Open Bug 1656714 Opened 10 months ago Updated 10 months ago

net.trr.bootstrapAddress should bootstrap instead of hardcoding

Categories

(Core :: Networking: DNS, enhancement, P3)

enhancement

Tracking

UNCONFIRMED

People

(Reporter: mcccs, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [necko-triaged])

Summary: Ideally, bootstrapAddr is used only for the first DNS request, which is to find the other addresses of the TRR resolver. The following requests can be made through IPv6 if available.

Problem:

net.trr.bootstrapAddress should signify the initial TRR IP, not the hardcoded, permanent DoH IP.

In this case, "Bootstrap" means "to make the initial DNS query as a precursor to the next DNS queries." The pref name is confusing.

Impact:

Before or after this bug report, net.trr.bootstrapAddress allows DoH to work in DNS-poisoned environments (for example, cloudflare-dns.com is redirected to an invalid IP). It shouldn't be intended to "pin" an address.

On some networks, IPv4 has a higher latency than IPv6. This is expected since IPv6 is designed to supersede IPv4. So we should always connect through IPv6 when possible.

Ideally, bootstrapAddr is used only for the first DNS request, which is to find the other addresses of the TRR resolver. The following requests can be made through IPv6 if available.

How I want bootstrapAddr to work (example)

  • A user connected to an IPv6 network.
  • bootstrapAddr has 1.1.1.1
  • TRR address "cloudflare-dns.com"

A and AAAA requests are made through TRR to 1.1.1.1, cloudflare-dns.com.

cloudflare-dns.com lists 1.1.1.1, 1.0.0.1, 2606:4700:4700::1111, 2606:4700:4700::1001.

We continue with 2606:4700:4700::1111 since IPv6 is available.

Possible solution

A pref that changes the behavior of bootstrapAddr, choosing one of the following:

  • "Pin" the IP for the TRR resolver
  • Use it as a bootstrap address. Make the first TRR request to discover its other IPv6 and IPv4 addresses.

Blocks: IPv6, doh
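The two behaviours the report contrasts ("pin" the bootstrap IP versus use it once to discover the resolver's own A/AAAA records and then prefer IPv6), as an added worked example. This is not Firefox/necko code and not from the bug reporter; it is a stand-alone Python script that hand-parses DNS wire format so it runs offline. The function names (select_address, build_query, parse_addresses), the mode strings "pin"/"bootstrap", and fake_doh_transport (a stand-in for a DoH POST to https://<bootstrap ip>/dns-query with the TRR host name as SNI) are assumptions for illustration; the record set for cloudflare-dns.com is constructed from the values listed in the report.

```python
# Added example, not Firefox code: bootstrap-then-prefer-IPv6 versus pinned mode
# for a TRR bootstrap address. DNS wire format (RFC 1035) is parsed by hand so the
# script runs offline against a constructed DoH response.
import ipaddress
import struct

TYPE_A, TYPE_AAAA = 1, 28

def build_query(name: str, qtype: int, txid: int = 0) -> bytes:
    """Wire-format DNS query, as carried in a DoH POST body (RFC 8484 uses ID 0)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("!B", len(l)) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN

def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (off if end is None else end)

def parse_addresses(msg: bytes) -> list:
    """Return (owner name, address) for every A/AAAA record in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # RCODE other than NOERROR: treat the response as unusable
        raise ValueError("DNS rcode %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    out = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            out.append((name, ipaddress.IPv4Address(rdata)))
        elif rtype == TYPE_AAAA and rdlen == 16:
            out.append((name, ipaddress.IPv6Address(rdata)))
    return out

def build_response(query: bytes, addrs, ttl: int = 300) -> bytes:
    """Constructed answer: echo the question, add one RR per address with a pointer to the qname."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR=1 RD=1 RA=1
    rrs = b""
    for a in addrs:
        ip = ipaddress.ip_address(a)
        rtype = TYPE_A if ip.version == 4 else TYPE_AAAA
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(ip.packed)) + ip.packed
    return header + query[12:] + rrs

# Constructed record set, taken from the addresses listed in the report.
CONSTRUCTED_RECORDS = {
    TYPE_A: ["1.1.1.1", "1.0.0.1"],
    TYPE_AAAA: ["2606:4700:4700::1111", "2606:4700:4700::1001"],
}

def fake_doh_transport(bootstrap_ip: str, query: bytes) -> bytes:
    """Stand-in for POST https://<bootstrap_ip>/dns-query (SNI = TRR host); answers offline."""
    qtype = struct.unpack("!H", query[-4:-2])[0]
    return build_response(query, CONSTRUCTED_RECORDS.get(qtype, []))

def select_address(mode: str, bootstrap_ip: str, trr_host: str, send_doh, ipv6_available: bool):
    """'pin': keep using bootstrap_ip forever (today's behaviour).
    'bootstrap': ask the resolver at bootstrap_ip for its own A/AAAA records over DoH,
    then prefer an IPv6 address when the network has IPv6, else IPv4, else fall back."""
    if mode == "pin":
        return ipaddress.ip_address(bootstrap_ip)
    if mode != "bootstrap":
        raise ValueError("unknown mode %r" % mode)
    addrs = []
    for qtype in (TYPE_AAAA, TYPE_A):  # one extra round trip per record type
        resp = send_doh(bootstrap_ip, build_query(trr_host, qtype))
        # Only accept records whose owner name is the TRR host itself.
        addrs += [ip for name, ip in parse_addresses(resp) if name == trr_host]
    v6 = [ip for ip in addrs if ip.version == 6]
    v4 = [ip for ip in addrs if ip.version == 4]
    if ipv6_available and v6:
        return v6[0]
    if v4:
        return v4[0]
    return ipaddress.ip_address(bootstrap_ip)  # nothing usable came back: stay on the bootstrap IP

if __name__ == "__main__":
    print(select_address("bootstrap", "1.1.1.1", "cloudflare-dns.com", fake_doh_transport, True))
```

Because the bootstrap query itself goes over DoH (TLS to the TRR host name, not plain UDP/53), the addresses it returns are as trustworthy as the DoH connection, which is what makes the two-step flow safe in the poisoned-DNS case the report mentions; the owner-name check above keeps an unrelated record in the answer section from being picked up. The example spends two round trips (AAAA then A) before the first real lookup, which is the cost the follow-up comment points out.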

Only using the IP for the first connection would require:

  1. An extra round trip before we are able to use the TRR connection
  2. The ability to pin the IPs for the TRR resolver (which is difficult to do right now)

I'll try to improve this in the future.

Severity: -- → S3
Type: defect → enhancement
Priority: -- → P3
Whiteboard: [necko-triaged]