Closed Bug 1906239 Opened 3 months ago Closed 3 months ago

Let network.dns.native_https_query ride the trains

Categories

(Core :: Networking: DNS, task, P2)

RESOLVED FIXED
129 Branch
Tracking Status
relnote-firefox --- 129+
firefox129 --- fixed

People

(Reporter: kershaw, Assigned: kershaw)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-complete, Whiteboard: [necko-triaged])

Attachments

(1 file)

No description provided.
Assignee: nobody → kershaw
Status: NEW → ASSIGNED
Pushed by kjang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c48809d5af6a Let network.dns.native_https_query ride the trains, r=sunil
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 129 Branch
Blocks: 1852752
Keywords: dev-doc-needed
Depends on: 1890999
Blocks: 1891963

I think this should have a release note. It was nominated in the previous bug when this was planned for Firefox 127. See bug 1890999 comment 13

relnote-firefox: --- → ?
Depends on: 1874464

I have created an MDN release note in https://github.com/mdn/content/pull/35215 - NOTE, this is not the "official FF release note" - don't know who you have to ping for that.

Note, my understanding is that for ECH you need to have an HTTPS DNS record, which normally you can only get by enabling DNS over HTTPS. With that you're making your DNS request over HTTPS so anything between the browser and your DNS server, such as an ISP, can't see your request.

This fix means that you resolve the DNS using OS DNS resolving services. How does that help though? - I mean how does that get you the mapping between the domain name and IP address securely - after all, "somehow" you have to get the mapping. Is it that your OS somehow already has these mappings, so you are using them if they exist? I don't need this for the release note, but I'm curious.

Flags: needinfo?(kershaw)

(In reply to Hamish Willee from comment #5)

> I have created an MDN release note in https://github.com/mdn/content/pull/35215 - NOTE, this is not the "official FF release note" - don't know who you have to ping for that.

Thanks for the release note. It looks good to me.

> Note, my understanding is that for ECH you need to have an HTTPS DNS record, which normally you can only get by enabling DNS over HTTPS. With that you're making your DNS request over HTTPS so anything between the browser and your DNS server, such as an ISP, can't see your request.
>
> This fix means that you resolve the DNS using OS DNS resolving services. How does that help though? - I mean how does that get you the mapping between the domain name and IP address securely - after all, "somehow" you have to get the mapping. Is it that your OS somehow already has these mappings, so you are using them if they exist? I don't need this for the release note, but I'm curious.

That's because the OS DNS resolver might also use secure transport methods such as DoH (for example, the secure DNS client supported on Windows Server). This approach allows us to benefit from existing secure mechanisms provided by the OS.

Flags: needinfo?(kershaw)
Regressions: 1910593