TRR: Canary domain not respected
Categories: Core :: Networking: DNS, defect
People: Reporter: machiel.van.veen, Unassigned
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
Steps to reproduce:
The domain use-application-dns.net has been configured on our internal dns server to return the NXDOMAIN status.
$ dig use-application-dns.net
; <<>> DiG 9.10.3-P4-Ubuntu <<>> use-application-dns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57263
The network.trr.mode in FF is 2. I ran a tcpdump to capture the queries, Firefox does not seem to attempt to resolve use-application-dns.net nor does it respect it and uses DoH anyway.
Actual results:
Our split-horizon DNS configuration breaks in Firefox: local subdomains do not resolve, or resolve to the wrong IP address, in FF, and requests are leaked to Cloudflare by FF.
Expected results:
Firefox should check for use-application-dns.net and disable DoH when the DNS server returns the NXDOMAIN status as documented.
https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
Hi Machiel,
The check for the canary domain is part of the DoH add-on which will be rolled out to US Firefox users later this month.
Comment 2•5 years ago
Please REOPEN if it's not respected after roll out
I've tested with the addon installed, it still does not check for the canary domain. We need to test before the roll out, it is documented as implemented. If I'm correct roll out for the test was announced to start this week.
DoH is a breaking feature for FF browsers on our network, our users won't be able to access their email, files and other applications. We cannot afford to wait and see if it works after roll out if or when that happens.
Comment 4•5 years ago
Machiel, could you describe the reproduction steps with the add-on? Which version of the addon did you use?
Note that the purpose of the add-on is to enable DoH for users who satisfy both of the following conditions:
- are in the US
- have not made a choice to enable/disable DoH by themselves.
(2) means the addon only affects users with network.trr.mode == 0. If you set it to anything other than 0 before the addon is installed, it will not change your setting, because we respect users' choice. That means if you don't want DoH on your network, you can set network.trr.mode = 5 and the rollout will not affect you at all.
The addon version is 0.7; I did not test from the US.
- Reset the browser user profile and launch Firefox
- Download and install the doh-rollout addon https://bugzilla.mozilla.org/show_bug.cgi?id=1573840
- Close Firefox
- Capture all DNS traffic
- Open Firefox and a website
- Check the captured DNS traffic for the resolution attempt of use-application-dns.net
- Check the bind logs for use-application-dns.net
(2) We do not control all devices on our networks (BYOD), and our users do expect all browsers to work within reason. We recommend FF to our users as it is the best option, so it is mainly used. However, because of split-horizon DNS, using DoH breaks local web services on our network. For this we need to make sure FF is working as documented regarding the canary domain use-application-dns.net on our network.
Right now we don't have users permanently in the US.
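The reproduction steps above boil down to two checks on the network side: confirm that the local resolver really answers NXDOMAIN for the canary domain, and confirm whether the client under test ever asked the resolver for it. The script below is an added example, not code from the bug or from Mozilla's add-on; it parses the dig header line shown in the report and BIND's default query-log line format (assumed here; adjust the regex for other resolvers), using constructed sample log lines in which client 10.0.0.5 never queries the canary domain while client 10.0.0.7 does.

```python
"""Check a resolver's canary-domain answer and look for client lookups of it."""
import re
from typing import List, Optional, Tuple

CANARY = "use-application-dns.net"

# dig header line as it appears in the report:
# ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57263
DIG_HEADER = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")

# BIND query-log line (assumed default format; newer versions add "@0x..." after "client"):
# ... client 10.0.0.5#51234 (example.internal): query: example.internal IN A + (10.0.0.1)
BIND_QUERY = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]+)\): query: (?P<name>\S+) IN (?P<type>\S+)"
)

# Constructed sample data (not captured from the reporter's network).
SAMPLE_DIG = """\
; <<>> DiG 9.10.3-P4-Ubuntu <<>> use-application-dns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57263
"""

SAMPLE_LOG = [
    "13-Sep-2019 10:12:03.101 client 10.0.0.5#51234 (mail.example.internal): "
    "query: mail.example.internal IN A + (10.0.0.1)",
    "13-Sep-2019 10:12:03.150 client 10.0.0.5#51235 (mail.example.internal): "
    "query: mail.example.internal IN AAAA + (10.0.0.1)",
    "13-Sep-2019 10:12:09.220 client 10.0.0.7#40001 (use-application-dns.net): "
    "query: use-application-dns.net IN A + (10.0.0.1)",
    "13-Sep-2019 10:12:09.221 client 10.0.0.7#40002 (use-application-dns.net): "
    "query: use-application-dns.net IN AAAA + (10.0.0.1)",
]


def dig_status(dig_output: str) -> Optional[str]:
    """Return the RCODE (e.g. NXDOMAIN) from a dig header line, or None if absent."""
    for line in dig_output.splitlines():
        m = DIG_HEADER.match(line.strip())
        if m:
            return m.group(2)
    return None


def canary_queries(log_lines: List[str], client: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (client, qtype) pairs for every logged query of the canary domain.

    If `client` is given, only that client's queries are returned.
    """
    hits = []
    for line in log_lines:
        m = BIND_QUERY.search(line)
        if not m:
            continue
        if m.group("name").rstrip(".").lower() != CANARY:
            continue
        if client is not None and m.group("client") != client:
            continue
        hits.append((m.group("client"), m.group("type")))
    return hits


def assess(dig_output: str, log_lines: List[str], client: str) -> dict:
    """Combine both checks for one client under test."""
    hits = canary_queries(log_lines, client)
    return {
        "resolver_signals_opt_out": dig_status(dig_output) == "NXDOMAIN",
        "client_checked_canary": bool(hits),
        "types_seen": sorted({qtype for _, qtype in hits}),
    }


if __name__ == "__main__":
    for host in ("10.0.0.5", "10.0.0.7"):
        print(host, assess(SAMPLE_DIG, SAMPLE_LOG, host))
```

Run it against a real `dig` capture and the resolver's query log to separate the two failure modes the thread discusses: a resolver that does not actually return NXDOMAIN, versus a client that never performs the lookup at all.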