Open Bug 1852904 Opened 1 year ago Updated 1 year ago

nsHostRecord should record if it was resolved using a secure DNS resolver

Categories

(Core :: Networking: DNS, enhancement, P2)

Product:
Core
Component:
Networking: DNS
Type:
enhancement

Tracking

()

People

(Reporter: valentin, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged])

Goal: Prevent the use of HTTPS record fetched over unencrypted connections for certain features.

  • Determine if OS resolver is using a secure transport. This will be essential in determining if the HTTPS record can be used for ECH or not.
  • Expose secure transport on DNS record. Modify existing code to account for changes.

https://learn.microsoft.com/en-us/windows/win32/api/netioapi/ns-netioapi-dns_doh_server_settings
https://developer.apple.com/documentation/networkextension/dns_settings

When DoH was the only way to resolve HTTPS records all HTTPS records were secure. However, if we allow resolving HTTPS records using the native resolver, we should check if the OS is using a secure resolver (DoH, DoT) and provide this info to consumers.

See Also: → 1801530

Just to clarify: We're fine to use HTTPS records for ECH for as well. There's no downside, it's just has a limited benefit compared to using encrypted DNS.

It would still be great to expose this information, but I stress that we don't need it for deciding whether to use ECH. We should always do ECH if a HTTPS RR is available.

You need to log in before you can comment on or make changes to this bug.