Current TRR mode 3 implementation disrespects DNS based content filtering
Categories: Core :: Networking: DNS, enhancement, P3
People: Reporter: sam.hall, Unassigned
References: Blocks 1 open bug
Whiteboard: [necko-triaged][trr][mode3]
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.131 Safari/537.36
Steps to reproduce:
I'm using CleanBrowsing Family Filter service for blocking adult content. It seems impossible to force-disable DoH support in Firefox now simply via my router. DNS based internet filtering was a very cheap/simple and effective way for parents and schools to protect kids from adult content on the internet. Mozilla's own KB page lists this type of filtering technique as "most reliable", but DoH seems to have defeated this option... http://kb.mozillazine.org/Parental_controls
Actual results:
Due to DoH and the TRR mode 3 implementation in its current state, it's too easy to bypass such a filter if you can run Firefox on the network. Support documentation from Mozilla recommends that Windows 10 kids get a Microsoft Account with family features enabled... https://support.mozilla.org/en-US/kb/block-and-unblock-websites-parental-controls-firef
Our kids don't have such Microsoft Accounts and we have no desire to create them, so I can't confirm if the TRR mode 3 implementation respects Windows 10 family features. I only know that my local DNS based filter is disrespected by Firefox with just a couple of about:config changes in the current version.
Expected results:
Provide a way for the network to well and truly insist that the DNS filter be respected. I don't believe the mode 3 option should have been available in a release yet, even without the GUI it's just too easy to get to.
What's the current recommended solution from Mozilla for schools and parents now? From my point of view, application blacklist for binaries that look like Firefox or any software signed by Mozilla Corporation on all devices on my network seems like the option that would provide the best return on investment for this problem if Mozilla don't take it seriously. It's also such a hassle for families and schools that have very little if any in the way of device management software/skills to manage this kind of solution.
Comment 1•5 years ago
Thanks for the report. This is of course an issue we are concerned about, and we are actively working to mitigate these concerns.
(In reply to Sam Hall from comment #0)
> Expected results:
> Provide a way for the network to well and truly insist that the DNS filter be respected. I don't believe the mode 3 option should have been available in a release yet, even without the GUI it's just too easy to get to.
First there is the canary domain - specifying this on your router would prevent Firefox from automatically enabling TRR for computers in your network.
> What's the current recommended solution from Mozilla for schools and parents now? From my point of view, application blacklist for binaries that look like Firefox or any software signed by Mozilla Corporation on all devices on my network seems like the option that would provide the best return on investment for this problem if Mozilla don't take it seriously. It's also such a hassle for families and schools that have very little if any in the way of device management software/skills to manage this kind of solution.
If you have control of devices in your network you ought to be able to use the Enterprise policies to specify a custom DoH server or to disable DoH support completely.
Otherwise, you could look into http://kb.mozillazine.org/Locking_preferences in order to lock the network.trr.mode pref to 0 or 5 (5 - off by choice).
Providing a network level override for this feature is tricky, because it might be used in scenarios where you definitely don't want the network to override your preference (such as an open coffeeshop network), but we're always open to discussing technical suggestions.
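The two device-side controls named in this comment (an enterprise policy that disables and locks DoH, and a locked network.trr.mode pref) are what an administrator auditing an unmanaged profile needs to check for. The script below is an added example, not Firefox or Mozilla code: it parses a profile's prefs.js/user.js lines (and lockPref lines from an autoconfig file), reads a policies.json, and reports whether TRR is active, whether it is DoH-only (mode 3), and whether policy locks it off. The DNSOverHTTPS policy keys Enabled and Locked are the ones Firefox's enterprise policies use; the sample pref lines, the unlocked policy and the doh.example.invalid resolver URL are constructed for illustration.

```python
"""Audit helper for Firefox DoH posture (added example, not Mozilla code).
Parses prefs.js / user.js / autoconfig pref lines plus a policies.json and
reports whether TRR is on, DoH-only, or locked off by policy."""
import json
import re

# Firefox writes profile prefs as:   user_pref("network.trr.mode", 3);
# autoconfig files use pref()/lockPref(); the regex accepts all three forms.
PREF_RE = re.compile(
    r'^\s*(?:user_pref|lockPref|pref)\("([^"]+)",\s*(.+?)\);\s*$', re.M)

# TRR modes as described in this bug: 0 = default/off, 2 = DoH with fallback
# to the network resolver, 3 = DoH only (no fallback), 5 = off by choice.
DOH_MODES = {2, 3}


def parse_prefs(text):
    """Return {name: value} for every pref line, coercing bool/int/str."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def policy_locks_doh_off(policies_json):
    """True when policies.json carries DNSOverHTTPS {Enabled: false, Locked: true}.
    Without Locked, the policy only sets a default the user can override."""
    try:
        pol = json.loads(policies_json)["policies"]["DNSOverHTTPS"]
    except (KeyError, TypeError, ValueError):
        return False
    return pol.get("Enabled") is False and pol.get("Locked") is True


def audit_profile(prefs_text, policies_json=None):
    """Summarise one profile's DoH posture; a policy lock overrides the file."""
    prefs = parse_prefs(prefs_text)
    mode = prefs.get("network.trr.mode", 0)
    locked = policy_locks_doh_off(policies_json) if policies_json else False
    return {
        "mode": mode,
        "doh_active": mode in DOH_MODES and not locked,
        "doh_only": mode == 3 and not locked,
        "resolver": prefs.get("network.trr.uri", ""),
        "locked_off": locked,
    }


def lock_doh_off_policy():
    """policies.json content an admin can deploy to disable and lock DoH."""
    return json.dumps(
        {"policies": {"DNSOverHTTPS": {"Enabled": False, "Locked": True}}},
        indent=2)


# --- constructed sample inputs (not from any real profile) -----------------
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://doh.example.invalid/dns-query");
'''
# Enabled:false without Locked:true -- about:config can still turn TRR back on
SAMPLE_UNLOCKED_POLICY = '{"policies": {"DNSOverHTTPS": {"Enabled": false}}}'

if __name__ == "__main__":
    print("profile alone:       ", audit_profile(SAMPLE_PREFS))
    print("with unlocked policy:", audit_profile(SAMPLE_PREFS, SAMPLE_UNLOCKED_POLICY))
    print("with locked policy:  ", audit_profile(SAMPLE_PREFS, lock_doh_off_policy()))
```

The mozillazine locking approach linked above amounts to a `lockPref("network.trr.mode", 5);` line in an autoconfig file, which parse_prefs also reads. Note that neither check says anything about a copy of Firefox run from a location the policy does not cover, which is the gap the reporter is describing.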
It's the unmanaged Firefox clients that I'm concerned about. Without much effort an unprivileged user can usually find a way to run a copy of Firefox. From there it's relatively simple to force-enable DoH, bypassing any attempts at setting network or device policies. On the other hand, it's difficult for the owner of both the device and the network to prevent a Firefox client from using DoH.
A responsible implementation may perhaps be to split part of this functionality into a separate product that requires Admin on the device and only then enables/provides DoH to Firefox. That would at least respect the device owner's preferences on this matter by default. It could also provide a localhost DNS server. That way all kinds of Internet traffic can benefit, not just Firefox.
Comment 3•5 years ago
(In reply to Sam Hall from comment #2)
> It's the unmanaged Firefox clients that I'm concerned about. Without much effort an unprivileged user can usually find a way to run a copy of Firefox. From there it's relatively simple to force-enable DoH, bypassing any attempts at setting network or device policies. On the other hand, it's difficult for the owner of both the device and the network to prevent a Firefox client from using DoH.
It's just as easy now to set up a proxy which is actually more powerful in bypassing filters than DoH only.
> A responsible implementation may perhaps be to split part of this functionality into a separate product that requires Admin on the device and only then enables/provides DoH to Firefox. That would at least respect the device owner's preferences on this matter by default.
This is a valid suggestion, if your only concern is parental controls. But this feature is supposed to improve privacy in a large number of situations, and restricting it to users with Admin privileges seems like overkill. Not to mention that people should not actually run Firefox with Admin privileges.
> It could also provide a localhost DNS server. That way all kinds of Internet traffic can benefit, not just Firefox.
Interesting suggestion, but I don't think we have the resources to make that happen anytime soon. Code contributions are welcome though.