Closed Bug 1612352 Opened 2 years ago Closed 2 years ago

TRR: Whitelist individual domains via enterprise policy

Categories

(Firefox :: Enterprise Policies, enhancement, P3)

Desktop
All
enhancement

Tracking


VERIFIED FIXED
Firefox 75
Tracking Status
relnote-firefox --- 75+
firefox-esr68 --- verified
firefox75 --- verified
firefox76 --- verified

People

(Reporter: valentin, Assigned: mkaply)

Details

(Whiteboard: [trr])

Attachments

(1 file)

Type: defect → enhancement
Priority: -- → P3

This is not exposed via Firefox UI, correct?

Is excluded domains actually domains (foo.com) or origins (http://foo.com and https://foo.com)?

Do you think just adding ExcludedDomains to that policy is the right thing to do?

(In reply to Mike Kaply [:mkaply] from comment #1)

> This is not exposed via Firefox UI, correct?

That is correct. We expect to have some UI for it in Firefox 75 or 76.

> Is excluded domains actually domains (foo.com) or origins (http://foo.com and https://foo.com)?

It's a comma-separated list of domains: foo.com,sub.example.com

> Do you think just adding ExcludedDomains to that policy is the right thing to do?

Are there any arguments against it?

> Do you think just adding ExcludedDomains to that policy is the right thing to do?
>
> Are there any arguments against it?

Sorry. I phrased that poorly. It was a naming question. Do you think saying "ExcludedDomains" is clear?

(In reply to Mike Kaply [:mkaply] from comment #3)

> > Do you think just adding ExcludedDomains to that policy is the right thing to do?
> >
> > Are there any arguments against it?
>
> Sorry. I phrased that poorly. It was a naming question. Do you think saying "ExcludedDomains" is clear?

I think so. I can't think of another name that would be more explicit.

Assignee: nobody → mozilla
Status: NEW → ASSIGNED
Pushed by mozilla@kaply.com:
https://hg.mozilla.org/integration/autoland/rev/60eec8186c8d
Allow domains to be excluded from DOH via policy. r=valentin
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 75

Release Note Request (optional, but appreciated)
[Why is this notable]: This is a notable feature for enterprise use of TRR.
[Affects Firefox for Android]: No
[Suggested wording]: Enterprise policies may be used to exclude domains from being resolved via TRR (Trusted Recursive Resolver) using DNS over HTTPS
[Links (documentation, blog post, etc)]: https://wiki.mozilla.org/Trusted_Recursive_Resolver#network.trr.excluded-domains

relnote-firefox: --- → ?

I'll be adding this to the policy documentation when it is released.

Thanks Mike!

Comment on attachment 9126893 [details]
Bug 1612352 - Allow domains to be excluded from DOH via policy. r?valentin

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Policy only change
  • User impact if declined: Administrators can't exclude domains from DOH
  • Fix Landed on Version: 75
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Modifies existing policy.
  • String or UUID changes made by this patch:
Attachment #9126893 - Flags: approval-mozilla-esr68?

Comment on attachment 9126893 [details]
Bug 1612352 - Allow domains to be excluded from DOH via policy. r?valentin

doh policy update, approved for 68.7esr

Attachment #9126893 - Flags: approval-mozilla-esr68? → approval-mozilla-esr68+
Flags: qe-verify+
QA Whiteboard: [qa-triaged]

Can you please explain how to verify this bug correctly and completely? Thank you!

Flags: needinfo?(mozilla)

Sure.

Add a new policy via JSON:

{
  "policies": {
    "DNSOverHTTPS": {
      "ExcludedDomains": ["example.com", "example.org"]
    }
  }
}

After restarting, check in about:preferences and verify the domains in

network.trr.excluded-domains

Flags: needinfo?(mozilla)

You can now whitelist individual domains via enterprise policy on Nightly v76.0a1, Beta v75.0b4 and ESR v68.7.0esr on Windows 10 and Ubuntu 18.04.

Steps:

  1. Create a folder named "distribution" in the installation folder of the browser.

  2. Inside the "distribution" folder, create a policies.json file with the following data:

{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": true,
      "ExcludedDomains": ["youtube.com", "reddit.com"]
    }
  }
}

  3. Open browser.

Expected:

  4. Go to about:policies and check whether "youtube.com" and "reddit.com" are now excluded domains as set in the JSON file.
  5. Go to about:config, search for "network.trr.excluded-domains" and check whether "youtube.com" and "reddit.com" appear as values.
  6. Go to about:config, search for "network.trr.mode" and check whether it has value 2.
  7. Go to about:networking#dns; the "youtube.com" and "reddit.com" domains have "false" in the TRR column.

I have also verified that the prefs can be locked with the following JSON:
{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": true,
      "ExcludedDomains": ["youtube.com", "reddit.com"],
      "Locked": true
    }
  }
}
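An added Python helper, not from the bug or from Firefox itself, for checking a policies.json like the ones above before it is rolled out: it pulls out ExcludedDomains, flags entries that are origins, paths or wildcards rather than the bare domains the thread settled on, and derives the comma-separated network.trr.excluded-domains value an administrator should then see in about:config. The is_excluded helper assumes that a listed domain also covers its subdomains; the sample policy is constructed.

```python
import json
import re

# Constructed sample policies.json, modelled on the ones used in the verification steps.
SAMPLE_POLICY = """{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": true,
      "ExcludedDomains": ["example.com", "example.org"],
      "Locked": true
    }
  }
}"""

# A bare hostname: dot-separated labels of letters, digits and hyphens, no scheme,
# port, path or wildcard. Origins such as https://example.com fail on purpose.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(r"^" + _LABEL + r"(\." + _LABEL + r")*$")


def _normalize(domain):
    return domain.lower().strip(".")


def excluded_domains(policy_text):
    """Return the ExcludedDomains list from a policies.json document, or [] if absent."""
    doc = json.loads(policy_text)
    doh = doc.get("policies", {}).get("DNSOverHTTPS", {})
    return list(doh.get("ExcludedDomains", []))


def invalid_entries(domains):
    """Entries that are not plain domains and so would not fit the comma-separated pref."""
    return [d for d in domains if not _DOMAIN_RE.match(_normalize(d))]


def pref_value(domains):
    """The value network.trr.excluded-domains should hold once the policy is applied."""
    return ",".join(_normalize(d) for d in domains)


def is_excluded(host, domains):
    """Assumption: a listed domain also excludes its subdomains from TRR."""
    host = _normalize(host)
    return any(host == d or host.endswith("." + d) for d in map(_normalize, domains))
```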

Status: RESOLVED → VERIFIED
Flags: qe-verify+
OS: Unspecified → All
Hardware: Unspecified → Desktop