Closed Bug 1495126 Opened 6 years ago Closed 5 years ago

Not showing correct DoH info on Cloudflare security check page

Categories

(Core :: Networking: DNS, enhancement, P3)

RESOLVED DUPLICATE of bug 1525854

People

(Reporter: jduell.mcbugs, Unassigned)

Details

(Whiteboard: [necko-triaged][trr])

When one goes to

   https://www.cloudflare.com/ssl/encrypted-sni/

if DoH is turned on, we should see green for TLS 1.3, Secure DNS (1.1.1.1), DNSSEC, and sometimes (if ESNI was used) ESNI.

Right now ekr is seeing DNSSEC as red. jduell is seeing red for both 1.1.1.1 and DNSSEC. Bagder can repro different results if he reloads many times.

We should coordinate with Cloudflare to figure out what's happening here.
Hi Jason!

With Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0 ID:20180928100051 I get red DNSSEC when 8.8.8.8 is the resolver at the router and 1.1.1.1 is at the device.

The first three checks are green for me when 1.1.1.1 is resolver on both the router and the device.

Which value of network.trr.mode are you using?

I have network.trr.mode set to 2 and network.trr.uri set to https://cloudflare-dns.com/dns-query

https://en.internet.nl/connection/ and https://dnssec.vs.uni-due.de/ are good to test if DNSSEC is broken.

ESNI won't be green until https://bugzilla.mozilla.org/show_bug.cgi?id=1494901 gets fixed.

Hope this helps.

Thanks!
Alex
Priority: -- → P3
Whiteboard: [necko-triaged]
> I get red DNSSEC when 8.8.8.8 is the resolver at the router and 1.1.1.1 is at the device.

That's wonderfully strange since the router's use of DNS is totally independent here and not used by Firefox.

I personally use "https://mozilla.cloudflare-dns.com/dns-query" as TRR URI and when in mode 2, I get occasional DNSSEC failures when I rerun these tests multiple times.

If I switch to mode 3 and rerun the tests again, I've never seen DNSSEC go red.

I got the following initial take from someone who looked at it:

This seems to be a problem with trr.mode = 2. How these testers work: they make a fetch() of a domain with intentionally broken DNSSEC. Since the result of the DNS lookup will be SERVFAIL, the fetch() should fail. However the SERVFAIL also means temporary failure in DNS, so in mode 2, Firefox will try to downgrade to system DNS and resolve again (hopefully ending in SERVFAIL). Now when this happens the fetch() doesn't seem to finish (or gets stalled), so the result isn't either positive or negative.
I ran the test page with "nsHostResolver:5" logging enabled, and it shows that the test resolves a host name in the brokendnssec.net domain. The DoH resolve fails and then it falls back and tries the native resolve, which also fails and the DNS resolver reports that in the callback.

I can't spot any errors in the resolver parts of this logic. The log snippet below shows one of these resolves, with some other resolves interleaved, but this is snipped from a real log when I ran my current mozilla-central build with the cloudflare test site.

[Parent 15433: Main Thread]: D/nsHostResolver Resolving host [c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net] type 0. [this=0x7f05eb4e6820]
[Parent 15433: Main Thread]: D/nsHostResolver   No usable record in cache for host [c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net] type 0.
[Parent 15433: Main Thread]: D/nsHostResolver TRR Resolve c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net type 1
[Parent 15433: Main Thread]: D/nsHostResolver TRR Resolve c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net type 28
[Parent 15433: Main Thread]: D/nsHostResolver   DNS lookup for host [c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net] blocking pending 'getaddrinfo' or trr query: callback [0x7f05c1118820]
[Parent 15433: Socket Thread]: D/nsHostResolver Resolving host [c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net] type 0. [this=0x7f05eb4e6820]
[Parent 15433: Socket Thread]: D/nsHostResolver   Host [c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net] is being resolved. Appending callback [0x7f05c1118c10].
[Parent 15433: Main Thread]: D/nsHostResolver TRR::SendHTTPRequest resolve c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net type 1
[Parent 15433: Main Thread]: D/nsHostResolver TRR::SendHTTPRequest resolve c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net type 28
[Parent 15433: Main Thread]: D/nsHostResolver TRR::OnStartRequest 0x7f05c2bad000 c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net 28
[Parent 15433: Main Thread]: D/nsHostResolver TRR:OnDataAvailable 0x7f05c2bad000 c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net 28 failed=0 aCount=71
[Parent 15433: Main Thread]: D/nsHostResolver TRR:OnStopRequest 0x7f05c2bad000 c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net 28 failed=0 code=0
[Parent 15433: Main Thread]: D/nsHostResolver doh decode c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net 71 bytes
[Parent 15433: Main Thread]: D/nsHostResolver TRR Decode c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net RCODE 2
[Parent 15433: Main Thread]: D/nsHostResolver TRR::On200Response DohDecode 80004005
[Parent 15433: Main Thread]: D/nsHostResolver TRR:OnStopRequest 0x7f05c2bad000 status 0 mFailed 0
[Parent 15433: Main Thread]: D/nsHostResolver nsHostResolver::CompleteLookup c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net 0x7f05c270d920 804B001E trr=28 stillResolving=1
[Parent 15433: Main Thread]: D/nsHostResolver TRR lookup Complete (28) c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net FAILED
[Parent 15433: Main Thread]: D/nsHostResolver TRR::OnStartRequest 0x7f05c2b21000 c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net 1
[Parent 15433: Main Thread]: D/nsHostResolver TRR:OnDataAvailable 0x7f05c2b21000 c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net 1 failed=0 aCount=71
[Parent 15433: Main Thread]: D/nsHostResolver TRR:OnStopRequest 0x7f05c2b21000 c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net 1 failed=0 code=0
[Parent 15433: Main Thread]: D/nsHostResolver doh decode c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net 71 bytes
[Parent 15433: Main Thread]: D/nsHostResolver TRR Decode c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net RCODE 2
[Parent 15433: Main Thread]: D/nsHostResolver TRR::On200Response DohDecode 80004005
[Parent 15433: Main Thread]: D/nsHostResolver TRR:OnStopRequest 0x7f05c2b21000 status 0 mFailed 0
[Parent 15433: Main Thread]: D/nsHostResolver nsHostResolver::CompleteLookup c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net 0x7f05c270d920 804B001E trr=1 stillResolving=0
[Parent 15433: Main Thread]: D/nsHostResolver TRR lookup Complete (1) c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net FAILED
[Parent 15433: Main Thread]: D/nsHostResolver   DNS thread counters: total=3 any-live=0 idle=3 pending=1
[Parent 15433: DNS Resolver #2]: D/nsHostResolver DNS lookup thread - Calling getaddrinfo for host [c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net].
[Parent 15433: Main Thread]: D/nsHostResolver Resolving host [www.cloudflare.com] type 0. [this=0x7f05eb4e6820]
[Parent 15433: Main Thread]: D/nsHostResolver   Using cached record for host [www.cloudflare.com].
[Parent 15433: Main Thread]: D/nsHostResolver Resolving host [www.cloudflare.com] type 0. [this=0x7f05eb4e6820]
[Parent 15433: Main Thread]: D/nsHostResolver   Using cached record for host [www.cloudflare.com].
[Parent 15433: Main Thread]: D/nsHostResolver TRR::OnStartRequest 0x7f05c2712000 c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 28
[Parent 15433: Main Thread]: D/nsHostResolver TRR:OnDataAvailable 0x7f05c2712000 c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 28 failed=0 aCount=145
[Parent 15433: Main Thread]: D/nsHostResolver TRR:OnStopRequest 0x7f05c2712000 c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 28 failed=0 code=0
[Parent 15433: Main Thread]: D/nsHostResolver doh decode c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 145 bytes
[Parent 15433: Main Thread]: D/nsHostResolver TRR Decode: 0 answer records (145 bytes body) c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com index=83
[Parent 15433: Main Thread]: D/nsHostResolver TRR Decode: 1 ns records (145 bytes body)
[Parent 15433: Main Thread]: D/nsHostResolver done with nsRecord now 134 of 145
[Parent 15433: Main Thread]: D/nsHostResolver TRR Decode: 1 additional resource records (145 bytes body)
[Parent 15433: Main Thread]: D/nsHostResolver done with additional rr now 145 of 145
[Parent 15433: Main Thread]: D/nsHostResolver TRR: No entries were stored!
[Parent 15433: Main Thread]: D/nsHostResolver TRR::On200Response DohDecode 80004005
[Parent 15433: Main Thread]: D/nsHostResolver TRR:OnStopRequest 0x7f05c2712000 status 0 mFailed 0
[Parent 15433: Main Thread]: D/nsHostResolver nsHostResolver::CompleteLookup c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 0x7f05ce2bd510 804B001E trr=28 stillResolving=1
[Parent 15433: Main Thread]: D/nsHostResolver TRR lookup Complete (28) c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com FAILED
[Parent 15433: Main Thread]: D/nsHostResolver TRR::OnStartRequest 0x7f05c25bc000 c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 1
[Parent 15433: Main Thread]: D/nsHostResolver TRR:OnDataAvailable 0x7f05c25bc000 c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 1 failed=0 aCount=145
[Parent 15433: Main Thread]: D/nsHostResolver TRR:OnStopRequest 0x7f05c25bc000 c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 1 failed=0 code=0
[Parent 15433: Main Thread]: D/nsHostResolver doh decode c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 145 bytes
[Parent 15433: Main Thread]: D/nsHostResolver TRR Decode: 0 answer records (145 bytes body) c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com index=83
[Parent 15433: Main Thread]: D/nsHostResolver TRR Decode: 1 ns records (145 bytes body)
[Parent 15433: Main Thread]: D/nsHostResolver done with nsRecord now 134 of 145
[Parent 15433: Main Thread]: D/nsHostResolver TRR Decode: 1 additional resource records (145 bytes body)
[Parent 15433: Main Thread]: D/nsHostResolver done with additional rr now 145 of 145
[Parent 15433: Main Thread]: D/nsHostResolver TRR: No entries were stored!
[Parent 15433: Main Thread]: D/nsHostResolver TRR::On200Response DohDecode 80004005
[Parent 15433: Main Thread]: D/nsHostResolver TRR:OnStopRequest 0x7f05c25bc000 status 0 mFailed 0
[Parent 15433: Main Thread]: D/nsHostResolver nsHostResolver::CompleteLookup c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 0x7f05cef85970 804B001E trr=1 stillResolving=0
[Parent 15433: Main Thread]: D/nsHostResolver TRR lookup Complete (1) c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com FAILED
[Parent 15433: Main Thread]: D/nsHostResolver   DNS thread counters: total=3 any-live=0 idle=2 pending=1
[Parent 15433: DNS Resolver #1]: D/nsHostResolver DNS lookup thread - Calling getaddrinfo for host [c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com].
[Parent 15433: DNS Resolver #1]: D/nsHostResolver Calling 'res_ninit'.
[Parent 15433: DNS Resolver #1]: D/nsHostResolver DNS lookup thread - lookup completed for host [c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com]: failure: unknown host.
[Parent 15433: DNS Resolver #1]: D/nsHostResolver nsHostResolver::CompleteLookup c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com (nil) 804B001E trr=0 stillResolving=0
[Parent 15433: DNS Resolver #1]: D/nsHostResolver nsHostResolver record 0x7f05bf48a7a0 new gencnt
[Parent 15433: DNS Resolver #1]: D/nsHostResolver Caching host [c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com] negative record for 60 seconds.
[Parent 15433: DNS Resolver #1]: D/nsHostResolver CompleteLookup: c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com has NO address
[Parent 15433: DNS Resolver #1]: D/nsHostResolver nsHostResolver record 0x7f05bf48a7a0 calling back dns users
[Parent 15433: Socket Thread]: D/nsHostResolver Resolving host [c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com] type 0. [this=0x7f05eb4e6820]
[Parent 15433: Socket Thread]: D/nsHostResolver   No usable record in cache for host [c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com] type 0.
[Parent 15433: Socket Thread]: D/nsHostResolver TRR Resolve c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com type 1
[Parent 15433: Socket Thread]: D/nsHostResolver TRR Resolve c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com type 28
[Parent 15433: Socket Thread]: D/nsHostResolver   DNS lookup for host [c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com] blocking pending 'getaddrinfo' or trr query: callback [0x7f05c109bdc0]
[Parent 15433: Main Thread]: D/nsHostResolver TRR::SendHTTPRequest resolve c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com type 1
[Parent 15433: Main Thread]: D/nsHostResolver TRR::SendHTTPRequest resolve c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com type 28
[Parent 15433: Main Thread]: D/nsHostResolver TRR::OnStartRequest 0x7f05bff5d000 c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 1
[Parent 15433: Main Thread]: D/nsHostResolver TRR:OnDataAvailable 0x7f05bff5d000 c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 1 failed=0 aCount=145
[Parent 15433: Main Thread]: D/nsHostResolver TRR:OnStopRequest 0x7f05bff5d000 c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 1 failed=0 code=0
[Parent 15433: Main Thread]: D/nsHostResolver doh decode c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 145 bytes
[Parent 15433: Main Thread]: D/nsHostResolver TRR Decode: 0 answer records (145 bytes body) c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com index=83
[Parent 15433: Main Thread]: D/nsHostResolver TRR Decode: 1 ns records (145 bytes body)
[Parent 15433: Main Thread]: D/nsHostResolver done with nsRecord now 134 of 145
[Parent 15433: Main Thread]: D/nsHostResolver TRR Decode: 1 additional resource records (145 bytes body)
[Parent 15433: Main Thread]: D/nsHostResolver done with additional rr now 145 of 145
[Parent 15433: Main Thread]: D/nsHostResolver TRR: No entries were stored!
[Parent 15433: Main Thread]: D/nsHostResolver TRR::On200Response DohDecode 80004005
[Parent 15433: Main Thread]: D/nsHostResolver TRR:OnStopRequest 0x7f05bff5d000 status 0 mFailed 0
[Parent 15433: Main Thread]: D/nsHostResolver nsHostResolver::CompleteLookup c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 0x7f05c9088920 804B001E trr=1 stillResolving=1
[Parent 15433: Main Thread]: D/nsHostResolver TRR lookup Complete (1) c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com FAILED
[Parent 15433: Main Thread]: D/nsHostResolver TRR::OnStartRequest 0x7f05c0d2d000 c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 28
[Parent 15433: Main Thread]: D/nsHostResolver TRR:OnDataAvailable 0x7f05c0d2d000 c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 28 failed=0 aCount=145
[Parent 15433: Main Thread]: D/nsHostResolver TRR:OnStopRequest 0x7f05c0d2d000 c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 28 failed=0 code=0
[Parent 15433: Main Thread]: D/nsHostResolver doh decode c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 145 bytes
[Parent 15433: Main Thread]: D/nsHostResolver TRR Decode: 0 answer records (145 bytes body) c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com index=83
[Parent 15433: Main Thread]: D/nsHostResolver TRR Decode: 1 ns records (145 bytes body)
[Parent 15433: Main Thread]: D/nsHostResolver done with nsRecord now 134 of 145
[Parent 15433: Main Thread]: D/nsHostResolver TRR Decode: 1 additional resource records (145 bytes body)
[Parent 15433: Main Thread]: D/nsHostResolver done with additional rr now 145 of 145
[Parent 15433: Main Thread]: D/nsHostResolver TRR: No entries were stored!
[Parent 15433: Main Thread]: D/nsHostResolver TRR::On200Response DohDecode 80004005
[Parent 15433: Main Thread]: D/nsHostResolver TRR:OnStopRequest 0x7f05c0d2d000 status 0 mFailed 0
[Parent 15433: Main Thread]: D/nsHostResolver nsHostResolver::CompleteLookup c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com 0x7f05bff328d0 804B001E trr=28 stillResolving=0
[Parent 15433: Main Thread]: D/nsHostResolver TRR lookup Complete (28) c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com FAILED
[Parent 15433: Main Thread]: D/nsHostResolver   DNS thread counters: total=3 any-live=0 idle=2 pending=1
[Parent 15433: DNS Resolver #3]: D/nsHostResolver DNS lookup thread - Calling getaddrinfo for host [c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com].
[Parent 15433: DNS Resolver #3]: D/nsHostResolver Calling 'res_ninit'.
[Parent 15433: DNS Resolver #3]: D/nsHostResolver DNS lookup thread - lookup completed for host [c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com]: failure: unknown host.
[Parent 15433: DNS Resolver #3]: D/nsHostResolver nsHostResolver::CompleteLookup c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com (nil) 804B001E trr=0 stillResolving=0
[Parent 15433: DNS Resolver #3]: D/nsHostResolver nsHostResolver record 0x7f05bf48a7a0 new gencnt
[Parent 15433: DNS Resolver #3]: D/nsHostResolver Caching host [c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com] negative record for 60 seconds.
[Parent 15433: DNS Resolver #3]: D/nsHostResolver CompleteLookup: c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.is-dot.cloudflareresolve.com has NO address
[Parent 15433: DNS Resolver #3]: D/nsHostResolver nsHostResolver record 0x7f05bf48a7a0 calling back dns users
[Parent 15433: DNS Resolver #2]: D/nsHostResolver Calling 'res_ninit'.
[Parent 15433: DNS Resolver #2]: D/nsHostResolver DNS lookup thread - lookup completed for host [c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net]: failure: unknown host.
[Parent 15433: DNS Resolver #2]: D/nsHostResolver nsHostResolver::CompleteLookup c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net (nil) 804B001E trr=0 stillResolving=0
[Parent 15433: DNS Resolver #2]: D/nsHostResolver nsHostResolver record 0x7f05bf48aae0 new gencnt
[Parent 15433: DNS Resolver #2]: D/nsHostResolver Caching host [c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net] negative record for 60 seconds.
[Parent 15433: DNS Resolver #2]: D/nsHostResolver CompleteLookup: c6ff2815-ad6e-4bf9-aa55-cf45d0b9bc36.brokendnssec.net has NO address
[Parent 15433: DNS Resolver #2]: D/nsHostResolver nsHostResolver record 0x7f05bf48aae0 calling back dns users
Hi Daniel!

FWIW I managed to get all 4 checks to be green with the following in about:config and 1.1.1.1 as DNS resolver in both the device and the router:

network.trr.mode;2
network.trr.uri;https://mozilla.cloudflare-dns.com/dns-query
network.security.esni.enabled;true

Thanks!
Alex
Priority: P3 → P1
Whiteboard: [necko-triaged] → [necko-triaged][trr]
Alex: thanks, sure I can also get it to show green in mode 2 - but it is intermittently failing which I presume is what's happening to other people too. If I rerun the test on the page several times it usually ends up failing eventually, and if I run this with a debug build of Firefox it seems to fail more reliably.

In mode 3 I've never seen it fail.
I could really use someone with much more knowledge and clues about DOM and fetch than I to help out and have a look at this issue. The fetch code on the page seems to detect a problem (times out) for some reason when using TRR mode 2. From my necko perspective, the name resolves all seem to be done and reported back correctly. Also, feel free to pass on the NI if you have a more suitable person for this topic!
Flags: needinfo?(bugs)
Redirecting the NI
Flags: needinfo?(bugs) → needinfo?(amarchesini)
Okay, this might actually typically show the right information and isn't a Firefox issue. (excluding any problems with repeated runs)

In mode 2, when checking a bad DNSSEC name TRR will fail (since the DoH server rejects the name) and fall back to resolve with the native resolver.

If the native resolver then *accepts* a broken DNSSEC name and resolves it successfully, the check goes red. If the native resolver *doesn't* resolve the broken DNSSEC name, the check goes green.

In that regard the test is accurately stating that the name was not DNSSEC-checked.

None of this explains why I can make the test go red after hitting the test button repeatedly though. It should reliably show the same color even on retests...
This isn't strictly a bug but an unfortunate side-effect. I'm lowering the importance but keeping it open for future pondering on how we can improve this.
Flags: needinfo?(amarchesini)
Priority: P1 → P3
Assignee: daniel → nobody
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
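
The mode 2 behaviour described in this thread (TRR fails, the native resolver is tried, and the check colour depends on what the native resolver returns) can be read out of an nsHostResolver:5 log. This is an added example, not part of the bug thread or of Firefox: the log lines are constructed in the format quoted above, the host labels and verdict names are made up, and the wording of the native "success" line is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the nsHostResolver:5 format quoted in the thread.
# Host labels are invented; the "success" result wording is an assumption.
SAMPLE_LOG = """\
[Parent 1: Main Thread]: D/nsHostResolver TRR Decode a.brokendnssec.net RCODE 2
[Parent 1: Main Thread]: D/nsHostResolver TRR lookup Complete (28) a.brokendnssec.net FAILED
[Parent 1: Main Thread]: D/nsHostResolver TRR lookup Complete (1) a.brokendnssec.net FAILED
[Parent 1: DNS Resolver #1]: D/nsHostResolver DNS lookup thread - Calling getaddrinfo for host [a.brokendnssec.net].
[Parent 1: DNS Resolver #1]: D/nsHostResolver DNS lookup thread - lookup completed for host [a.brokendnssec.net]: failure: unknown host.
[Parent 1: Main Thread]: D/nsHostResolver TRR Decode b.brokendnssec.net RCODE 2
[Parent 1: Main Thread]: D/nsHostResolver TRR lookup Complete (1) b.brokendnssec.net FAILED
[Parent 1: Main Thread]: D/nsHostResolver TRR lookup Complete (28) b.brokendnssec.net FAILED
[Parent 1: DNS Resolver #2]: D/nsHostResolver DNS lookup thread - Calling getaddrinfo for host [b.brokendnssec.net].
[Parent 1: DNS Resolver #2]: D/nsHostResolver DNS lookup thread - lookup completed for host [b.brokendnssec.net]: success.
[Parent 1: Main Thread]: D/nsHostResolver TRR Decode c.brokendnssec.net RCODE 2
[Parent 1: Main Thread]: D/nsHostResolver TRR lookup Complete (1) c.brokendnssec.net FAILED
[Parent 1: Main Thread]: D/nsHostResolver Resolving host [www.cloudflare.com] type 0.
"""

RCODE = re.compile(r"TRR Decode (\S+) RCODE (\d+)")
TRR_DONE = re.compile(r"TRR lookup Complete \((\d+)\) (\S+) FAILED")
NATIVE_CALL = re.compile(r"Calling getaddrinfo for host \[([^\]]+)\]")
NATIVE_DONE = re.compile(r"lookup completed for host \[([^\]]+)\]: (.+?)\.?$")
SERVFAIL = 2  # DNS RCODE 2, what a validating resolver returns for broken DNSSEC


def _verdict(state):
    if not state["trr_failed"]:
        return "trr-ok"
    if state["native"] is None:
        return "trr-only-failure"      # no fallback seen, as in mode 3
    if state["native"] == "resolved":
        return "unvalidated-fallback"  # native resolver accepted the name: check goes red
    if state["native"] == "failed":
        return "failed-on-both"        # native resolver also failed: check goes green
    return "fallback-pending"          # getaddrinfo called, no result logged yet


def classify_fallbacks(log_text):
    """Map each host with a failed TRR lookup to (verdict, saw_servfail)."""
    hosts = defaultdict(lambda: {"rcodes": set(), "trr_failed": set(), "native": None})
    for line in log_text.splitlines():
        line = line.strip()
        if m := RCODE.search(line):
            hosts[m[1]]["rcodes"].add(int(m[2]))
        elif m := TRR_DONE.search(line):
            hosts[m[2]]["trr_failed"].add(int(m[1]))  # query type 1 = A, 28 = AAAA
        elif m := NATIVE_CALL.search(line):
            hosts[m[1]]["native"] = hosts[m[1]]["native"] or "pending"
        elif m := NATIVE_DONE.search(line):
            hosts[m[1]]["native"] = "failed" if m[2].startswith("failure") else "resolved"
    return {h: (_verdict(s), SERVFAIL in s["rcodes"]) for h, s in hosts.items()}


if __name__ == "__main__":
    for host, (verdict, servfail) in classify_fallbacks(SAMPLE_LOG).items():
        print(f"{host}: {verdict} (TRR SERVFAIL: {servfail})")
```

A host reported as `unvalidated-fallback` with a TRR SERVFAIL is the case where the name was resolved without DNSSEC checking.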