WebRTC DNS queries bypass DoH mode 2
Categories
(Core :: Networking: DNS, defect, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox96 | --- | fixed |
People
(Reporter: drno, Assigned: valentin)
References
(Blocks 1 open bug)
Details
(Whiteboard: [trr][secure-proxy][necko-triaged])
Attachments
(10 files)
545.40 KB,
image/png
|
Details | |
908.91 KB,
application/octet-stream
|
Details | |
974.34 KB,
application/octet-stream
|
Details | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review | |
48 bytes,
text/x-phabricator-request
|
Details | Review |
It appears that DNS queries from Firefox WebRTC bypass DNS-over-HTTPS.
Steps to reproduce:
- set TRR mode 2 in about:config
- open on a second device or browser a room on appear.in for example https://appear.in/firefox-doh
- start you preferred network sniffer
- join the same room with you TRR enabled Firefox
- once the call gets established stop you network sniffer and search for DNS queries
Result:
I see in wireshark DNS queries for turnserver.appearin.net
Expected result:
I should NOT see any DNS queries in clear on the wire as they should go over DoH.
This is where the WebRTC searches for the DNS service: https://searchfox.org/mozilla-central/rev/4fbcfe6fecf75d7b828fbebda79a31385f7eab5f/media/mtransport/nriceresolver.cpp#94
Updated•5 years ago
|
Reporter | ||
Comment 1•5 years ago
|
||
Testing in TRR mode 3 shows no DNS queries for turnserver.appearin.net on the wire. Instead I can see it on the about:networking DNS page as a TRR queried entry.
Reporter | ||
Updated•5 years ago
|
Reporter | ||
Comment 2•5 years ago
|
||
Log file from TRR mode 3
Reporter | ||
Comment 3•5 years ago
|
||
Log from running in TRR mode 2.
Strangely the logs suggests that turnserver.appearin.net gets resolved via TRR. And about:networking#dns claims the same. But tcpdump shows DNS queries in the clear on the wire at the same time.
Notably the only query in clear on the wire is for turnserver.appearin.net, which is the only DNS entry which gets resolved from the WebRTC code (other entries like signal.appear.in etc don't get resolved by WebRTC, but by DOM).
Updated•5 years ago
|
Reporter | ||
Comment 4•5 years ago
|
||
WebRTC uses Necko to resolve DNS, see description for a link where it looks up the DNS resolver service via XPcom. Thus I don't think this a WebRTC issue, but a Necko issue.
Updated•5 years ago
|
Comment 5•5 years ago
|
||
So DoH mode 2 means that we're supposed to try DoH, and if that fails, fall back to DNS in the clear. I'm guessing that means that DoH is failing on turnserver.appearin.net for some reason?
Assignee | ||
Updated•3 years ago
|
Assignee | ||
Comment 6•3 years ago
|
||
Unsure why we haven't looked at the logs until now.
What seems to be happening is:
We do separate A and AAAA resolutions for turnserver.appearin.net
.
TRR for A succeeds, but TRR for AAAA fails, so we fallback to native DNS. Native DNS for AAAA also fails (afaict from the log).
Not sure exactly why wireshark shows both A and AAAA requests. We shouldn't be leaking the A at all. Maybe it's a quirk of getaddrinfo.
Assignee | ||
Comment 7•3 years ago
|
||
Assignee | ||
Comment 8•3 years ago
|
||
It's nicer to destructure the response using
let {inRecord, inStatus} = await new TRRDNSListener(...)
instead of
let [,inRecord,inStatus] = await new TRRDNSListener(...)
Depends on D129507
Assignee | ||
Comment 9•3 years ago
|
||
The order in which we send A/AAAA requests is unspecified.
This test assumed the A request is always first. If we change that logic,
then the variable ends up != 0 on the second request, so we don't get the
proper response anymore.
This patch changes the server handler so it returns the proper response
after decoding the request packet.
