Why doesn't GetAddrInfo work from behind a proxy?


A customer was having a problem with the Get­Addr­Info function when running inside a corporate proxy environment.

We are trying to get the IP address of, say, www.microsoft.com by using the Get­Addr­Info function. This works fine if the computer is not behind a proxy, but if it is run in a corporate proxy environment, the call fails with WSAHOST_NOT_FOUND.

The Get­Addr­Info function operates at a level below proxies. When you have a Web proxy, the computer never actually talks to www.microsoft.com directly. Instead, you connect to the proxy and tell the proxy, "Please contact www.microsoft.com for me, thanks." That's why it's called a "proxy".

You never see the IP address of www.microsoft.com; the only IP address you see is that of the proxy. Besides, since you are inside a corporate proxy environment, even if you had the IP address for www.microsoft.com, it is of no use to you since you cannot connect to it.

There are products that try to smooth over this boundary, so that programs think that they are connected directly to the Internet when in fact they are talking through the proxy.

Comments (25)
  1. Xv8 says:

    >it is of no use to you since you cannot connect to it

    Well, you *might* be able to connect to it, even though the DNS lookup is blocked.

    Although if you can, your network admin is doing something very wrong.

  2. PI says:

    I do not see the connection between the proxy and the DNS (we are talking about HTTP proxy, right?). You should be able to send a DNS request regardless of using a proxy. The proxy is handling only the HTTP traffic. Am I missing something ?

  3. laonianren says:

    @PI The two things are entirely distinct.

    But in a corporate environment you may well find the network configured so that end-user devices (including PCs) can't directly connect to anything outside the corporate network.  In such a configuration the internal DNS servers typically won't forward DNS queries outside the network either.

  4. Medinoc says:

    But how will the proxy server know you're trying to connect to http://www.microsoft.com if all the information the client gives it is its own IP address?

  5. Chris says:

    @Medinoc the proxy server handles the DNS request, as well.  (That's why your system gets the proxy server's IP address; the DNS request goes to the proxy server, which returns its own address.)

    This is just for a complete proxy, however.  There are some proxies that only redirect some traffic (such as HTTP), while leaving the rest alone.

  6. Medinoc says:

    @Chris But clients can cache the DNS results, right?

  7. Tristan Miller says:

    @Medinoc The DNS cache should be flushed on a connection change event for this reason.

  8. Scott Brickey says:

    @Medinoc

    had to reproduce some proxy client code, and I found that HTTP proxies are basically an HTTP server that wraps the request... so basically, I connect (telnet/plaintext) to ProxyServer:80 to do "GET http://www.microsoft.com /url/to/KB/article"

    the proxy server then does the entire request itself.

    I do wonder how many applications properly support proxy servers... since I only learned of this about two weeks ago, yet some of my 10+ old code "supported" proxies.

  9. Tim says:

    @Medinoc: It depends what kind of proxy you're using.

    With an HTTP proxy, you make a normal GET request except you request the full URL instead of just the path, so the proxy will do the DNS request itself and then make the HTTP request.

    With an HTTP CONNECT-capable proxy (for SSL, typically) you send a CONNECT request which again does the DNS for you and opens a transparent connection to the target port.

    With a transparent HTTP proxy, you send a DNS request, which can either be intercepted to return the proxy's IP, or the proxy can intercept your connection to the actual IP and interpret the request itself, which it can do because the browser includes a Host header that specifies the DNS name being requested.

    With a SOCKS proxy, you can either request a connection by IP or DNS name, and in the latter case the proxy will perform the request for you.

  10. Gabe says:

    Scott Brickey: Windows has a standard location for holding the proxy configuration in the registry and WinInet uses it automatically. Since most likely any application you have that attempts to access URLs is using WinInet behind the scenes, proxy support comes along automatically.

  11. gdalsnes says:

    Why does it return WSAHOST_NOT_FOUND? I would assume it returned its own ip. And does this mean that they can't browse http://www.microsoft.com on their corporate network?

  12. Karellen says:

    @Chris, it can't be right that the proxy handles DNS requests as well, because as @arghhhhhhhhh points out, if that were the case, you would not get WSAHOST_NOT_FOUND, you would get a successful reply with the IP of the proxy. Which is not what was observed by the original customer.

