Unnecessary DNS queries when using NoScript and uBlock Origin together

[vexity]

Before the update that added Contextual Policies, NoScript and uBlock Origin worked seamlessly together. When blocking scripts I blocked in both extensions and there were no problems. It seems there is a conflict between the two and there is a DNS query for blocked connections. I tried allowing scripts in uBlock and only blocking them in NoScript but every script/domain that is blocked by a filter list still has a DNS query.

[guest]

Interesting. I guess it's more likely caused by the new LAN capability, though. Maybe turning it on for the default preset helps?

[Giorgio Maone]

Thanks for reporting.

That's the LAN protection feature, using DNS to prevent DNS cloaking and rebinding attacks against the LAN.

If those queries bother you you can turn it off by enabling the LAN capability in the DEFAULT and the UNTRUSTED preset.

Also, you shouldn't see them if uBlock manages to run before NoScript (which, at least on Chromium, means uBlock being installed first - on Firefox it might be the same but it's not a specified behavior).

In order to mitigate this "problem" a bit, in a next version I could try to move the LAN check after the regular policy checks, so that if something needs to be blocked anyway this will be skipped.

[vexity]

Thank you for the quick response! At least we know the LAN protection feature is working! Glad to know, it was driving me crazy. I use Firefox. Don't go to the trouble of mitigating anything for the next version. I'm a little slow and tired, so I'm trying to figure out what this means especially in conjunction with my router. I'll make the changes you suggested. Carry on and thanks for the new additions to NoScript!

[guest]

If I understand this correctly, this sounds like a massive privacy breach, leaking everything to the DNS servers that we intentionally want to block completely with uBlock Origin.

How does the NoScript LAN protection compare to the uBlock Origin LAN block list? Do they work well together?

How does NoScript react to DNS level blocking, i.e. if it cannot resolve the query?

I enable the LAN capability for now until someone can convince me it's better not to.

[Giorgio Maone]

If I understand this correctly, this sounds like a massive privacy breach, leaking everything to the DNS servers that we intentionally want to block completely with uBlock Origin.

I wouldn't say "massive": if your anonymity needs are such that you're worried about leaking DNS requests (speculative or not) for stuff that is blocked by a content blocker, you should really switch to the Tor Browser (where, incidentally, NoScript performs no DNS resolution).
However in 11.3.3 I'm moving the LAN protection machinery at a later stage (in onBeforeSendHeaders), when stuff that needed to be blocked has already been blocked: this way it will never kick in these circumstances.

[Giorgio Maone]

Please check latest development build, thanks:

v 11.3.3rc1
============================================================
x Prevent LAN protection from performing unnecessary DNS
queries on Firefox (thanks vexity for reporting)
x [L10n] Updated de, es

[vexity]

Everything is back to normal, thank you for the update. Haven't enabled the LAN capability (even for trusted) and so far no websites have complained.