Closed Bug 1630093 Opened 5 years ago Closed 5 years ago

TRR canary check returns "disable_doh" if the DNS request fails

Categories

(Firefox :: Security, defect, P1)

Product:
Firefox
Component:
Security
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 79
Tracking Flags:
Tracking Status
firefox79 --- fixed

People

(Reporter: tdsmith, Assigned: nhnt11)

References

Details

(Whiteboard: [necko-triaged][trr])

Attachments

(1 file)

Bug 1630093 - Don't run heuristics until internet connectivity has been established. r=valentin!
47 bytes, text/x-phabricator-request
Details | Review

The application DNS canary check in the DoH rollout addon returns disable_doh if the DNS request fails (for example, because the network is disconnected). These are probably inflating our disable rates.

I think the check should only return disable_doh if the check affirmatively fails according to the criteria in https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet.

STR:

  1. Visit about:devtools-toolbox?type=extension&id=doh-rollout@mozilla.org and run await globalCanary() in the console; result should be enable_doh.
  2. Disconnect the network.
  3. Repeat. Expected result to be enable_doh; result was disable_doh.

needinfo Nihanth and cc Dragana and Valentin.

Flags: needinfo?(nhnt11)
Priority: -- → P2
Whiteboard: [necko-triaged]
Whiteboard: [necko-triaged] → [necko-triaged][trr]
Component: Networking → Security
Product: Core → Firefox

Hmm, we aren't running heuristics until the network goes up. Is there any other situation in which this could result in a false-negative?

Flags: needinfo?(nhnt11) → needinfo?(tdsmith)

I'm not sure. My concern is that a consistent baseline of 20-30% of heuristics evaluations on all networks report that the canary is disabling DoH, which seems unlikely to me, and this looked like a potential cause. This could be spurious but I'm suspicious of it.

Flags: needinfo?(tdsmith)

Can you set a severity? Thanks!

Flags: needinfo?(nhnt11)
Severity: -- → S4
Flags: needinfo?(nhnt11)
Assignee: nobody → nhnt11
Status: NEW → ASSIGNED
Priority: P2 → P1
Pushed by nhnt11@gmail.com: https://hg.mozilla.org/integration/autoland/rev/e29a263455f8 Don't run heuristics until internet connectivity has been established. r=valentin

https://hg.mozilla.org/mozilla-central/rev/e29a263455f8

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox79: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 79
Depends on: 1649450
Regressions: 1651682

Hello,

Im trying to verify this bug. On 79.0b9 if I repeat the steps (As i understand the steps I must be disconnected from the network when running await globalCanary() ) if that's the case I can still reproduce this issue.

Flags: needinfo?(nhnt11)

Daniel, if that code is called when network is disconnected, the canary heuristic will still fail.

The patch in this bug simply tries to ensure that we don't call the code when the network is down.

This situation will be further improved in bug 1654520.

Flags: needinfo?(nhnt11)

Hello,

Understood, will remove the qe+ flag from the bug.

Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: