Closed Bug 1630093 Opened 6 months ago Closed 3 months ago

TRR canary check returns "disable_doh" if the DNS request fails

Categories

(Firefox :: Security, defect, P1)

Tracking

RESOLVED FIXED
Firefox 79
Tracking Status
firefox79 --- fixed

People

(Reporter: tdsmith, Assigned: nhnt11)

Details

(Whiteboard: [necko-triaged][trr])

Attachments

(1 file)

The application DNS canary check in the DoH rollout addon returns disable_doh if the DNS request fails (for example, because the network is disconnected). These are probably inflating our disable rates.

I think the check should only return disable_doh if the check affirmatively fails according to the criteria in https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet.

STR:

  1. Visit about:devtools-toolbox?type=extension&id=doh-rollout@mozilla.org and run await globalCanary() in the console; result should be enable_doh.
  2. Disconnect the network.
  3. Repeat. Expected result to be enable_doh; result was disable_doh.

needinfo Nihanth and cc Dragana and Valentin.

Flags: needinfo?(nhnt11)
Priority: -- → P2
Whiteboard: [necko-triaged]
Whiteboard: [necko-triaged] → [necko-triaged][trr]
Component: Networking → Security
Product: Core → Firefox
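
The distinction the report asks for, as an added example that is not the doh-rollout add-on's code: a lookup that got no response is kept apart from a response that affirmatively signals the canary, and the two classifications are compared on a constructed sample. The outcome shape, the function names and the "inconclusive" verdict are hypothetical, and the disable criteria are an assumed reading of the linked support article.

```javascript
// Added example: hypothetical model, not the doh-rollout add-on's code.
// A lookup outcome is either a DNS response the resolver actually sent
// ({ responded: true, rcode, addresses }) or a transport failure
// ({ responded: false, error }), e.g. when the network is disconnected.

// Assumed reading of the linked canary article: the network signals
// "disable" only through an actual response, either a non-NOERROR rcode
// or NOERROR carrying no A/AAAA records.
function classifyStrict(outcome) {
  if (!outcome.responded) {
    return "inconclusive"; // no answer at all: not evidence of a canary
  }
  if (outcome.rcode !== "NOERROR") {
    return "disable_doh";
  }
  return outcome.addresses.length === 0 ? "disable_doh" : "enable_doh";
}

// Behaviour described in the bug title: any failed lookup disables DoH.
function classifyAsReported(outcome) {
  const ok = outcome.responded && outcome.rcode === "NOERROR" &&
    outcome.addresses.length > 0;
  return ok ? "enable_doh" : "disable_doh";
}

// Fraction of conclusive evaluations that reported disable_doh.
function disableRate(outcomes, classify) {
  const verdicts = outcomes.map(o => classify(o)).filter(v => v !== "inconclusive");
  const disabled = verdicts.filter(v => v === "disable_doh").length;
  return verdicts.length === 0 ? 0 : disabled / verdicts.length;
}

// Constructed sample: 10 evaluations, only one on a network with a canary.
const SAMPLE = [
  ...Array(6).fill({ responded: true, rcode: "NOERROR", addresses: ["192.0.2.1"] }),
  { responded: true, rcode: "NXDOMAIN", addresses: [] },
  ...Array(3).fill({ responded: false, error: "network unreachable" }),
];

console.log("as reported:", disableRate(SAMPLE, classifyAsReported));
console.log("strict:     ", disableRate(SAMPLE, classifyStrict));
```

On this sample the three offline evaluations account for the whole difference between the two rates.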

Hmm, we aren't running heuristics until the network goes up. Is there any other situation in which this could result in a false-negative?

Flags: needinfo?(nhnt11) → needinfo?(tdsmith)

I'm not sure. My concern is that a consistent baseline of 20-30% of heuristics evaluations on all networks report that the canary is disabling DoH, which seems unlikely to me, and this looked like a potential cause. This could be spurious but I'm suspicious of it.

Flags: needinfo?(tdsmith)

Can you set a severity? Thanks!

Flags: needinfo?(nhnt11)
Severity: -- → S4
Flags: needinfo?(nhnt11)
Assignee: nobody → nhnt11
Status: NEW → ASSIGNED
Priority: P2 → P1
Pushed by nhnt11@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/e29a263455f8
Don't run heuristics until internet connectivity has been established. r=valentin
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 79
Depends on: 1649450
Flags: qe-verify+
Regressions: 1651682

Hello,

I'm trying to verify this bug. On 79.0b9, if I repeat the steps (as I understand the steps, I must be disconnected from the network when running await globalCanary()), and if that's the case, I can still reproduce this issue.

Flags: needinfo?(nhnt11)

Daniel, if that code is called when network is disconnected, the canary heuristic will still fail.

The patch in this bug simply tries to ensure that we don't call the code when the network is down.

This situation will be further improved in bug 1654520.

Flags: needinfo?(nhnt11)

Hello,

Understood, will remove the qe+ flag from the bug.

Flags: qe-verify+