Access to intranet sites no longer work in 5.3
-
After upgrading from 5.2.2623.48-1 to 5.3.2679.38-1 (Debian amd64) I can no longer access intranet sites that also have an external IP address assigned, Vivaldi always picks the IP address from the external DNS.
I found the setting "DNS to help resolve navigation errors", disabled it and restarted Vivaldi, but I still see the same behaviour. If I resolve the IP from the command-line or use Firefox I see the correct page.
-
@nafmo Do you use the short hostname (f.ex. mytestserver) or the complete domain (mytestserver.domain.tld) to access the intranet site? Do you use a proxy or VPN?
Does the hostname of your intranet site resolve:
nslookup mytestserver
Vivaldi picks the IP resolved from your local DNS server.
If your intranet site resolves to an internal and external IP the faster DNS response will win. Try to clear Vivaldi DNS cache
vivaldi://net-internals/#dns
-
@nafmo said in Access to intranet sites no longer work in 5.3:
intranet sites that also have an external IP address assigned
How this? Set in host file or in local DNS and external DNS?
And which route is active in your LAN?
-
@DoctorG The particular address that fails is on the format name.domain.tld, because it is HTTPS and has a valid certificate. When accessed from the internet-facing IP you get to a different machine which displays an error message, but is used to create the letsencrypt certificate.
I am currently on the intranet, and my DNS server and the internal view of the machine is on the same network, so there are no hops between me and the server, yet Vivaldi opens the external IP.
I tried vivaldi://net-internals/#dns now, but it made no difference
Command line:
$ host redacted.host.tld
redacted.host.tld has address 10.0.30.10
Developer Tools:
Request URL: https://redacted.host.tld/
...
Remote Address: 185.XXX.108.13:443
-
@nafmo Are you using DNS-over-HTTPS?
Check chrome://settings/security if "Use Secure DNS" is enabled. Turn it off to use local DNS.
You can also save a network log from:
vivaldi://net-export
And then examine it in Netlog Viewer.
A DNS resolve over DoH event:
92: HOST_RESOLVER_IMPL_JOB
forum.vivaldi.net
Start Time: 2022-06-07 13:16:55.047

t=2190 [st=0] +HOST_RESOLVER_MANAGER_JOB [dt=6]
    --> dns_query_types = ["A"]
    --> host = "forum.vivaldi.net"
    --> network_isolation_key = "null null"
    --> secure_dns_mode = 1
    --> source_dependency = 90 (NETWORK_SERVICE_HOST_RESOLVER)
t=2190 [st=0] HOST_RESOLVER_MANAGER_JOB_REQUEST_ATTACH
    --> priority = "IDLE"
    --> source_dependency = 90 (NETWORK_SERVICE_HOST_RESOLVER)
t=2190 [st=0] HOST_RESOLVER_MANAGER_JOB_STARTED
t=2190 [st=0] +HOST_RESOLVER_MANAGER_DNS_TASK [dt=6]
    --> secure = true
    --> transactions_needed = [{"dns_query_type":1}]
t=2190 [st=0] +DNS_TRANSACTION [dt=6]
    --> hostname = "forum.vivaldi.net"
    --> query_type = 1
t=2190 [st=0] +DNS_TRANSACTION_QUERY [dt=6]
    --> qname = "forum.vivaldi.net"
t=2195 [st=5] HOST_RESOLVER_MANAGER_JOB_REQUEST_ATTACH
    --> priority = "HIGHEST"
    --> source_dependency = 100 (SSL_CONNECT_JOB)
t=2196 [st=6] DNS_TRANSACTION_RESPONSE
    --> additional_answer_count = 1
    --> answer_count = 3
    --> rcode = 0
    --> source_dependency = 93 (URL_REQUEST)
t=2196 [st=6] -DNS_TRANSACTION_QUERY
t=2196 [st=6] -DNS_TRANSACTION
t=2196 [st=6] -HOST_RESOLVER_MANAGER_DNS_TASK
    --> results = {"aliases":["forum.vivaldi.net"],"expiration":"13299058084929423","ip_endpoints":[{"endpoint_address":"172.67.29.168","endpoint_port":0},{"endpoint_address":"104.22.77.159","endpoint_port":0},{"endpoint_address":"104.22.76.159","endpoint_port":0}]}
t=2196 [st=6] -HOST_RESOLVER_MANAGER_JOB
Here you can see:
secure_dns_mode = 1
Under DNS, it will show what DoH server is used:
doh_config {"server_template":"https://chrome.cloudflare-dns.com/dns-query"}
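
An added example, not part of the original thread or any poster's code: a Python check that reads one host-resolver event in the NetLog text layout quoted above and reports whether the answer came over DoH and whether it bypassed the address the local resolver returns. The function names, the sample host and the sample address are constructed for illustration.

```python
import ipaddress
import json
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the layout of the NetLog event quoted in this thread;
# the host name and the address are made up.
SAMPLE_EVENT = '''t=2190 [st=0] +HOST_RESOLVER_MANAGER_JOB [dt=6]
    --> host = "intranet.example.test"
    --> secure_dns_mode = 1
t=2190 [st=0] +HOST_RESOLVER_MANAGER_DNS_TASK [dt=6]
    --> secure = true
t=2196 [st=6] -HOST_RESOLVER_MANAGER_DNS_TASK
    --> results = {"ip_endpoints":[{"endpoint_address":"203.0.113.13","endpoint_port":0}]}
'''

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def analyse_event(text, expected_ip=None):
    """Summarise one resolver job; expected_ip is what the local DNS returns."""
    host = re.search(r'\bhost = "([^"]+)"', text)
    mode = re.search(r'secure_dns_mode = (\d+)', text)
    secure = re.search(r'\bsecure = (true|false)', text)
    addrs = []
    start = text.find("results = {")
    if start != -1:
        # raw_decode stops at the end of the JSON object, so trailing events are ignored
        obj, _ = json.JSONDecoder().raw_decode(text, start + len("results = "))
        addrs = [e["endpoint_address"] for e in obj.get("ip_endpoints", [])]
    over_doh = bool(secure and secure.group(1) == "true")
    return {
        "host": host.group(1) if host else None,
        "secure_dns_mode": int(mode.group(1)) if mode else None,
        "answered_over_doh": over_doh,
        "addresses": addrs,
        "rfc1918_only": bool(addrs) and all(is_rfc1918(a) for a in addrs),
        # The split-horizon symptom from the thread: DoH answered and the
        # address the local resolver gives is not among the results.
        "bypassed_local_dns": over_doh and expected_ip is not None and expected_ip not in addrs,
    }

if __name__ == "__main__":
    print(analyse_event(SAMPLE_EVENT, expected_ip="10.0.30.10"))
```

Pass the address that `host` or `nslookup` returns on the intranet as `expected_ip`; a true `bypassed_local_dns` matches the behaviour reported at the top of the thread.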
-
@Pathduck Thanks! Apparently it was not enough to disable the DNS override in Vivaldi's settings, I also had to disable it in the hidden Chrome settings.
Stupid idea to hide such a disruptive setting like that. And to default it to on, at that.
-
@nafmo Great
"DNS override"
If by that you mean "Use DNS to help resolve...", this is not DoH but also uses Google DNS servers (8.8.8.8) to resolve. But I think only if local DNS fails first.
"Stupid idea to hide such a disruptive setting like that. And to default it to on, at that."
Yes, I don't like it either and keep it off. For most users not in a corporate environment DoH is generally preferred I believe. Although I think DoH is overrated as a privacy feature. I trust my local DNS and ISP more than I trust Cloudflare or other providers.
-
The default of ON for Secure DNS is a nasty trap, causing bad effects with Chromium browsers.
I do not understand why such an experimental Chromium thingy "SecureDNS" is on!
-
@DoctorG Yes, but don't you remember all the "Vivaldi does not support DNS-over-HTTPS!" posts when it didn't?
Actually, to be fair, I don't think it automatically enables DoH, it checks local DNS settings, if it finds you're using one of the supported providers (i.e. 1.1.1.1) it will enable this provider in Secure DNS. It would be really nasty if it just defaulted to say Google DNS. But I wouldn't put it past Google to do so...
-
@Pathduck said in Access to intranet sites no longer work in 5.3:
For most users not in a corporate environment DoH is generally preferred I believe
@Pathduck said in Access to intranet sites no longer work in 5.3:
remember all the "Vivaldi does not support DNS-over-HTTPS!" posts
Slightly OT'ish
I might have been one of those banging on with moans & whines for years in dismay that Nix chromium [ergo, V] missed out on native DoH for a couple of years after windoze got it. Once eventually chromium [ergo, V] got it in Nix, i adopted it immediately & loved it. Ironically [& quite hysterically tbh], soon afterwards for unrelated reasons i chose to change my VPN provider, & discovered that after having lusted after DoH for so long, i then had to abandon it coz it buggered my new VPN's geo-hopping efficacy [it created a DNS leak that allowed various O/S sites to realise what was going on, & block me, until i then forced said VPN's own DNS address in lieu of DoH in my NetworkManager, which then restored my geo-hopping success].