Closed Bug 1623588 Opened 5 years ago Closed 5 years ago

Firefox bypasses network google URL blocking

Categories

(Core :: Networking: DNS, defect, P2)

73 Branch
defect

RESOLVED INVALID

People

(Reporter: hobshobson, Unassigned)

Details

(Whiteboard: [necko-triaged])

Attachments

(3 files)

932.17 KB, application/x-zip-compressed
1.21 MB, application/x-zip-compressed
959.11 KB, application/x-zip-compressed

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0

Steps to reproduce:

  1. Block google and associated domains in the router
  2. Enter google.com in another browser (I used Safari). Router message returned saying the site is blocked (expected behaviour)
  3. Enter google.com in Firefox. Google page returned

Actual results:

  1. Enter google.com in Firefox. Google page returned

Expected results:

Router message returned saying the site is blocked

Hello,
This is an expected behavior with the new DoH feature: https://support.mozilla.org/en-US/kb/firefox-dns-over-https

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Component: Untriaged → Networking: DNS
Product: Firefox → Core
Resolution: --- → INVALID
Status: RESOLVED → UNCONFIRMED
Component: Networking: DNS → Untriaged
Product: Core → Firefox
Resolution: INVALID → ---

Problem still exists after trying to block google.

Following the instructions on https://bugzilla.mozilla.org/show_bug.cgi?id=1623588

  1. changed tick box to "Enable DNS over https:" in Network Settings
  2. for info, network.trr.mode = 2. no setting changed by me
  3. network.trr.excluded-domains = google.com, google.co.uk, facebook.com
  4. www.google.com is still being returned

Hi,

Unfortunately we cannot reproduce this issue due to our environment. Anyway I'm setting component to Core - Networking: DNS for someone to take a look at this.

Meanwhile @hobshobson@tiscali.co.uk, could you please try on our latest Nightly build? You can download it from nightly.mozilla.org. Also, could you try in SAFE MODE?

Thanks.

Component: Untriaged → Networking: DNS
Flags: needinfo?(hobshobson)
Product: Firefox → Core

Same behaviour when I start Firefox in Safe Mode

Flags: needinfo?(hobshobson)

Using Nightly:

  1. entering google.com in address bar returns router message saying site is unavailable. Expected behaviour
  2. changing address bar from http://google.com to https://google.com, google is returned. As I am in nightly, my blocked sites have not been imported
  3. entering http://google.com changes the address bar to https://google.com, and google.com is returned
  4. follow instructions support.mozilla.org/en-US/kb/firefox-dns-over-https#w_excluding-specific-domains
    network.trr.excluded-domains = google.com
    re-start nightly
  5. enter google.com in address bar; https://www.google.com/ returned
  6. change address bar to http://www.google.com/; https://www.google.com/ returned

Hello Reporter,
Could you help us to gather logs to see why the excluded-domains pref doesn't work?
https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging

Thanks.

Flags: needinfo?(hobshobson)
Attached file firefox logs.zip
Flags: needinfo?(hobshobson)

We already have a SPDY connection before we resolve DNS from TRR (excluded-domain works well, but it's too late).
Could you take a look, Valentin?

Flags: needinfo?(valentin.gosu)
Priority: -- → P2
Whiteboard: [necko-triaged]

I've looked at the logs, and by the time they start we already appear to have loaded www.google.com.
Dick, could you try getting the logs again from the console, without the rotate parameter?

set MOZ_LOG=timestamp,nsHttp:5,cache2:5,nsSocketTransport:5,nsHostResolver:5,cookie:5
set MOZ_LOG_FILE=%TEMP%\log.txt
"c:\Program Files\Mozilla Firefox\firefox.exe"

Flags: needinfo?(valentin.gosu) → needinfo?(hobshobson)

Entered changes through a command box
Restarted Firefox by shortcut – that path (and no path) didn’t work. Address bar drop down matched google to a previous entry
Cleared check box Options/Privacy & Security/Address bar/browsing history
Closed & Restarted Firefox
New tab, entered google.com; site opened

Identified Firefox path
Closed Firefox

Command window:
cd "c:\Program Files (x86)\Mozilla Firefox"
Firefox. Firefox starts
Try google.com in search bar. Dropdown shows duckduckgo suggestion for google.com. google site loads
Close firefox
Save log files to Firefox1.zip

Restart Firefox
About:networking#logging start logging
New tab
Enter google.com; Duckduckgo finds google for the dropdown while I am typing; google site opens
Switch back a tab and stop logging

Save log files to Firefox2.zip

Flags: needinfo?(hobshobson)
Attached file Firefox1.zip
Attached file Firefox2.zip

(In reply to Valentin Gosu [:valentin] (he/him) from comment #9)

I've looked at the logs, and by the time they start we already appear to have loaded the www.google.com
Dick, could you try getting the logs again from the console, without the rotate parameter?

set MOZ_LOG=timestamp,nsHttp:5,cache2:5,nsSocketTransport:5,nsHostResolver:5,cookie:5
set MOZ_LOG_FILE=%TEMP%\log.txt
"c:\Program Files\Mozilla Firefox\firefox.exe"

Morning Valentin

I did attach the log files some time ago. You may not have received a notification

regards

Hi Dick, thanks for the ping. I hadn't noticed.

So, looking at the logs from firefox1 I see the following:

2020-04-21 14:08:24.689000 UTC - [Parent 6008: Socket Thread]: D/nsHostResolver Resolving host [www.google.com] type 0. [this=0000002A4E96F430]
2020-04-21 14:08:24.689000 UTC - [Parent 6008: Socket Thread]: D/nsHostResolver Subdomain [google.com] of host [www.google.com] Is Excluded From TRR via pref
2020-04-21 14:08:24.689000 UTC - [Parent 6008: Socket Thread]: D/nsHostResolver   No usable record in cache for host [www.google.com] type 0.
2020-04-21 14:08:24.689000 UTC - [Parent 6008: Socket Thread]: D/nsHostResolver Subdomain [google.com] of host [www.google.com] Is Excluded From TRR via pref
2020-04-21 14:08:24.689000 UTC - [Parent 6008: Socket Thread]: D/nsHostResolver NameLookup: www.google.com effectiveTRRmode: 1
2020-04-21 14:08:24.689000 UTC - [Parent 6008: Socket Thread]: D/nsHostResolver   DNS thread counters: total=4 any-live=0 idle=4 pending=1
2020-04-21 14:08:24.689000 UTC - [Parent 6008: Socket Thread]: D/nsHostResolver   DNS lookup for host [www.google.com] blocking pending 'getaddrinfo' or trr query: callback [0000002A6393F030]
2020-04-21 14:08:24.689000 UTC - [Parent 6008: Socket Thread]: D/nsSocketTransport   advancing to STATE_RESOLVING
2020-04-21 14:08:24.689000 UTC - [Parent 6008: DNS Resolver #3]: E/nsHostResolver DNS lookup thread - Calling getaddrinfo for host [www.google.com].

Here we just called getaddrinfo for www.google.com because the host was in excluded-domains

2020-04-21 14:08:24.712000 UTC - [Parent 6008: DNS Resolver #3]: D/nsHostResolver nsHostResolver::CompleteLookup www.google.com 0000002A6433D100 0 trr=0 stillResolving=0
2020-04-21 14:08:24.712000 UTC - [Parent 6008: DNS Resolver #3]: D/nsHostResolver nsHostResolver record 0000002A6A99D3C0 new gencnt
2020-04-21 14:08:24.712000 UTC - [Parent 6008: DNS Resolver #3]: D/nsHostResolver Caching host [www.google.com] record for 60 seconds (grace 0).
2020-04-21 14:08:24.712000 UTC - [Parent 6008: DNS Resolver #3]: D/nsHostResolver CompleteLookup: www.google.com has 216.58.206.100

And here we got back the IP from the system resolver.
Same story for firefox2.zip

Are you sure the blocking works?

Flags: needinfo?(hobshobson)
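The log reading done by hand in the comment above can be automated. The following is an added example, not part of the bug thread or of Firefox: it parses nsHostResolver lines and reports, per host, whether the name was excluded from TRR and which resolver answered. The sample log is constructed; the `example.org` lines and the reading of `trr=1` as "answered by TRR" are assumptions.

```python
import re

# Constructed sample. The www.google.com lines copy the nsHostResolver messages
# quoted in this bug (prefixes shortened); the example.org lines are invented
# by analogy (assumption: trr=1 marks a TRR answer) and are not from the logs.
SAMPLE_LOG = """\
14:08:24.689 [Socket Thread]: D/nsHostResolver Subdomain [google.com] of host [www.google.com] Is Excluded From TRR via pref
14:08:24.689 [Socket Thread]: D/nsHostResolver NameLookup: www.google.com effectiveTRRmode: 1
14:08:24.689 [DNS Resolver #3]: E/nsHostResolver DNS lookup thread - Calling getaddrinfo for host [www.google.com].
14:08:24.712 [DNS Resolver #3]: D/nsHostResolver nsHostResolver::CompleteLookup www.google.com 0000002A6433D100 0 trr=0 stillResolving=0
14:08:24.712 [DNS Resolver #3]: D/nsHostResolver CompleteLookup: www.google.com has 216.58.206.100
14:08:25.140 [Main Thread]: D/nsHostResolver nsHostResolver::CompleteLookup example.org 0000000000000000 0 trr=1 stillResolving=0
14:08:25.140 [Main Thread]: D/nsHostResolver CompleteLookup: example.org has 192.0.2.10
"""

PATTERNS = {
    "excluded_by": re.compile(r"Subdomain \[(?P<val>[^\]]+)\] of host \[(?P<host>[^\]]+)\] Is Excluded From TRR"),
    "mode": re.compile(r"NameLookup: (?P<host>\S+) effectiveTRRmode: (?P<val>\d+)"),
    "getaddrinfo": re.compile(r"Calling getaddrinfo for host \[(?P<host>[^\]]+)\]"),
    "trr": re.compile(r"::CompleteLookup (?P<host>\S+) \S+ \S+ trr=(?P<val>\d)"),
    "addrs": re.compile(r" CompleteLookup: (?P<host>\S+) has (?P<val>\S+)"),
}

def summarize(log_text):
    """Return {host: facts} describing how each host name was resolved."""
    hosts = {}
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                rec = hosts.setdefault(m["host"], {"excluded_by": None, "mode": None,
                                                   "getaddrinfo": False, "trr": None, "addrs": []})
                if kind == "addrs":
                    rec["addrs"].append(m["val"])
                elif kind == "getaddrinfo":
                    rec["getaddrinfo"] = True
                elif kind == "trr":
                    rec["trr"] = m["val"] == "1"
                else:  # excluded_by and mode keep the captured text as-is
                    rec[kind] = m["val"]
    return hosts

def resolver_used(rec):
    """Say which resolver produced the answer for one host record."""
    if rec["trr"]:
        return "TRR (DoH)"
    if rec["getaddrinfo"] or rec["trr"] is False:
        return "system resolver" + (" (excluded via pref)" if rec["excluded_by"] else "")
    return "unknown"
```

Run `summarize()` over the text of a MOZ_LOG file and pass each record to `resolver_used()`; a host that reports the system resolver yet still loads was not blocked at the DNS layer.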

Hi Valentin

You may not be surprised to hear that I don't follow all the technology in this log file, but thanks anyway :)

So .......

  1. Tried Internet Explorer to access google from this device (Samsung laptop running Win 8.1; the only other browser I have available). Result: Site blocked by wireless router

  2. Tried Safari on my mobile to access google using the same wireless router. Result: Site blocked by wireless router

  3. Tried Firefox to access google from this device. Result: google.com and .co.uk both returned

  4. Cleared all browsing history, etc. in Firefox. Restart. Result: google.com and .co.uk both returned

  5. Disabled DNS over HTTPS (as I thought this may have been the change which bypassed my router). Result: google.com and .co.uk both returned

  6. Tried ping google in DOS box. Result: ping returned successfully

  7. Tried ping criteo.net in DOS box. Result: ping returned successfully (criteo.net is also blocked in my router)

  8. Tried criteo.net in Firefox. Result: Site blocked by wireless router

So it seems to be something that is unique to Firefox, but if you want me to try anything else please let me know.

Flags: needinfo?(hobshobson)

I assume the problem is that this is a HTTP block at the router level, not a DNS block.
Otherwise a ping wouldn't succeed.
The difference between browsers might be that Firefox attempts to use HTTPS instead of HTTP?

My router points to OpenDNS for address resolution, and I have also blocked google in that!!

But yes, in Safari if I enter https:// in the address bar, then google is returned.

But shouldn't the "DNS over https" blocking in Safari still stop me getting through to google, either by http or https?

It's hard to tell without investigating more in depth and having a way to reproduce.
In any case, thanks for reporting the potential problem and for confirming that it's not caused by Firefox.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID