Open Bug 1452599 Opened 8 years ago Updated 3 years ago

DNS-Over-HTTPS mode == 3 bypassed during shutdown

Categories

(Core :: Networking: DNS, defect, P3)

61 Branch
defect


People

(Reporter: modi.konark, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged][trr][mode 3])

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180329143049

Steps to reproduce:

Firefox Nightly Version: 61.0a1, build ID: 20180408220126

Flip prefs to use TRR:
1. network.trr.bootstrapAddress: 1.1.1.1
2. network.trr.mode: 3
3. network.trr.uri: https://mozilla.cloudflare-dns.com/dns-query
4. network.trr.useGET: true
5. Configure proxy settings as System proxy or HTTP proxy.

Monitor traffic for UDP port 53, e.g. `tshark -n -T fields -e dns.qry.name -f 'src port 53'`

Actual results:

1. All the DNS requests are now being done over UDP (which is the default DNS setting for the system).
2. Irrespective of proxy settings, there are some internal calls in Firefox on shutdown which send data outside of TRR settings:
   a. incoming.telemetry.mozilla.org
   b. pipeline-edge-prod-25-561439127.us-west-2.elb.amazonaws.com

Expected results:

1. I am not entirely sure what the expectation is w.r.t. DNS-Over-HTTPS resolution when the user is using `Use system proxy settings which is configured to use HTTP Proxy` or `HTTP Proxy` directly in FF, especially when the setting is `network.trr.mode: 3`.
2. I am only aware of the option from the UI in the case of a SOCKS proxy: `Proxy DNS when using SOCKS V5`.
Assignee: nobody → daniel
Component: Untriaged → Networking: DNS
Priority: -- → P1
Product: Firefox → Core
Whiteboard: [necko-triaged][trr]
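An added example, not code from the bug report or from Firefox, of checking a capture like the reporter's for lookups that TRR mode 3 should never send over plain UDP/53. It assumes the pref values from the reproduction steps and a constructed sample of `tshark -T fields -e dns.qry.name` output:

```python
# Added example (not from the bug report or Firefox): flag plaintext UDP/53
# lookups that TRR mode 3 does not explain, reading the one-name-per-line
# output of the reporter's command: tshark -n -T fields -e dns.qry.name -f 'src port 53'
from typing import Iterable, List, Optional, Set
from urllib.parse import urlsplit

# Values taken from the reproduction steps in comment 0.
TRR_URI = "https://mozilla.cloudflare-dns.com/dns-query"
BOOTSTRAP_ADDRESS = "1.1.1.1"

# Constructed sample capture (not from the report), one dns.qry.name per line
# as tshark -T fields prints it; trailing dots and repeats get normalised away.
SAMPLE_CAPTURE = """\
mozilla.cloudflare-dns.com
incoming.telemetry.mozilla.org
pipeline-edge-prod-25-561439127.us-west-2.elb.amazonaws.com.
incoming.telemetry.mozilla.org
"""


def allowed_plaintext_names(trr_uri: str, bootstrap_address: Optional[str]) -> Set[str]:
    """Names a mode-3 client may still send to the OS resolver: only the TRR
    host itself, and only when no network.trr.bootstrapAddress is configured."""
    if bootstrap_address:
        return set()
    host = urlsplit(trr_uri).hostname or ""
    return {host.lower()}


def find_leaks(lines: Iterable[str], allowed: Set[str]) -> List[str]:
    """Distinct queried names not covered by `allowed`, in the order first seen.
    Lines are tab-separated tshark fields with dns.qry.name last; one field may
    hold several comma-separated names if a packet carried several queries."""
    leaks: List[str] = []
    for raw in lines:
        last_field = raw.rstrip("\n").split("\t")[-1]
        for name in last_field.split(","):
            name = name.strip().rstrip(".").lower()
            if name and name not in allowed and name not in leaks:
                leaks.append(name)
    return leaks


if __name__ == "__main__":
    allowed = allowed_plaintext_names(TRR_URI, BOOTSTRAP_ADDRESS)
    for name in find_leaks(SAMPLE_CAPTURE.splitlines(), allowed):
        print("plaintext DNS outside TRR mode 3:", name)
```

With the bootstrap address set, as in the report, even the TRR host is reported, since the client should never need to resolve it over UDP in that configuration.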
I don't understand how this is a bypass. The Firefox name resolving functions will use DOH when configured so. When you use a HTTP proxy, the performed name resolves are done by the proxy not by Firefox. I suppose you used a local proxy that made name resolves appear?
I configured FF for DoH as in comment 0, and the default setting for FF is `Use system proxy settings`. Now, because the system settings use a local proxy, it did not use the DoH settings. So, yes, I guess it's not a bypass, and I was not sure what the expected behavior is when a proxy is configured. But now it makes sense, as you mentioned that `When you use a HTTP proxy, the performed name resolves are done by the proxy not by Firefox`. Maybe then this issue can be closed / marked invalid and a different issue opened for:

```
Irrespective of Proxy settings, there are some internal calls in Firefox on shutdown which send data outside of trr settings.
a. incoming.telemetry.mozilla.org
b. pipeline-edge-prod-25-561439127.us-west-2.elb.amazonaws.com
```
(In reply to Konark Modi from comment #2)
> Irrespective of Proxy settings, there are some internal calls in Firefox on
> shutdown which send data outside of trr settings.

Send data where? You mean those were actual UDP-based DNS resolves issued from Firefox when you used trr mode == 3?
(In reply to Daniel Stenberg [:bagder] from comment #3)
> (In reply to Konark Modi from comment #2)
> Send data where? You mean those were actual UDP-based DNS resolves issued
> from Firefox when you used trr mode == 3?

Yes, I meant UDP-based DNS resolves. Sorry about the confusion.
If that's so, then I think this is the real bug here. I suspect it could be due to ordering in the shutdown process or similar.
Summary: DNS-Over-HTTPS bypass when proxy configured. → DNS-Over-HTTPS mode == 3 bypassed during shutdown
See Also: → 1453207
I'm a little confused - DoH should only impact requests that were made via the OS resolver. Are you saying there were requests that previously were not being made (because they were delegated to the proxy) but with DoH they are made with DoH? If so - we should fix that. But maybe I misunderstand.
Moving to P3 because there has been no activity for at least 24 weeks.
Priority: P1 → P3
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Assignee: daniel → nobody
Status: ASSIGNED → NEW
Whiteboard: [necko-triaged][trr] → [necko-triaged][trr][mode 3]

I think I see what's being requested here. Currently, when connecting to (for example) https://en.wikipedia.org/ with an HTTP proxy, it will connect to the proxy and send it "CONNECT en.wikipedia.org:443 HTTP/1.1", letting the proxy do the DNS resolution and basically completely ignoring DoH. This bug is asking for Firefox to instead look up en.wikipedia.org, getting back 208.80.153.224, then connect to the proxy and send it only "CONNECT 208.80.153.224:443 HTTP/1.1". This way, details of the hostname aren't unnecessarily leaked to the proxy server.

Blocks: doh
Severity: normal → S3