Depends on D130042
Assignee | ||
Comment 10•3 years ago
|
||
Depends on D130043
Assignee | ||
Comment 11•3 years ago
|
||
Depends on D130044
Assignee | ||
Comment 12•3 years ago
|
||
Because trr_test_setup() sets network.dns.native-is-localhost
to true and
the test expects donotexist.example.com
to fail to resolve, the test
seems to always fail.
We need to clear the pref after calling trr_test_setup.
Depends on D130045
Assignee | ||
Comment 13•3 years ago
|
||
Normally DNS resolutions are AF_UNSPEC - meaning that both A and AAAA
responses are acceptable.
However, some consumers of the DNS API will query A or AAAA separately
(like the WebRTC code), and use the responses independently.
In that case, we want to ensure that for a host that only has a A record,
we don't fallback to Do53 for the AAAA request and leak the hostname to
the system resolver.
To achieve this we change the logic as such:
If the response from DoH was NXDOMAIN we then query the other family.
If the other response was OK, that means we should not fallback to Do53.
If the other family response was also NXDOMAIN, the host is probably not
available to the public internet and falling back is probably fine.
Depends on D130046
Comment 14•3 years ago
|
||
Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/d948fe16b8b0 Test r=necko-reviewers,dragana https://hg.mozilla.org/integration/autoland/rev/ecbfa0721168 Improve awaiting new TRRDNSListener by returning an object r=necko-reviewers,kershaw https://hg.mozilla.org/integration/autoland/rev/f392ebf40d2a Make test_trr/test_odoh::test_CNAME not be dependent on A/AAAA order r=necko-reviewers,kershaw https://hg.mozilla.org/integration/autoland/rev/b674d5f15f60 Split DispatchByType into different method r=necko-reviewers,kershaw https://hg.mozilla.org/integration/autoland/rev/24f76460c44b Fix lint warning r=necko-reviewers,kershaw https://hg.mozilla.org/integration/autoland/rev/dc39d8837aae Fix test_dns_retry r=necko-reviewers,kershaw https://hg.mozilla.org/integration/autoland/rev/1d0f667507f4 A or AAAA TRR request should not fallback to Do53 if there is a record for the other family r=nhnt11
Comment 15•3 years ago
|
||
Backed out for causing build bustages at Logging.h.
Backout link: https://hg.mozilla.org/integration/autoland/rev/e7fe2ba2732075fbe0cc00f4c519a3b78bb47547
Failure log: https://treeherder.mozilla.org/logviewer?job_id=357535195&repo=autoland&lineNumber=71995
Comment 16•3 years ago
|
||
Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/22c9dea31b17 Test r=necko-reviewers,dragana https://hg.mozilla.org/integration/autoland/rev/6f9ef895fcd5 Improve awaiting new TRRDNSListener by returning an object r=necko-reviewers,kershaw https://hg.mozilla.org/integration/autoland/rev/f7c65c2a3f10 Make test_trr/test_odoh::test_CNAME not be dependent on A/AAAA order r=necko-reviewers,kershaw https://hg.mozilla.org/integration/autoland/rev/bb9308bbc58c Split DispatchByType into different method r=necko-reviewers,kershaw https://hg.mozilla.org/integration/autoland/rev/ecb0bd5abbe2 Fix lint warning r=necko-reviewers,kershaw https://hg.mozilla.org/integration/autoland/rev/77a7ffeccacc Fix test_dns_retry r=necko-reviewers,kershaw https://hg.mozilla.org/integration/autoland/rev/20801f57aea1 A or AAAA TRR request should not fallback to Do53 if there is a record for the other family r=nhnt11
Comment 17•3 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/22c9dea31b17
https://hg.mozilla.org/mozilla-central/rev/6f9ef895fcd5
https://hg.mozilla.org/mozilla-central/rev/f7c65c2a3f10
https://hg.mozilla.org/mozilla-central/rev/bb9308bbc58c
https://hg.mozilla.org/mozilla-central/rev/ecb0bd5abbe2
https://hg.mozilla.org/mozilla-central/rev/77a7ffeccacc
https://hg.mozilla.org/mozilla-central/rev/20801f57aea1
Assignee | ||
Updated•3 years ago
|
Updated•2 years ago
|
Description
•