Let network.dns.native_https_query ride the trains
Categories: Core :: Networking: DNS, task, P2
People: Reporter: kershaw, Assigned: kershaw
References: Blocks 1 open bug
Details: Keywords: dev-doc-complete, Whiteboard: [necko-triaged]
Attachments: 1 file
Comment 4•3 months ago
I think this should have a release note. It was nominated in the previous bug when this was planned for Firefox 127. See bug 1890999 comment 13.
Comment 5•2 months ago
I have created an MDN release note in https://github.com/mdn/content/pull/35215 - NOTE, this is not the "official FF release note" - don't know who you have to ping for that.
Note, my understanding is that for ECH you need to have an HTTPS DNS record, which normally you can only get by enabling DNS over HTTPS. With that you're making your DNS request over HTTPS so anything between the browser and your DNS server, such as an ISP, can't see your request.
This fix means that you resolve the DNS using OS DNS resolving services. How does that help though? - I mean how does that get you the mapping between the domain name and IP address securely - after all, "somehow" you have to get the mapping. Is it that your OS somehow already has these mappings, so you are using them if they exist? I don't need this for the release note, but I'm curious.
Comment 6•2 months ago (Assignee)
(In reply to Hamish Willee from comment #5)
> I have created an MDN release note in https://github.com/mdn/content/pull/35215 - NOTE, this is not the "official FF release note" - don't know who you have to ping for that.

Thanks for the release note. It looks good to me.

> Note, my understanding is that for ECH you need to have an HTTPS DNS record, which normally you can only get by enabling DNS over HTTPS. With that you're making your DNS request over HTTPS so anything between the browser and your DNS server, such as an ISP, can't see your request.
> This fix means that you resolve the DNS using OS DNS resolving services. How does that help though? - I mean how does that get you the mapping between the domain name and IP address securely - after all, "somehow" you have to get the mapping. Is it that your OS somehow already has these mappings, so you are using them if they exist? I don't need this for the release note, but I'm curious.

That's because the OS DNS resolver might also use secure transport methods such as DoH (for example, the secure DNS client supported on Windows Server). This approach allows us to benefit from existing secure mechanisms provided by the OS.