Open Bug 1824414 Opened 2 years ago Updated 2 years ago

Confusing error message displayed when DNS reply has rcode REFUSED

Categories

(Core :: Networking: DNS, enhancement, P3)

Firefox 110
enhancement

UNCONFIRMED

People

(Reporter: mozilla, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:110.0) Gecko/20100101 Firefox/110.0
Firefox for Android

Steps to reproduce:

The workstation/phone/tablet is configured to use a DNS server that filters adult content.
For each domain name with adult content the DNS server sends a valid DNS reply with rcode 5 (REFUSED) for blocked/filtered domains.

Actual results:

Enter a URL with adult content (xnxx.com).
Firefox shows an error message that causes confusion (Hmm. We’re having trouble finding that site ...).

Expected results:

Firefox should give an appropriate clear message about what happened, e.g. "The DNS server refused to answer the query for xnxx.com" or similar.

The Bugbug bot thinks this bug should belong to the 'Core::Networking: DNS' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Networking: DNS
Product: Firefox → Core

Hi Marcus,

Firefox resolves domain names using the getaddrinfo call, so it has no way of distinguishing between NXDOMAIN and (some other error code).
Did you find that other browsers have a better behaviour in this case?

Thanks!

Blocks: dns
Flags: needinfo?(mozilla)

Hi Valentin,
Hmmm, getaddrinfo is indeed not very helpful in propagating a DNS error status.
On Ubuntu 22.10 I did a test with strace and getaddrinfo using the filtering DNS server (BIND 9.18.13), where resolv.conf has only one line with "nameserver <IP>":

  • a lookup for a nonexistent domain name: getaddrinfo returns -2 Name or service not known (probably an NXDOMAIN), errno is 22 Invalid argument
  • a lookup for a filtered domain (DNS server sends rcode REFUSED): getaddrinfo times out with 2 DNS lookup attempts and returns -3 Temporary failure in name resolution, errno is 11 Resource temporarily unavailable

It seems reasonable to assume an NXDOMAIN error for the first test.

In the second test getaddrinfo returns -3 Temporary failure, which is almost always not an NXDOMAIN.
In this case I suggest not displaying the NXDOMAIN error text but something better like "DNS_TEMPORARY_FAILURE - the DNS server(s) were unable to produce the IP address of <domainname>" or something similar.

I have requested the same enhancement for Chrome but have not yet received any feedback from the Chrome developers.

Thanks, Marcus

Flags: needinfo?(mozilla)
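
The information that getaddrinfo drops in the exchange above, as an added example (not Firefox code and not posted in this bug): the rcode sits in the low four bits of the fourth byte of the DNS reply header (RFC 1035, section 4.1.1), so a resolver that sees the raw reply can tell REFUSED (5) from NXDOMAIN (3). The function names, the message strings and the sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RCODE values from RFC 1035, section 4.1.1. */
enum { RCODE_NOERROR = 0, RCODE_SERVFAIL = 2, RCODE_NXDOMAIN = 3, RCODE_REFUSED = 5 };

/* Hypothetical helper: return the RCODE of a raw DNS reply, or -1 when the
 * buffer is shorter than the 12-byte header or is not a response. */
int dns_response_rcode(const uint8_t *msg, size_t len)
{
    if (msg == NULL || len < 12)
        return -1;
    if ((msg[2] & 0x80) == 0)   /* QR bit: 0 = query, 1 = response */
        return -1;
    return msg[3] & 0x0F;       /* RCODE: low 4 bits of the second flags byte */
}

/* Hypothetical helper: the distinct message a client could show per RCODE. */
const char *describe_rcode(int rcode)
{
    switch (rcode) {
    case RCODE_NOERROR:  return "resolved";
    case RCODE_NXDOMAIN: return "domain does not exist";
    case RCODE_REFUSED:  return "DNS server refused to answer the query";
    case RCODE_SERVFAIL: return "DNS server failure";
    case -1:             return "malformed or non-response message";
    default:             return "other DNS error";
    }
}

/* Constructed samples: header only (ID 0x1234, QR=1, RD=1, RA=1, QDCOUNT=1),
 * question section omitted because only the header is inspected. */
static const uint8_t sample_nxdomain[12] = {0x12, 0x34, 0x81, 0x83, 0, 1, 0, 0, 0, 0, 0, 0};
static const uint8_t sample_refused[12]  = {0x12, 0x34, 0x81, 0x85, 0, 1, 0, 0, 0, 0, 0, 0};
static const uint8_t sample_query[12]    = {0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0};

int main(void)
{
    printf("nxdomain: %s\n", describe_rcode(dns_response_rcode(sample_nxdomain, 12)));
    printf("refused:  %s\n", describe_rcode(dns_response_rcode(sample_refused, 12)));
    printf("query:    %s\n", describe_rcode(dns_response_rcode(sample_query, 12)));
    return 0;
}
```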

Thank you Marcus. We'll keep this one in the backlog for now.

Severity: -- → S3
Priority: -- → P3
Whiteboard: [necko-triaged]