Open Bug 1540584 Opened 5 years ago Updated 2 months ago

"Proxy DNS when using SOCKS v5" should be greyed out when "Enable DNS over HTTPS" is enabled

Categories

(Firefox :: Settings UI, defect, P3)

66 Branch
defect

People

(Reporter: razvan.ragazan, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [trr])

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0

Steps to reproduce:

Fresh installation of latest Firefox 66.0.2 on both Linux and Windows. No other changes are made.

  1. Firefox is configured to use a remote SOCKS v5 proxy on the same LAN via the "Manual proxy configuration" Network Settings option
  2. "Proxy DNS when using SOCKS v5" is ticked and enabled
  3. "Enable DNS over HTTPS" is also ticked and enabled

Actual results:

I was hoping that combining these two options would mean that DNS requests are sent through to the remote SOCKS proxy and then are carried out using DNS over HTTPS from there, if such a thing is even possible technically speaking.

However, it seems (have confirmed this through looking at about:networking) that instead the DNS request is made via both the remote SOCKS proxy in a traditional manner (i.e. no DNS over HTTPS is used at all) and also via Cloudflare's DNS over HTTPS from Firefox's inbuilt TRR.

I'm presuming that since the remote SOCKS proxy on the same LAN returns a result faster than Cloudflare, the response from it is used rather than the response from Firefox's TRR. Alternatively, it might be that the underlying code ensures the SOCKS proxy DNS response takes precedence over the TRR.

Expected results:

Either:

* implement functionality so that if both "Proxy DNS when using SOCKS v5" and "Enable DNS over HTTPS" options are ticked then the remote SOCKS proxy is forced to process queries remotely through DNS over HTTPS, although I'm not sure whether this is technically feasible

OR, the preferred solution in order to avoid giving people a false sense of security otherwise

* grey out the "Proxy DNS when using SOCKS v5" option once the "Enable DNS over HTTPS" option is selected to ensure the user isn't misled about this and made to believe that he is using DNS over HTTPS through the SOCKS proxy when, in reality, the SOCKS proxy is carrying out normal DNS requests which override the TRR responses

Component: Untriaged → Networking: DNS
Product: Firefox → Core
Blocks: 1434852
Component: Networking: DNS → Preferences
Product: Core → Firefox
Whiteboard: [trr]

Is this something [trr] will triage? Otherwise, what is the intended outcome here?

Flags: needinfo?(valentin.gosu)

(In reply to (behind on needinfos) Jared Wein [:jaws] (please needinfo? me) from comment #1)

> Is this something [trr] will triage? Otherwise, what is the intended outcome here?

[trr] is for bugs related to TRR.
This bug seems to require front-end work in about:preferences

Flags: needinfo?(valentin.gosu)

As someone who works on TRR, do you know what the intended outcome here is? (see the second part of comment 1). Comment 0 proposes two different solutions.

Flags: needinfo?(valentin.gosu)

The second option:

> grey out the "Proxy DNS when using SOCKS v5" option once the "Enable DNS over HTTPS" option is selected to ensure the user isn't misled about this and made to believe that he is using DNS over HTTPS through the SOCKS proxy when, in reality, the SOCKS proxy is carrying out normal DNS requests which override the TRR responses

Or maybe checking the Proxy DNS when using SOCKS v5 option should disable Enable DNS over HTTPS? I think we need some product/UX input here as to the desired behaviour.

Flags: needinfo?(valentin.gosu)

(In reply to Valentin Gosu [:valentin] from comment #4)

> The second option:
>
> > grey out the "Proxy DNS when using SOCKS v5" option once the "Enable DNS over HTTPS" option is selected to ensure the user isn't misled about this and made to believe that he is using DNS over HTTPS through the SOCKS proxy when, in reality, the SOCKS proxy is carrying out normal DNS requests which override the TRR responses
>
> Or maybe checking the Proxy DNS when using SOCKS v5 option should disable Enable DNS over HTTPS? I think we need some product/UX input here as to the desired behaviour.

Thanks, after chatting with Valentin we decided to change these to radio buttons. We will add a new radio button for the default case. It should now look like:

(.) Use system DNS
( ) Proxy DNS when using SOCKS v5
( ) Enable DNS over HTTPS

Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
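
An added example (not part of the bug thread and not Firefox code): a profile audit that maps a `prefs.js`/`user.js` excerpt onto the three radio choices proposed above and flags the combination reported in comment 0. It assumes the checkboxes correspond to the about:config prefs `network.proxy.socks_remote_dns` and `network.trr.mode`, and that TRR modes 2 and 3 count as "DNS over HTTPS enabled"; the sample input is constructed.

```python
import re

# Matches user_pref("name", value); lines as found in a profile's prefs.js or user.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Decode user_pref lines into {name: bool | int | str}."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def dns_choice(prefs):
    """Map a profile onto the three proposed radio choices, or 'conflict'."""
    # Manual proxy configuration (type 1) with a SOCKS host and remote DNS ticked.
    socks_dns = (prefs.get("network.proxy.type") == 1
                 and bool(prefs.get("network.proxy.socks"))
                 and prefs.get("network.proxy.socks_remote_dns", False))
    # Assumption: TRR modes 2 (first) and 3 (only) count as "DoH enabled".
    doh = prefs.get("network.trr.mode", 0) in (2, 3)
    if socks_dns and doh:
        return "conflict"  # the combination this bug reports
    if doh:
        return "doh"
    return "socks" if socks_dns else "system"

# Constructed sample: the reporter's setup (SOCKS host is a placeholder address).
SAMPLE_PREFS = '''
// constructed prefs.js excerpt
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "192.0.2.10");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.trr.mode", 2);
'''

if __name__ == "__main__":
    print(dns_choice(parse_prefs(SAMPLE_PREFS)))
```

A result of `conflict` means both resolution paths are enabled at once, so which one answers a lookup has to be checked in about:networking, as the reporter did.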

Maybe keep both for the case where a fall-back is needed?
I mean, if DNS over HTTPS fails, keep the old DNS over SOCKS.

By the way, in the meantime HTTPS over SOCKS is not working at all. Just filed a new bug.

Severity: normal → S3
Blocks: 1882276