LAN-port-scan-forbidder

[DNS Attack!] If a website has its own domain resolve to 127.0.0.1, can the Firefox extension no longer block it?

Open: yilksd opened this issue 4 years ago • 2 comments

Tencent has this, for example.

yilksd avatar Nov 20 '21 02:11 yilksd

I checked MDN https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest

[image: webrequest-flow] Not until onHeadersReceived can the addon see the IP. Before that, the addon can only see the URL. So, if the addon is built only with the current webRequest API, it can't.

Conclusion: When the addon sees a domain URL web subresource http://evil.url:<you-LAN-port> that is resolved to 127.0.0.1, the 127.0.0.1:<my-LAN-port> request has already been done by the browser.

(I think we can talk to Mozilla about that)

Before they implement a proper API, there may be a workaround: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/dns/resolve We could combine our current method with dns.resolve() with the offline flag. (Not sure, maybe. Need more research and tests.)

Tencent has this, for example.

Is there a concrete example? What does Tencent use it for now?

garywill avatar Nov 20 '21 03:11 garywill

It seems that if we want to plug this hole, a browser extension is not the right tool. Local DNS server software may be more suitable: forbid every domain, other than known legitimate ones such as localhost that may resolve to 127.0.0.0/24, 169.254.0.0/16, 100.64.0.0/16, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, from resolving to those IPs.

Is there a concrete example? What does Tencent use it for now?

https://www.zhihu.com/question/34568587/answer/2008749222

yilksd avatar Nov 20 '21 04:11 yilksd
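The local-resolver filter proposed in the last comment, written out as an added example that is not part of this thread or of the LAN-port-scan-forbidder project: DNS answers for a domain not on an allowlist are dropped when they point into the private ranges listed above (using the full RFC blocks 127.0.0.0/8 and 100.64.0.0/10 for loopback and shared address space). The allowlist entries and the sample replies are constructed for illustration.

```python
import ipaddress

# Blocks that a domain outside the allowlist must never resolve to. The list
# follows the thread above, widened to the full loopback block (127.0.0.0/8)
# and the full shared address space (100.64.0.0/10). IPv4 only; a real
# resolver filter would add ::1/128 and fc00::/7 for AAAA records.
FORBIDDEN_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

# Domains legitimately allowed to resolve into those blocks. Sub-domains of an
# entry are allowed too. Constructed example allowlist, not a recommendation.
ALLOWED_DOMAINS = {"localhost", "internal.example"}


def is_allowed_domain(name, allowlist=ALLOWED_DOMAINS):
    """True if the queried name (or a parent of it) is on the allowlist."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in allowlist)


def is_forbidden_ip(ip):
    """True if the address lies in one of the private/loopback blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in FORBIDDEN_NETS)


def filter_answers(name, answers, allowlist=ALLOWED_DOMAINS):
    """Split the A-record answers of one reply into (kept, dropped).

    Records pointing into FORBIDDEN_NETS are dropped unless the queried name
    is allowlisted, so a public domain cannot be pointed at 127.0.0.1 or a
    LAN address and used to reach local ports from the browser.
    """
    if is_allowed_domain(name, allowlist):
        return list(answers), []
    kept, dropped = [], []
    for ip in answers:
        (dropped if is_forbidden_ip(ip) else kept).append(ip)
    return kept, dropped


if __name__ == "__main__":
    # Constructed sample replies, not real lookups.
    samples = {
        "evil.example": ["127.0.0.1", "203.0.113.5"],
        "localhost": ["127.0.0.1"],
        "cdn.example": ["198.51.100.7", "100.64.1.1"],
    }
    for qname, ips in samples.items():
        kept, dropped = filter_answers(qname, ips)
        print(f"{qname}: kept={kept} dropped={dropped}")
```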