DoH leak in firefox
Categories: Core :: Networking: DNS, defect
People: Reporter: hackurx, Unassigned
Details: Keywords: reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?]
I just found out that DoH activation leaks requests that should have stayed in the local network and never passed through the internet router.
It's easy to see this with about:networking#dnslookuptool
Test one domain name present in your /etc/hosts with/without DoH enabled.
Imagine in the same network:
- 1 trusted client (with the local IP address and domain name of the web server given in the hosts file)
- 1 trusted web server
- 1 suspicious internet router
Without DoH, the client's request will be transmitted directly to the web server.
With DoH, the client's requests will be forwarded by the router to the web server if there is a public registration of the domain name! The DoH server and the internet router got requests they should never have gotten. The system administrator will be fooled because for him the hosts file always has priority...
Conclusion: the activation of DoH in Firefox leaks requests from the local network.
Solution: The hosts file must be read and prioritized even if DoH is enabled.
Tested with Firefox 68.3.0esr (64-bit) on Debian 10.
The "Security" mailing list has been informed.
Thanks.
Comment 1•5 years ago
We know about this issue and have an (open) bug for this already on file. As a workaround you can add exceptions for hosts that are in the hosts file in about:config with the network.trr.excluded-domains pref.
Comment 2•5 years ago
Can't you link this preference to the hosts file? (So that would be the default behavior.)
The security team recommends using http://use-application-dns.net/ but it does not work because the file browser/extensions/doh-rollout/heuristics.js is not present in Firefox ESR.
Comment 3•5 years ago
(In reply to hackurx from comment #2)
> Can't you link this preference to the hosts file? (So that would be the default behavior.)
We will work on automatically excluding domains from a hosts file, but that will take some time (each OS is different and the work needs to be scheduled first).
You could fill the pref with the content of the hosts file yourself.
> The security team recommends using http://use-application-dns.net/ but it does not work because the file browser/extensions/doh-rollout/heuristics.js is not present in Firefox ESR.
You do not need to change Firefox for this. You will need to configure your local DNS to return NXDOMAIN or just an empty response for http://use-application-dns.net/. If we do not receive an IP address for http://use-application-dns.net/, DoH will be automatically disabled.
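The workaround in comment 1 and comment 3 is to copy every name from the hosts file into network.trr.excluded-domains; any name left out is still sent to the DoH resolver. The script below is an added example (not code from the bug report or from Firefox) that parses a hosts file and emits the pref value. It assumes the pref accepts a comma-separated list of domain names and that the hosts file uses the standard "address name [alias ...]" layout with "#" comments; the sample hosts content is constructed for the example.

```python
"""Build a network.trr.excluded-domains value from a hosts file.

Added example for the workaround described in the comments above; it is
not part of Firefox. Assumes the pref takes a comma-separated list of
names (an assumption about the pref format, not stated on the page).
"""
import sys
from pathlib import Path

# Loopback and IPv6 boilerplate names that every hosts file carries; listing
# them would be harmless but only adds noise to the pref.
SKIP = {
    "localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
    "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
    "ip6-allhosts", "broadcasthost",
}


def parse_hosts(text):
    """Return the hostnames declared in hosts-file text, in order, de-duplicated.

    Every alias on a line counts: a name that is only present as an alias
    would otherwise still go to the DoH resolver.
    """
    names = []
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no name is not an entry
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in SKIP or name in seen:
                continue
            seen.add(name)
            names.append(name)
    return names


def excluded_domains_pref(text):
    """Comma-separated value to paste into about:config."""
    return ",".join(parse_hosts(text))


def user_js_line(text):
    """The same value as a user.js line, for deployment to many profiles."""
    return 'user_pref("network.trr.excluded-domains", "%s");' % excluded_domains_pref(text)


# Constructed sample hosts file modelled on the scenario in the report:
# a trusted web server on the LAN whose name may also be registered publicly.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
# trusted web server on the LAN
192.168.1.10  intranet.example.com   www.intranet.example.com
192.168.1.10  intranet.example.com   # repeated entry, must not repeat in the pref
10.0.0.5    git.example.com
"""

if __name__ == "__main__":
    # Pass a real hosts file path (e.g. /etc/hosts) or run with the sample.
    src = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_HOSTS
    print(user_js_line(src))
```

Regenerate the value whenever the hosts file changes; the pref is a static snapshot, which is exactly why comment 3 treats this as a stopgap until Firefox reads the hosts file itself.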
> You do not need to change Firefox for this. You will need to configure your local DNS to return NXDOMAIN or just an empty response for http://use-application-dns.net/. If we do not receive an IP address for http://use-application-dns.net/, DoH will be automatically disabled.
The check of the canary domain use-application-dns.net does not exist in Firefox 68 (run "grep -r use-application-dns.net" on the source code and you will see that it doesn't exist), because the file browser/extensions/doh-rollout/heuristics.js is not present in Firefox ESR.
What bothers me is that DoH is present in version 68 ESR despite the fact that it's still an experimental feature with a lot of unresolved security issues.
Thank you.