Closed Bug 1580551 Opened 5 years ago Closed 5 years ago

DoH fails over to legacy DNS if DoH response is 0.0.0.0

Categories

(Core :: Networking: DNS, defect)

Product:
Core
Component:
Networking: DNS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1649142
Tracking Flags:
Tracking Status
firefox69 --- affected
firefox70 --- affected
firefox71 --- affected

People

(Reporter: yegors, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36

Steps to reproduce:

  1. Setup a DoH server that filters domains (ads for example) and responds with 0.0.0.0 when those records are resolved
  2. Configure the DoH server with trr.mode = 2
  3. Resolve an ad domain

Actual results:

The DNS query reached the DoH resolver, but the response was ignored. The domain resolved through the OS configured "legacy" resolver instead.

Expected results:

DoH response should have been used, since it was valid. If using trr.mode = 3, no such problem.

Hi Yegor,

Could you share a URL with us so that we may replicate this bug, please?

Thanks in advance, Flor.

Flags: needinfo?(yegors)

I don't have a public endpoint, as it's currently internal only. I'll have something public in a few days.

However, you can reproduce it with any DoH server that blocks ads, for example: https://blahdns.com/

Then go on popads.net or exoclick.com. In trr=3 mode, they don't load. In trr=2 mode, they do.

Flags: needinfo?(yegors)

Hi Yegor,

With the help of this page (https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-firefox/) and the ones you gave me I was able to reproduce the bug on Windows 10 on the following versions:

Release 69.0 (64-bit), Nightly 71.0a1 (2019-09-19) (64-bit) and Beta 70.0b3 (64-bit).

I've chosen a component. If you consider that there's another component that's more proper for this case you may change it.

Best regards, Flor.

Status: UNCONFIRMED → NEW
status-firefox69: --- → affected
status-firefox70: --- → affected
status-firefox71: --- → affected
Component: Untriaged → Networking: DNS
Ever confirmed: true
Product: Firefox → Core
See Also: → 1540618
Version: 70 Branch → Trunk

(In reply to Yegor from comment #2)

I don't have a public endpoint, as it's currently internal only. I'll have something public in a few days.

However, you can reproduce it with any DoH server that blocks ads, for example: https://blahdns.com/

Then go on popads.net or exoclick.com. In trr=3 mode, they don't load. In trr=2 mode, they do.

TRR mode 2 intentionally falls back to regular DNS if:

  1. The DoH request failed (or returned NXDOMAIN, SERVFAIL or RFC1918 IPs/etc )
  2. Connecting to that IP fails -> we do another with regular DNS and connect to that one.

There's a certain overlap with bug 1525854 here - I suggest you watch that one, as it will open up the possibility for a DoH server to specify why you shouldn't fall back to DNS.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX
See Also: → 1525854

In case of SERVFAIL I can understand this behavior, however NXDOMAIN/RFC1918 doesn't make sense. This is a valid response from the DNS server configured by the user, especially if you're using a filtering/internal DNS server. The failover should only happen if:

DoH server is unreachable OR DoH server is reachable but inoperable. In all other cases it defeats the point of using DoH (in trr mode 2).

(In reply to Yegor from comment #5)

In case of SERVFAIL I can understand this behavior, however NXDOMAIN/RFC1918 doesn't make sense. This is a valid response from the DNS server configured by the user, especially if you're using a filtering/internal DNS server. The failover should only happen if:

DoH server is unreachable OR DoH server is reachable but inoperable. In all other cases it defeats the point of using DoH (in trr mode 2).

There are other cases which the DoH server is incapable of handling, which result in NXDOMAIN, such as a DNS suffix, you adding entries to /etc/hosts and many others.
RFC1918 is currently preffable - network.trr.allow-rfc1918 - a regular user who is using a DoH server outside their network normally would not receive RFC1918 addresses.

(In reply to Yegor from comment #5)

DoH server is unreachable OR DoH server is reachable but inoperable. In all other cases it defeats the point of using DoH (in trr mode 2).

Oh, and there's also the point of split horizon - where an IP you get from a remote resolver is different than the one you get from the local one, in which case the first IP may not work.
As with every engineering topic, there are trade-offs to be made. In this case mode 2 gives you a decent balance between compat and privacy, while mode 3 gives you full privacy but with compat risks.

TRR as a feature will evolve over time, so we'll eventually be able to cut away at those compromises.

It looks like this was fixed in bug 1648142

Duplicate of bug: 1649142
Resolution: WONTFIX → DUPLICATE
See Also: → 1648147
You need to log in before you can comment on or make changes to this bug.