[clug] firefox checks links?

Eyal Lebedinsky eyal at eyal.emu.id.au
Tue Aug 25 03:57:39 MDT 2009


Thanks Daniel,

For one, I use the browser as it was delivered, not having turned on any features
in it or in the system in general. This seems to be the default.

My question about dnssec was prompted by my impression that it is only lightly
adopted and at this point may not offer as much benefit as the design suggests.

I will look at the ipv6 issue too, I did not actively select it. So far I failed
to configure the resolver to not use ipv6.

cheers

Daniel Pittman wrote:
> Eyal Lebedinsky <eyal at eyal.emu.id.au> writes:
> 
>> This is ff 3.5.2 on f11.
>>
>> I notice a large number of reports in my log like
>> 	named[3085]: network unreachable resolving 'gallery.orchidspng.com/A/IN': 2001:503:231d::2:30#53
>> and I assume that many more lookups are done that do not fail.
> 
> That seems likely.  FWIW, since you evidently don't have working IPv6 you can
> probably make your life nicer by configuring your resolver to look for IPv4
> addresses only.
> 
>> After some checking I noted that this url is listed in a links page (my
>> local homepage). I did not open any of these links, yet firefox shows some
>> interest.
>>
>> What is firefox doing? I turned off safe-browsing - are there more such
>> safety features in firefox?
> 
> Firefox had a feature to prefetch links from the page, perhaps you have that
> turned on?  Check 'network.prefetch-next'.
> 
> Also, note that Firefox will also prefetch explicitly requested prefetch links
> and all, so you may still see the behaviour.
> 
> (and, kids, *THIS* is why we never, ever use a web application that has a
>  regular GET link that causes destructive changes, right? ;)
> 
>> Is it doing some kind of pre-emptive lookup (how can I disable it then)?
> 
> Possibly.
> 
>> I also notice messages like
>> 	named[3085]: network unreachable resolving
>> 	'storagereview.com.dlv.isc.org/DLV/IN': 2001:500:2c::254#53
>> which I assume are the DNSSEC part of other lookup entries.
> 
> Well, they are part of the DLV check you configured as part of your DNSSEC
> enabled resolver, but are caused by your configuring the resolver to check
> IPv6 despite not having a working IPv6 configuration.
> 
>> Should I leave dnssec enabled?
> 
> I have no idea.  What is your threat model?  Why did you turn it on in the
> first place?  Why do you think you should turn it off?
> 
> We can't tell you what level of security is appropriate to your situation and
> tastes.  Only you can do that.
> 
> Regards,
>         Daniel


-- 
Eyal Lebedinsky	(eyal at eyal.emu.id.au)
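
The following is an added example, not part of the original thread: a small Python parser for the "network unreachable resolving" messages quoted above. It shows which names the resolver was asked about, how many attempts went to IPv6 servers, and how many were DLV checks. The sample log is constructed from the two messages in the thread plus invented lines, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the two messages quoted in the thread plus two invented lines.
SAMPLE_LOG = """\
named[3085]: network unreachable resolving 'gallery.orchidspng.com/A/IN': 2001:503:231d::2:30#53
named[3085]: network unreachable resolving 'storagereview.com.dlv.isc.org/DLV/IN': 2001:500:2c::254#53
named[3085]: network unreachable resolving 'gallery.orchidspng.com/AAAA/IN': 2001:503:231d::2:30#53
named[3085]: some unrelated message
"""

LINE_RE = re.compile(
    r"named\[\d+\]: network unreachable resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)': "
    r"(?P<server>[0-9A-Fa-f:.]+)#(?P<port>\d+)"
)
DLV_ZONE = ".dlv.isc.org"  # the look-aside zone seen in the quoted log line


def parse_line(line):
    """Return a dict for one 'network unreachable' message, or None."""
    m = LINE_RE.search(line)  # search() tolerates a syslog timestamp/host prefix
    if not m:
        return None
    name = m["name"].rstrip(".").lower()
    is_dlv = m["rtype"] == "DLV"
    # A DLV query is the original name with the look-aside zone appended,
    # so strip the zone to recover the name that triggered the check.
    origin = name[: -len(DLV_ZONE)] if is_dlv and name.endswith(DLV_ZONE) else name
    return {
        "origin": origin,
        "rtype": m["rtype"],
        "dlv": is_dlv,
        "ipv6": ipaddress.ip_address(m["server"]).version == 6,
    }


def summarize(log_text):
    """Count failed lookups by transport, DLV status and originating name."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "total": len(records),
        "ipv6_servers": sum(r["ipv6"] for r in records),
        "dlv_lookups": sum(r["dlv"] for r in records),
        "by_origin": Counter(r["origin"] for r in records),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Names in `by_origin` that match links on a page that was only viewed, never clicked, are consistent with the lookups being made ahead of any click.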
