Closed Bug 1817692 Opened 2 years ago Closed 2 years ago

Websites with DNAME records would not be accessed if DoH only mode is enabled

Categories

(Core :: Networking: DNS, defect, P2)

Product:
Core
Component:
Networking: DNS
Version:
Firefox 110
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
112 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- wontfix
firefox110 --- wontfix
firefox111 --- wontfix
firefox112 --- verified
firefox113 --- verified

People

(Reporter: fantasyfate, Assigned: valentin)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged])

Attachments

(4 files, 1 obsolete file)

trrmode_troublefindingthesite_2023-02-22.png
31.28 KB, image/png
Details
trrmode_securityrisk_3options2023-02-22.png
180.52 KB, image/png
Details
trrmode_securityrisk_2options_2023-02-22.png
163.78 KB, image/png
Details
Bug 1817692 - Websites with DNAME records would not be accessed if DoH only mode is enabled r=#necko
48 bytes, text/x-phabricator-request
Details | Review

Steps to reproduce:

  1. Set network.trr.mode to 3
  2. Open https://www3.risc.jku.at/

Actual results:

"Hmm. We’re having trouble finding that site."

Expected results:

This website should be opened.

I speculate that DoH implementation of Firefox might not recognize DNAME records "www3.risc.jku.at" has.

If network.trr.mode is 0 (disabled) or 2 (enabled with fallback), this website would be opened.

The Bugbug bot thinks this bug should belong to the 'Firefox::Security' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Security
Component: Security → Networking: DNS
Product: Firefox → Core
Attachment #9319202 - Attachment filename: trrmode_securityrisk_3options2023-02-22 → trrmode_securityrisk_3options2023-02-22.png
Attachment #9319202 - Attachment description: trrmode_securityrisk_3options2023-02-22 → trrmode_securityrisk_3options2023-02-22.png
Attachment #9319202 - Attachment is obsolete: true

Hello,
I followed the indicated steps on win 11 and macOS 12.5 and found 3 types of results:

  1. with Fx versions 102.8.0esr and 109.0 the issue is reproduced;
  2. with Fx versions 110.0 and Nightly 111.0b3, the issue does not reproduce, instead, we get a "Possible security risk" warning and 3 options: "Try again", "Always continue for this site" (which ensures direct acces to the site in the future) and "Change DNS Settings"
  3. with FX version 111.0b4 and Nighly 112.0a1 (2023-02-22), we get the security warning, but we have only 2 options: "Try again" and "Change DNS Settings" options

I'm not sure if latest versions behaviour is expected or a bug, I'll set it as new and wait for the developer's input.

Status: UNCONFIRMED → NEW
status-thunderbird_esr102: --- → affected
Ever confirmed: true
Assignee: nobody → valentin.gosu
Blocks: doh
Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-triaged]

When encountering an unknown record type in the answers we should be able to ignore it if we don't know how to parse that type.

Pushed by valentin.gosu@gmail.com: https://hg.mozilla.org/integration/autoland/rev/9d6a3eb520ac Websites with DNAME records would not be accessed if DoH only mode is enabled r=necko-reviewers,jesup

https://hg.mozilla.org/mozilla-central/rev/9d6a3eb520ac

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox112: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 112 Branch
status-firefox110: --- → wontfix
status-firefox111: --- → wontfix
Flags: in-testsuite+

Verified - fixed on MacOs12, Win 11, ubuntu 22 in Fx versions 112.0b8 and latest Nightly 113.0a1 (2023-03-29).

Status: RESOLVED → VERIFIED
status-firefox112: fixedverified
status-firefox113: --- → verified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: