
Mitmproxy 11 Released: Full HTTP/3 Support and DNS Enhancements

Mitmproxy has released version 11, which adds full support for HTTP/3 in both transparent and reverse proxy modes. The release also brings a range of DNS-related improvements, enhanced privacy features, and better handling of modern web protocols.

On the DNS side, previous versions limited mitmproxy’s DNS functionality to A/AAAA queries (for IPv4/IPv6 addresses) made through the getaddrinfo API. With the introduction of the Rust-based Hickory DNS library, mitmproxy can now support a broader range of query types, including HTTPS records, which signal HTTP/3 support. This upgrade brings mitmproxy in line with modern DNS requirements and makes it more versatile for network analysis.

Furthermore, the new version supports DNS-over-TCP, a critical enhancement for handling larger DNS responses that cannot fit into a single UDP packet. Mitmproxy also introduces the options dns_name_servers, which lets users specify custom DNS servers, and dns_use_hosts_file, which makes it possible to bypass the system hosts file for better flexibility. These options give users more control over DNS handling across a variety of use cases.

Another improvement in this release is the handling of Encrypted Client Hello (ECH), a new privacy feature designed to obscure the target domain from passive observers during the TLS handshake. While ECH enhances privacy, it complicates mitmproxy’s ability to generate certificates for intercepted connections. To address this, mitmproxy 11 now strips ECH keys from DNS HTTPS records, allowing the proxy to function while maintaining visibility into the target domain.
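The HTTPS record handling described above, sketched as an added example (not mitmproxy's own code): it parses HTTPS record RDATA in the RFC 9460 wire format, reads the alpn list that advertises HTTP/3, and re-encodes the record without the ech parameter. SAMPLE is a constructed record whose ech value is placeholder bytes, not a real ECH configuration.

```python
import struct
SVC_PARAM_ALPN = 1  # SvcParamKey "alpn" (RFC 9460)
SVC_PARAM_ECH = 5   # SvcParamKey "ech" (RFC 9460)

def parse_https_rdata(rdata: bytes):
    """Split HTTPS RDATA into (priority, target_name_wire, {key: value})."""
    if len(rdata) < 3:
        raise ValueError("RDATA too short")
    (priority,) = struct.unpack_from("!H", rdata, 0)
    pos = 2
    while True:  # TargetName: uncompressed, length-prefixed labels, root = 0x00
        if pos >= len(rdata):
            raise ValueError("truncated TargetName")
        label_len = rdata[pos]
        if label_len > 63:
            raise ValueError("invalid or compressed label")
        pos += 1 + label_len
        if label_len == 0:
            break
    target, params = rdata[2:pos], {}
    while pos < len(rdata):  # SvcParams: 2-byte key, 2-byte length, value
        if pos + 4 > len(rdata):
            raise ValueError("truncated SvcParam header")
        key, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("truncated SvcParam value")
        params[key] = rdata[pos:pos + length]
        pos += length
    return priority, target, params

def alpn_ids(params: dict) -> list:
    """Decode the alpn value: a list of 1-byte-length-prefixed protocol IDs."""
    raw, out, i = params.get(SVC_PARAM_ALPN, b""), [], 0
    while i < len(raw):
        out.append(raw[i + 1:i + 1 + raw[i]].decode("ascii"))
        i += 1 + raw[i]
    return out

def strip_ech(rdata: bytes) -> bytes:
    """Re-encode the record without the ech parameter; other params are kept."""
    priority, target, params = parse_https_rdata(rdata)
    params.pop(SVC_PARAM_ECH, None)
    out = struct.pack("!H", priority) + target
    for key in sorted(params):  # keys must appear in ascending order
        out += struct.pack("!HH", key, len(params[key])) + params[key]
    return out

# Constructed sample: priority 1, target ".", alpn=h3,h2, ech=8 placeholder bytes
SAMPLE = b"\x00\x01\x00" + b"\x00\x01\x00\x06\x02h3\x02h2" + b"\x00\x05\x00\x08" + b"\xaa" * 8
```

Without the ech parameter a client has no ECH configuration to use, so the server name appears in the ClientHello and the proxy can read it.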

The update also sparked community discussion. User Onavo raised the question:

Do HTTP/2 and HTTP/3 offer any benefits if they are only supported by the reverse proxy but not the underlying web server? Most mainstream JS/Python/Ruby frameworks do not support the newer HTTP standards. Will not the web server be a bottleneck for the reverse proxied connection?

AgentME responded by clarifying:

Yes, because HTTP/2 or HTTP/3 will improve the reliability of the connection between the client and the reverse proxy. The connection between the reverse proxy and the underlying web server is usually much faster and more reliable, so that part would benefit much less from being upgraded to HTTP/2 or HTTP/3.

These updates are part of a larger effort supported by the Google Summer of Code under the Honeynet Project. They were developed by Gaurav Jain, a student contributor who worked on them under the mentorship of Maximilian Hils.

The new version can now be downloaded directly from the official Mitmproxy website.
