Closed Bug 1511643 Opened 11 months ago Closed 11 months ago
DoH enabled ignores local DNS overrides
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0

Steps to reproduce:
Configured a DNS override for a DNS record on the system DNS server and set network.trr.mode to mode 2.

Actual results:
The override is ignored.

Expected results:
The override should be respected.

Some more information: obviously this is because DoH bypasses the configured system DNS servers. However, before DoH is enabled by default this needs to be addressed somehow. A lot of networks use DNS overrides in some way; these would stop working in FF with DoH enabled.
Component: Untriaged → Networking: DNS
Product: Firefox → Core
Priority: -- → P3
Probably dupe of 1453207.
Similar but not the same imo. With the hosts file the computer administrator (user or other) would have actively set the entries. With DNS the computer administrator might not be aware of DoH or DNS overrides on a network. The computer administrator (i.e. user) lacking this knowledge would get undesired results when contacting an address overridden in the local DNS server.
The way I see it, /etc/hosts is more indicative of user choice than local DNS overrides, and we still WONTFIXED bug 1453207. Moreover, it seems impossible to detect "DNS overrides" without actually performing the DNS resolution, which kinda defeats the purpose of DoH/TRR. For enterprise networks, TRR can be disabled via an enterprise policy (bug 1484843), or even better, it could be used to point to a local DoH server. For regular users, bug 1450893 might improve user experience.
Status: UNCONFIRMED → RESOLVED
Closed: 11 months ago
Resolution: --- → WONTFIX
See Also: → 1453207
Does this mean if/when FF adopts DoH enabled by default, support for split-horizon DNS is explicitly dropped?
Another disappointing decision from the Mozilla networking team. The purpose of DOH/TRR is flawed from the beginning and you continue to drive this feature, which _breaks_ the users' privacy and the well-working DNS system, into a Firefox release as default.
(In reply to Machiel from comment #4)
> Does this mean if/when FF adopts DoH enabled by default, support for
> split-horizon DNS is explicitly dropped?

Not necessarily. Split-horizon is most common in enterprise environments, which may be addressed with enterprise policies. For regular users split-horizon is more of a vulnerability than it is a feature. I would personally expect to be able to access the same pages as someone from another country, without my ISP interfering or tracking what I visit.

(In reply to Matthias Versen [:Matti] from comment #5)
> another disappointing decision from the Mozilla networking team.

We're open to technical feedback here, and we'd like to provide a decent alternative to split-horizon cases. But as the issue stands, that is very difficult to do automatically without compromising the privacy properties of DoH.

> The purpose of DOH/TRR is flawed from then beginning and you continue to
> drive this feature which _breaks_ the users privacy

User privacy is very important to us, which is why we are trying to improve it as much as possible. I'm not interested in starting a debate in this bug regarding the pros and cons, but I'm open to discussing it over email if you wish. I'm assuming you're already aware of the pro arguments:
https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
http://bitsup.blogspot.com/2018/05/the-benefits-of-https-for-dns.html
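The two mitigations the thread points at for split-horizon networks are the enterprise policy that disables TRR (bug 1484843) and pointing TRR at a local DoH server. The following is an added illustration, not code from this bug or from Mozilla: it loads a constructed policies.json with the DNSOverHTTPS policy (the Enabled, ProviderURL, Locked and ExcludedDomains keys are the real policy names; ExcludedDomains is assumed from later Firefox policy templates than the version this bug was filed against, and the provider URL and domain names are placeholders) and shows the routing decision an administrator is relying on: names under an excluded internal zone go to the system resolver, everything else goes to TRR, and a disabled policy sends everything to the system resolver. The suffix match is label-based on purpose, so that an exclusion for `corp.example` does not accidentally cover `notcorp.example`.

```python
import json

# Constructed example policies.json for an enterprise that keeps DoH on but
# carves out its split-horizon zones. Key names follow the Firefox
# DNSOverHTTPS enterprise policy; the URL and zone names are placeholders.
POLICIES_JSON = """
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": true,
      "ProviderURL": "https://doh.example-corp.internal/dns-query",
      "Locked": true,
      "ExcludedDomains": ["corp.example", "internal.example"]
    }
  }
}
"""

# Constructed policy for the other option mentioned in the thread: TRR off
# entirely, locked so the user cannot re-enable it from about:preferences.
DISABLED_POLICY = {"Enabled": False, "Locked": True}


def load_doh_policy(text):
    """Return the DNSOverHTTPS policy dict from a policies.json document."""
    return json.loads(text)["policies"].get("DNSOverHTTPS", {})


def _normalize(name):
    # DNS names are case-insensitive; strip a trailing root dot so that
    # "wiki.corp.example." and "WIKI.corp.example" compare equal.
    return name.strip().rstrip(".").lower()


def is_excluded(hostname, excluded_zones):
    """Label-based suffix match: hostname equals a zone or ends in '.' + zone."""
    host = _normalize(hostname)
    for zone in excluded_zones:
        zone = _normalize(zone)
        if host == zone or host.endswith("." + zone):
            return True
    return False


def pick_resolver(hostname, policy):
    """Decide which resolver handles a name under the given policy.

    Returns "system" for the OS-configured DNS (where the local overrides in
    this bug live) or "trr" for DNS over HTTPS via the policy's ProviderURL.
    """
    if not policy.get("Enabled", True):
        return "system"
    if is_excluded(hostname, policy.get("ExcludedDomains", [])):
        return "system"
    return "trr"


if __name__ == "__main__":
    policy = load_doh_policy(POLICIES_JSON)
    for name in ("wiki.corp.example", "notcorp.example", "www.mozilla.org"):
        print(f"{name:20} -> {pick_resolver(name, policy)}")
    print(f"{'www.mozilla.org':20} -> {pick_resolver('www.mozilla.org', DISABLED_POLICY)} (policy disabled)")
```

Running the script shows `wiki.corp.example` routed to the system resolver, `notcorp.example` and `www.mozilla.org` routed to TRR, and everything routed to the system resolver under the disabled policy. The same label-based matching matters for the `ProviderURL` option: if the provider is a local DoH server that itself serves the split-horizon view, no exclusion list is needed, but the host running that server must still be reachable without TRR.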