Open Bug 1540584 Opened 6 years ago Updated 3 months ago

"Proxy DNS when using SOCKS v5" should be greyed out when "Enable DNS over HTTPS" is enabled

Categories

(Firefox :: Settings UI, defect, P3)

66 Branch
defect

People

(Reporter: razvan.ragazan, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [trr])

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0

Steps to reproduce:

Fresh installation of latest Firefox 66.0.2 on both Linux and Windows. No other changes are made.

  1. Firefox is configured to use a remote SOCKS v5 proxy on the same LAN via the "Manual proxy configuration" Network Settings option
  2. "Proxy DNS when using SOCKS v5" is ticked and enabled
  3. "Enable DNS over HTTPS" is also ticked and enabled

Actual results:

I was hoping that combining these two options would mean that DNS requests are sent through to the remote SOCKS proxy and then are carried out using DNS over HTTPS from there, if such a thing is even possible technically speaking.

However, it seems (I have confirmed this by looking at about:networking) that instead the DNS request is made both via the remote SOCKS proxy in the traditional manner (i.e. no DNS over HTTPS is used at all) and via Cloudflare's DNS over HTTPS from Firefox's inbuilt TRR.

I'm presuming that since the remote SOCKS proxy on the same LAN returns a result faster than Cloudflare, the response from it is used rather than the response from Firefox's TRR. Alternatively, it might be that the underlying code ensures the SOCKS proxy DNS response takes precedence over the TRR.

Expected results:

Either:

* implement functionality so that if both "Proxy DNS when using SOCKS v5" and "Enable DNS over HTTPS" options are ticked then the remote SOCKS proxy is forced to process queries remotely through DNS over HTTPS, although I'm not sure whether this is technically feasible

OR, the preferred solution in order to avoid giving people a false sense of security otherwise

* grey out the "Proxy DNS when using SOCKS v5" option once the "Enable DNS over HTTPS" option is selected to ensure the user isn't misled about this and made to believe that he is using DNS over HTTPS through the SOCKS proxy when, in reality, the SOCKS proxy is carrying out normal DNS requests which override the TRR responses

Component: Untriaged → Networking: DNS
Product: Firefox → Core
Blocks: 1434852
Component: Networking: DNS → Preferences
Product: Core → Firefox
Whiteboard: [trr]
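A small profile audit, added here as an example (it is not Mozilla's code nor the reporter's), that reads the about:config preferences assumed to back the two checkboxes (network.proxy.socks_remote_dns for "Proxy DNS when using SOCKS v5", network.trr.mode 2 or 3 for "Enable DNS over HTTPS") from a prefs.js/user.js and reports which resolver path the report says will actually be used; the sample user.js is constructed to match steps 1-3.

```python
import re

# Assumed mapping of the two checkboxes to real about:config keys:
#   "Proxy DNS when using SOCKS v5" -> network.proxy.socks_remote_dns (bool)
#   "Enable DNS over HTTPS"         -> network.trr.mode (2 = TRR first, 3 = TRR only)
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')


def parse_prefs(text):
    """Parse user_pref(...) lines from a prefs.js / user.js into a dict."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def audit_dns_path(prefs):
    """Describe which resolver path the profile will use, per this bug's report."""
    socks5 = (prefs.get("network.proxy.type") == 1
              and bool(prefs.get("network.proxy.socks"))
              and prefs.get("network.proxy.socks_version", 5) == 5)
    remote_dns = socks5 and prefs.get("network.proxy.socks_remote_dns", False)
    doh = prefs.get("network.trr.mode", 0) in (2, 3)
    if remote_dns and doh:
        # Per the report: the proxy still does plain DNS and its answer is used,
        # so DoH being enabled gives a false sense of security here.
        return ("MISLEADING: proxy DNS and DoH both set; names are resolved by "
                "the SOCKS proxy as cleartext DNS and that answer is used")
    if remote_dns:
        return "DNS over SOCKS: queries sent to the proxy as plain DNS"
    if doh:
        return "DNS over HTTPS: queries sent to the TRR resolver"
    return "system DNS"


# Constructed sample user.js reproducing steps 1-3 of the report (not a real profile)
SAMPLE_USER_JS = """\
// constructed example
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "192.0.2.10");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.trr.mode", 2);
"""

if __name__ == "__main__":
    print(audit_dns_path(parse_prefs(SAMPLE_USER_JS)))
```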

Is this something [trr] will triage? Otherwise, what is the intended outcome here?

Flags: needinfo?(valentin.gosu)

(In reply to (behind on needinfos) Jared Wein [:jaws] (please needinfo? me) from comment #1)

> Is this something [trr] will triage? Otherwise, what is the intended outcome here?

[trr] is for bugs related to TRR.
This bug seems to require front-end work in about:preferences.

Flags: needinfo?(valentin.gosu)

As someone who works on TRR, do you know what the intended outcome here is? (see the second part of comment 1). Comment 0 proposes two different solutions.

Flags: needinfo?(valentin.gosu)

The second option:

> grey out the "Proxy DNS when using SOCKS v5" option once the "Enable DNS over HTTPS" option is selected to ensure the user isn't misled about this and made to believe that he is using DNS over HTTPS through the SOCKS proxy when, in reality, the SOCKS proxy is carrying out normal DNS requests which override the TRR responses

Or maybe checking the Proxy DNS when using SOCKS v5 option should disable Enable DNS over HTTPS? I think we need some product/UX input here as to the desired behaviour.

Flags: needinfo?(valentin.gosu)

(In reply to Valentin Gosu [:valentin] from comment #4)

> The second option:
>
> grey out the "Proxy DNS when using SOCKS v5" option once the "Enable DNS over HTTPS" option is selected to ensure the user isn't misled about this and made to believe that he is using DNS over HTTPS through the SOCKS proxy when, in reality, the SOCKS proxy is carrying out normal DNS requests which override the TRR responses
>
> Or maybe checking the Proxy DNS when using SOCKS v5 option should disable Enable DNS over HTTPS? I think we need some product/UX input here as to the desired behaviour.

Thanks, after chatting with Valentin we decided to change these to radio buttons. We will add a new radio button for the default case. It should now look like:

(.) Use system DNS
( ) Proxy DNS when using SOCKS v5
( ) Enable DNS over HTTPS

Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3

Maybe keep both for the case where a fall-back is needed?
I mean if DNS over HTTPS fails, keep the old DNS over SOCKS.

By the way, in the meantime HTTPS over SOCKS is not working at all. Just filed a new bug.

Severity: normal → S3

(I was about to file a new bug, but found this one.)
I agree, Proxy DNS when using SOCKS v5 effectively disabling DoH is unexpected. But in my opinion, the fix should be different:

  • Use DNS over HTTPS for most queries. Either "DNS over HTTPS over SOCKS" or "DNS over HTTPS over direct connection" - both options seem secure enough, but the first is kinda more logical, since we're already sending all traffic through a proxy.
  • Use DNS over SOCKS for the rest (e.g. resolution of the DoH host itself or fallback when DoH fails (if enabled)).
  • Use system DNS for queries that can't be executed over SOCKS/HTTPS by definition (e.g. resolution of the SOCKS host itself). And don't silently fall back to system DNS if SOCKS fails.

The general intent here is to minimize cleartext queries, especially through system DNS.

(In reply to Jared Wein [:jaws] (please needinfo? me) from comment #5)

> Thanks, after chatting with Valentin we decided to change these to radio buttons. We will add a new radio button for the default case. It should now look like:
>
> (.) Use system DNS
> ( ) Proxy DNS when using SOCKS v5
> ( ) Enable DNS over HTTPS

DNS over HTTPS is already set in its own section in the Privacy tab.
