Unable to connect to Quad9 for DNS-over-HTTPS (v116.0, Windows 10)
Categories: Core :: Security: PSM, defect
People: Reporter: footwear_gesture295, Unassigned
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0
Steps to reproduce:
- Uninstall Mozilla Firefox.
- Remove "%APPDATA%\Mozilla" and "%LOCALAPPDATA%\Mozilla" directories.
- Install Mozilla Firefox.
- In Firefox, go to about:preferences#privacy > DNS over HTTPS.
- Enable secure DNS using: Max Protection
- Choose provider: Custom
- https://dns.quad9.net/dns-query
Instead of step (4), alternatively change the following values in about:config:
- network.trr.custom_uri: https://dns.quad9.net/dns-query
- network.trr.mode: 3
- network.trr.uri: https://dns.quad9.net/dns-query
- May or may not add network.trr.bootstrapAddress: 9.9.9.9
- Make a net request (e.g. go to https://www.mozilla.org)
Please note:
- DoH works with the default provider (https://mozilla.cloudflare-dns.com/dns-query).
- Quad9 DoH works in my other browsers.
- Reference: https://www.quad9.net/news/blog/doh-with-quad9-dns-servers
Actual results:
Connection failure page:
Possible security risk looking up this domain
Firefox can’t protect your request for this site’s address through our trusted DNS resolver. Here’s why:
Firefox wasn’t able to connect to dns.quad9.net.
Learn more…
You can continue with your default DNS resolver. However, a third-party might be able to see what websites you visit.
[Try Again] [Change DNS settings]
Expected results:
Firefox makes a connection successfully, as it did in v115.1.0 (Windows 10).
Comment 1•2 years ago
The Bugbug bot thinks this bug should belong to the 'Core::Networking' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 2•2 years ago
Hi Reporter,
Could you try to record a http log?
Please try to use the steps below.
- Go to about:logging and select "Logging to a file", then start logging.
- Change your DoH settings to use https://dns.quad9.net/dns-query
- Visit any web site and see if the warning page shows.
- Stop logging and send the log file to necko@mozilla.com.
Thanks.
Comment 3•2 years ago
(In reply to Kershaw Chang [:kershaw] from comment #2)
Hi Reporter,
Could you try to record a http log?
Please try to use the steps below.
- Go to about:logging and select "Logging to a file", then start logging.
- Change your DoH settings to use https://dns.quad9.net/dns-query
- Visit any web site and see if the warning page shows.
- Stop logging and send the log file to necko@mozilla.com.
Thanks.
Log sent.
Comment 4•2 years ago
Thanks for the log.
It seems we have the following error for the connection to dns.quad9.net.
2023-08-03 15:12:36.170000 UTC - [Parent 8404: Socket Thread]: D/nsSocketTransport nsSocketOutputStream::Write [this=1a5ecc8ced0 count=366]
2023-08-03 15:12:36.170000 UTC - [Parent 8404: Socket Thread]: D/nsSocketTransport calling PR_Write [count=366]
2023-08-03 15:12:36.170000 UTC - [Parent 8404: Socket Thread]: D/nsSocketTransport PR_Write returned [n=-1]
2023-08-03 15:12:36.170000 UTC - [Parent 8404: Socket Thread]: D/nsSocketTransport ErrorAccordingToNSPR [in=-16376 out=805a3ff8]
The error 805a3ff8 is MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING.
So, I'll change the component and ask PSM team to have a look.
Comment 5•2 years ago
Thank you for your time and effort.
I got an error page for MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING when attempting to browse to https://dns.quad9.net/dns-query?name=quad9.net with an unspecified port number (defaulted to 443). I dismissed the error because my firewall blocks most ports (including port 5053) and because of this statement on the aforementioned reference:
An easy way to test without changing anything in your favorite DoH client is to just perform the following query right from your browser:
Updated 7/25/2019 – This is now running on a custom port since this implementation is not inline with the most recent standards based DoH implementation. (see RFC 8484)
I apologize for not even considering mentioning it. I look forward to an updated certificate store in a future release.
Comment 6•2 years ago
Using https://dns.quad9.net:5053/dns-query works for me, which I think is what you're saying in comment 5?
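The RFC 8484 exchange that comments 5 and 6 are probing, as an added example that is not part of this bug report or of Firefox's or Quad9's code: it builds a wire-format query for quad9.net, forms the GET URL against a base such as https://dns.quad9.net:5053/dns-query (the port from comment 6), and parses the binary reply, raising on an error RCODE instead of returning an empty list. The reply bytes are constructed here for an offline run.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query; ID 0 as RFC 8484 recommends so GETs are cache-friendly."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype 1 = A, class IN

def doh_get_url(base_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the query base64url-encoded, padding stripped, in 'dns='."""
    return base_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels = []
    while True:
        n = msg[off]
        if n >= 0xC0:  # 0b11xxxxxx: compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n

def parse_a_records(msg: bytes) -> list:
    """IPv4 strings from the answer section; a non-zero RCODE is raised, not swallowed."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("DNS RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _read_name(msg, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    ips = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips

# Constructed sample reply: flags 0x8180, one question, one A answer 9.9.9.9 (TTL 300)
# whose owner name is a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + b"\x05quad9\x03net\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([9, 9, 9, 9]))
```

Fetching the URL from doh_get_url over HTTPS with an `Accept: application/dns-message` header and passing the response body to parse_a_records reproduces the lookup of quad9.net from comment 5 on the port that comment 6 reports working.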