unread post by Moonchild » 2024-03-28, 20:14

Your setup does sound a little complicated. I'm not sure why you'd be redirecting DNS to 127.0.0.53 and at the same time also telling it to proxy everything. Is the local DNS set up correctly, i.e. set to not be a recursive resolver if you don't want it to be? Personally, if I had a pfSense/Squid box on the LAN, I would just make that the DNS resolver and gateway, and you'd have a single unambiguous node that would do lookups. As you have it now, I'm really not sure what the network stack of your OS will do...

One thing you could do is use tcpdump or wireshark or similar to check the DNS lookups Pale Moon performs (which servers it contacts and what the requests are). That should at least show you the traffic from the browser - to the best of my knowledge all lookups are simply offloaded by NSPR to the system resolvers but I haven't audited NSPR before updating the lib the last few times, and I'd like to know if there would be unexpected/undesired behaviour.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
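
The capture check suggested above, as an added example that is not part of the original post or of Pale Moon: it tallies DNS queries per server, record type and name from tcpdump's text output. The capture command (`tcpdump -n -l port 53`), the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise DNS queries seen in tcpdump text output.
# Assumed capture command (not from the thread): tcpdump -n -l port 53

# Print "count server qtype name" for every query sent to port 53.
# Reads the files given as arguments, or standard input if there are none.
dns_query_summary() {
    awk '
    {
        ip = 0
        for (i = 1; i <= NF; i++)
            if ($i == "IP" || $i == "IP6") { ip = i; break }
        if (!ip || $(ip + 2) != ">") next
        dst = $(ip + 3); sub(/:$/, "", dst)
        n = split(dst, part, ".")
        if (part[n] != "53") next          # keep queries, drop responses
        server = dst; sub(/\.[0-9]+$/, "", server)
        for (i = ip + 4; i < NF; i++)
            if ($i ~ /^[A-Z0-9]+\?$/) {    # "A?", "AAAA?", "HTTPS?", ...
                qtype = $i; sub(/\?$/, "", qtype)
                name = $(i + 1); sub(/\.$/, "", name)
                count[server " " qtype " " name]++
                break
            }
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -k2,2 -k4,4 -k3,3
}

# Constructed sample lines in tcpdump text format (not real traffic).
sample_capture() {
    cat <<'EOF'
12:00:01.000001 IP 127.0.0.1.41000 > 127.0.0.53.53: 1234+ [1au] A? example.org. (40)
12:00:01.000200 IP 127.0.0.1.41000 > 127.0.0.53.53: 1235+ [1au] AAAA? example.org. (40)
12:00:01.001000 IP 192.168.1.20.50001 > 192.168.1.1.53: 4321+ [1au] A? example.org. (40)
12:00:01.020000 IP 192.168.1.1.53 > 192.168.1.20.50001: 4321 1/0/0 A 192.0.2.10 (56)
12:00:01.021000 IP 127.0.0.53.53 > 127.0.0.1.41000: 1234 1/0/0 A 192.0.2.10 (56)
12:00:05.000001 IP 127.0.0.1.41002 > 127.0.0.53.53: 1300+ [1au] A? example.org. (40)
EOF
}

sample_capture | dns_query_summary
```

Save the capture text to a file and pass it as an argument, or pipe it in on standard input. A browser configured with an HTTP proxy hands the hostname to the proxy, so an empty tally on the browser host while pages still load points at the proxy's resolver.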

Pentium4User
Board Warrior
Posts: 1138
Joined: 2019-04-24, 09:38

Re: Hidden DNS Requests

Unread post by Pentium4User » 2024-03-28, 20:27

127.0.0.53 sounds like systemd-resolve. Is that active on your system?
The profile picture shows my Maico EC30 E ceiling fan.

frostknight
Fanatic
Posts: 210
Joined: 2022-08-10, 02:25

Re: Hidden DNS Requests

Unread post by frostknight » 2024-03-29, 04:48

Pentium4User wrote:
2024-03-28, 20:27
127.0.0.53 sounds like systemd-resolve. Is that active on your system?
Given ZorinOS is a derivative of Ubuntu, this is probably a good guess.

It could indeed be one of those bloated framework functions like systemd.

Ubuntu uses systemd primarily, I think, doesn't it? Unless this changed since Debian re-added init back.

ZorinOS is a good beginner distro, so if the OP wanted to escape Windows, it's wise the OP picked this.
Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Peace Be With us All!
Also, say NO to Fascism and Corporatism as much as possible!

Pentium4User
Board Warrior
Posts: 1138
Joined: 2019-04-24, 09:38

Re: Hidden DNS Requests

Unread post by Pentium4User » 2024-03-29, 06:42

frostknight wrote:
2024-03-29, 04:48
Pentium4User wrote:
2024-03-28, 20:27
127.0.0.53 sounds like systemd-resolve. Is that active on your system?
Given ZorinOS is a derivative of Ubuntu, this is probably a good guess.

It could indeed be one of those bloated framework functions like systemd.

Ubuntu uses systemd primarily, I think, doesn't it? Unless this changed since Debian re-added init back.
Ubuntu uses it by default and it also has an nsswitch.conf lib, so it can be used even when it is not listed in resolv.conf.
The profile picture shows my Maico EC30 E ceiling fan.
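
One way to check the point made above about nsswitch.conf, as an added example that is not part of the original post: it reads the `hosts:` line and the `nameserver` entries and reports whether systemd-resolved sits in the lookup path. The function names, the sample file contents and the non-zero return convention are constructed for illustration; `resolve` is the NSS module name used by systemd's nss-resolve.

```shell
#!/bin/sh
# Added example: trace which components can answer a hostname lookup.

# Print the sources on the "hosts:" line of an nsswitch.conf-style file,
# one per line, skipping action items such as [!UNAVAIL=return].
nss_hosts_sources() {
    sed -n 's/#.*//; s/^[[:space:]]*hosts:[[:space:]]*//p' "$1" |
        tr -s '[:space:]' '\n' | grep -v '^\[' | grep -v '^$'
}

# Print the nameserver addresses from a resolv.conf-style file.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Report each lookup source; return 1 if systemd-resolved is in the path.
audit_resolver_path() {
    status=0
    for src in $(nss_hosts_sources "$1"); do
        case $src in
            files)   echo "files: the hosts file is consulted" ;;
            resolve) echo "resolve: systemd-resolved is asked directly, resolv.conf is not read"
                     status=1 ;;
            dns)     for ns in $(resolv_nameservers "$2"); do
                         case $ns in
                             127.0.0.53) echo "dns: $ns is the systemd-resolved stub"
                                         status=1 ;;
                             *)          echo "dns: queries go to $ns" ;;
                         esac
                     done ;;
            *)       echo "$src: other NSS module" ;;
        esac
    done
    return "$status"
}

# Constructed sample files (not taken from the thread).
sample_audit() {
    d=$(mktemp -d)
    printf 'passwd: files\nhosts: files resolve [!UNAVAIL=return] dns\n' > "$d/nsswitch.conf"
    printf 'nameserver 127.0.0.53\noptions edns0\n' > "$d/resolv.conf"
    audit_resolver_path "$d/nsswitch.conf" "$d/resolv.conf"; rc=$?
    rm -rf "$d"
    return "$rc"
}
sample_audit || true
```

Run it against the real files with `audit_resolver_path /etc/nsswitch.conf /etc/resolv.conf`. When it reports systemd-resolved, the upstream servers are the ones listed by `resolvectl status`, not those in resolv.conf.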

frostknight
Fanatic
Posts: 210
Joined: 2022-08-10, 02:25

Re: Hidden DNS Requests

Unread post by frostknight » 2024-03-30, 00:40

Pentium4User wrote:
2024-03-29, 06:42
Ubuntu uses it by default and it also has an nsswitch.conf lib, so it can be used even when it is not listed in resolv.conf.
Eh, Checkmate then! :P
Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Peace Be With us All!
Also, say NO to Fascism and Corporatism as much as possible!

DrBombay
Newbie
Posts: 4
Joined: 2024-03-28, 17:30

Re: Hidden DNS Requests

Unread post by DrBombay » 2024-04-02, 16:01

I've gone through all the relevant conf files, and I can find nothing that would allow DNS to be accessed beyond the local system. Hosts, resolv.conf, systemd.conf, etc., they are what they should be. Plus, as I mentioned, the OS can't find any sites but the whitelisted ones. I'm afraid that I'm going to have to start sniffing packets to really get to the bottom of this, something I just don't have time for right now. I'm wondering at this point about code from Chrome that may be in all browsers. After all, it's been confirmed that Google has been quietly pulling this miserable crap. It just further validates my decision to keep Chrome off all computers here where I work.

RealityRipple
Astronaut
Posts: 666
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California

Re: Hidden DNS Requests

Unread post by RealityRipple » 2024-04-02, 16:41

Just to rule it out: I didn't see any disabled DNS caching in your about:config. Are you making sure the sites you're trying haven't been cached in about:networking?

DrBombay
Newbie
Posts: 4
Joined: 2024-03-28, 17:30

Re: Hidden DNS Requests

Unread post by DrBombay » 2024-04-02, 22:08

I don't believe that caching was to blame; otherwise, it still would have found a cached site after I blocked DNS traffic to and from the system. Once I did that, only whitelisted sites in the hosts file could be found.

RealityRipple
Astronaut
Posts: 666
Joined: 2018-05-17, 02:34
Location: Los Berros Canyon, California

Re: Hidden DNS Requests

Unread post by RealityRipple » 2024-04-03, 00:56

I don't mean the system cache; Firefox (and by relation, Pale Moon) has its own short-term DNS caching. By default, I think it only caches for a minute, but if the DNS sends a Time To Live value, it uses that, and those can be longer... either an hour or a day, I forget which.