    However, if DNS claims that a domain is not found, then it's surprising that the browser would even bother trying to connect at all.

    The most likely explanation therefore is that, if you have an HTTP(S) proxy configured, your browser doesn't ask your computer to do any DNS lookups at all. If the browser gets given an address that looks anything vaguely like an HTTP(S) request, it presumably just connects directly to the proxy, and asks it to do *all* the work instead.

    [Web browsers consult proxy configuration before going to DNS as a last resort. Read more on Wikipedia. Kids nowadays. When I was your age, we had to configure our proxies manually. Now get off my lawn. -Raymond]
  13. Greg W says:

    @gabe "proxy support comes along automatically"

    With the exception of authenticating proxies.  Then even some very recent MS products with years of complaints still fail miserably at what to do with an auth challenge (VS2010 -> VS2015 I'm looking at you).

  14. Cesar says:

    An interesting juxtaposition of topics between this post and yesterday's post...

    On many Unix systems, you can tell programs to use a proxy by setting a few environment variables ("http_proxy" and others).

    (On Windows, AFAIK you set up the proxy in Internet Explorer's configuration, which can also be reached through the Control Panel, and other programs are supposed to magically pick it up by using wininet.dll. I don't know how it should be done now that Internet Explorer is going to be discontinued and replaced by Edge. Also, I've never seen anyone use PAC; everywhere I've seen that used proxies, they were always manually configured.)

  15. Harry Johnston says:

    @Cesar: technically, that isn't the "Internet Explorer configuration" - it's the Internet Properties, part of Windows whether IE is present or not.  It's just that IE is the only browser that pays attention to most of the settings.  (Actually I'd guess that Edge uses at least some of them.)

  16. @Greg W: You can also run into problems when using .NET on Windows 7 onwards if you're using NTLM authentication with the proxy.  One of our clients has an older ScanSafe proxy that doesn't support 128-bit encryption of the NTLM challenge-response, which is the default minimum requirement for servers and clients in Windows 7.  You can change it, of course, but a lot of IT departments don't like it when you tell them "turn this security setting off".  Mind you they don't like it when you tell them the alternative is to stop using out of date proxy hardware either.

  17. Medinoc says:

    So, there must always be a modicum of proxy-awareness in the client? (if only to make them pass the full server address instead of just the internal URL) Unless...

    @Tim: Thanks. So if I get it right, only a transparent HTTP proxy can work without the client's knowing, by basically handling router duties (returning its own MAC address to ARP requests, knowing where to connect from the IP address in the IP headers) in addition to proxy duties?

  18. Alex Cohn says:

    But the problem with transparent proxy is that it cannot handle HTTPS traffic.

  19. Anon says:

    There are transparent proxies that handle HTTPS.  To do that, every end-user has to install a new TLS CA certificate in their browser.  The transparent proxy sees a connection to https://example.com, and uses the CA key that is built into the browser to generate a new "fake" TLS certificate for https://example.com.  It then establishes an encrypted TLS connection to the browser using that fake certificate, and establishes its own new encrypted TLS connection to the real web site, and then decrypts, examines, re-encrypts and forwards the data.

    This only works if your organization creates a new CA key/certificate pair and makes all client devices install the certificate.  Or if you persuade one of the trusted global CAs to issue you a sub-root that can be used for this - although if a global CA does that and is caught, they are likely to be blacklisted by browsers (this has happened).

  20. Well, you can do it by essentially staging a man in the middle attack.  Of course that fails if the client is actually doing certificate based authentication rather than just encryption and blindly accepting the remote certificate so long as it's valid.

  21. Anon says:

    @Anon

    Or if you're Lenovo, and install the garbage certs at the factory!

  22. Alex Cohn says:

    @Anon: this is possible, but hardly very transparent

  23. Zan Lynx' says:

    @Alex Cohn: Really most people don't notice the SSL intercept. So it is transparent for them.

    Only paranoid people who use certificate pinning extensions or who open up the SSL information window and look at the signing authority notice.

  24. SoftPCMuseum says:

    Not exactly on-topic, I know, but was http://FTP.MICROSOFT.COM (a.k.a. the "Microsoft FTP Server") finally taken offline for good? I'm asking this because I can't seem to access it anymore, and even many of Google's "cached" pages for the text files have since been removed.
