SOCKS Proxies in Internet Explorer

We recently had a report over on the IEBlog that SOCKS proxies are not supported by IE9 Beta. That observation is correct, and it is a regression from prior versions of Internet Explorer; IE9 Beta simply ignores the SOCKS proxy if one is specified in the Internet Control Panel.

Update: This regression, introduced in IE9 Beta, was fixed in the IE9 Release Candidate.

Outside of this regression, WinINET (and thus IE) only supports sending traffic to a SOCKS proxy via the v4 protocol. One major shortcoming of v4 of the protocol (remediated in version 4a, not supported in any version of IE) is that the v4 protocol requires that the client send the target IP address of the remote site in its request to the proxy. That limitation means that the client computer must have a working DNS resolver. It also means that even if SOCKS is being used to route traffic to the proxy over a secured connection (e.g. SSH), the client will perform DNS requests from its local, unsecured network connection. This may also pose a privacy threat if the client is using SOCKS to connect to the TOR network (since DNS queries will be performed outside of the TOR protocol).
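The difference between the two protocol versions is visible in the request bytes themselves. The following is an added example, not code from WinINET or from this post: it builds a SOCKS4 and a SOCKS4a CONNECT request and classifies a captured request by which side performs the DNS lookup. The function names and sample targets are illustrative assumptions; the field layout follows the published SOCKS4 and SOCKS4a specifications.

```python
import ipaddress
import struct

CONNECT = 1  # CD field value for a CONNECT request

def build_socks4(ip: str, port: int, user: bytes = b"") -> bytes:
    """SOCKS4: VN, CD, DSTPORT, DSTIP, USERID, NUL. The client must supply the IP."""
    return (struct.pack(">BBH", 4, CONNECT, port)
            + ipaddress.IPv4Address(ip).packed + user + b"\x00")

def build_socks4a(host: str, port: int, user: bytes = b"") -> bytes:
    """SOCKS4a: DSTIP is the placeholder 0.0.0.1 and the hostname follows USERID."""
    return (struct.pack(">BBH", 4, CONNECT, port) + b"\x00\x00\x00\x01"
            + user + b"\x00" + host.encode("ascii") + b"\x00")

def parse_request(data: bytes) -> dict:
    """Classify a captured request and report which side performs the DNS lookup."""
    if len(data) < 9:
        raise ValueError("truncated SOCKS4 request")
    version, command, port = struct.unpack(">BBH", data[:4])
    if version != 4:
        raise ValueError("not a SOCKS4/4a request")
    dst_ip = data[4:8]
    user_end = data.index(0, 8)          # ValueError if USERID is unterminated
    # 4a marker: first three octets zero, last octet non-zero (0.0.0.x)
    if dst_ip[:3] == b"\x00\x00\x00" and dst_ip[3] != 0:
        tail = data[user_end + 1:]
        host = tail[:tail.index(0)].decode("ascii")  # ValueError if unterminated
        return {"variant": "4a", "target": host, "port": port, "dns_by": "proxy"}
    target = str(ipaddress.IPv4Address(dst_ip))
    return {"variant": "4", "target": target, "port": port, "dns_by": "client"}

if __name__ == "__main__":
    # Constructed sample requests (documentation address and domain)
    for req in (build_socks4("192.0.2.10", 80), build_socks4a("example.com", 443)):
        print(req.hex(" "), parse_request(req))
```

A request classified as `dns_by: client` means the hostname was resolved on the local network before the proxy was ever contacted, which is the DNS exposure described above.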

To date, we’ve heard very little feedback about the limited support for SOCKS in IE. Most users are satisfied with the existing CERN-proxy support for HTTP/HTTPS/FTP traffic, and for cases where full socket proxying is required, VPN or RAS software is used instead. Note that it’s also possible to use a proxy like Fiddler as a gateway/bridge to an upstream SOCKSv4a server. See this StackOverflow entry for details.


Comments (9)

  1. why not? says:

    I posted that on IEBlog. Firefox supports DNS via SOCKS; it's a cool feature that many people in CN love.

    PS: To get a local PAC file to work, I had a lot of trouble and found at last that the path syntax must be "file://C:proxy.pac"; "file:///a/b" or "file:\ab" both fail.

  2. Lionel says:

    Well, I use the SOCKS proxy functionality with SSH quite often, although this has not happened since I installed IE9 beta.  This kind of tunneling is a rather common scenario for students at some places, although many SSH users have switched to Firefox.

    If IE could do DNS lookups through the SOCKS proxy, I would be very happy about it.

    Another scenario you might want to keep in mind is people seeking some degree of privacy on the Internet.  Tor uses a SOCKS proxy to anonymize browsing.  (Proxying DNS lookups is also very important in this scenario.)

  3. Peter says:

    How will this affect other programs that use the SOCKS proxy functionality of WinInet? Will they be broken after the user installs IE9?

  4. David says:

    Please support socks5 proxy and remote dns in IE9 final. We really need this to circumvent GFW.

  5. Miked says:

    Simply ignoring the setting in IE because it only supports SOCKS4 is just silly.

    Microsoft really should look at improving this to at least 4a (this is a very small change in the protocol) but if this can't be done why remove a feature that was there just because it only supports an older protocol?

    This is a bug in my opinion, especially considering the SOCKS option is still available in the Internet Settings tab. This feature is used by thousands of people worldwide that I know about (I run an IP changing service) and we have to tell them that they cannot use IE9 because this feature simply does not work.

  6. EricLaw says:

    Peter, yes this will impact any program using WinINET after IE9 beta is installed.

    Miked, yes, of course this is a bug in the beta, hence this blog post.

    Lionel, the Tor scenario is the reason I mentioned the lack of support for remote DNS.

  7. Craig says:

    My only use case for IE is to run OWA. I run OWA through a socks proxy to connect to work. So, yes, this is critical functionality for at least one user.

  8. Joost says:

    For working at home I do need IE over Socks. Only way to test IE websites from our development server (connect to webserver over SSH). Otherwise IE can only be tested at the physical office (or over VPN, which we don't have (only SSH)).

  9. China says:

    Sorry for digging up an old post and I hope someone in MSFT is still reading it. Please think of the children (in China). If the DNS is resolved in the SOCK server, I could have only used putty to surf with dynamic port redirection (SOCK), and would not have to go through the complicated process of setting up Privoxy.

    I believe you must have heard of the GFW?