Closed Bug 1993370 Opened 9 months ago Closed 3 months ago

h3 to cloudflare can get blocked if the first access is made with DoH on

Categories

(Core :: Networking: HTTP, defect, P2)

defect

Tracking

()

RESOLVED FIXED

People

(Reporter: jesup, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-triaged])

At least on my network, if I go to https://h3.speed.cloudflare.com for the first time in a profile with DoH on, h3 will be blocked and it gets added to the network:reset-http3-excluded-list. If DoH is off on the first access, h3 won't be blocks and later accesses are fine.

about:networking#dnslookuptool shows:
DoH on:

IPs
2606:4700::6812:826
2606:4700::6812:926
104.18.8.38
104.18.9.38
HTTPS RRs
1 h3.speed.cloudflare.com (alpn="h3,h2" ipv4hint="104.18.8.38, 104.18.9.38" ipv6hint="2606:4700::6812:826, 2606:4700::6812:926" )

DoH off:

IPs
104.18.8.38
104.18.9.38
2606:4700::6812:826
2606:4700::6812:926
HTTPS RRs
1 h3.speed.cloudflare.com (alpn="h3,h2" ipv4hint="104.18.8.38, 104.18.9.38" ipv6hint="2606:4700::6812:826, 2606:4700::6812:926" )

Logs of first access with DoH on: https://share.firefox.dev/42zzzYe with DoH Off: https://share.firefox.dev/4nPCULq

This may be specific to my network setup. Verizon FiOS, ASUS router, wired. DoH host is cloudflare.

I think this is another instance of Firefox trying to use IPv6, failing, and blocklisting the host from h3?
Http3Session::Init origin=h3.speed.cloudflare.com, alpn=h3, selfAddr=::, peerAddr=2606:4700::6812:826, qpack table size=65536, max blocked streams=20 webtransport=0 [this=7f550dd2d900]
https://share.firefox.dev/3J0q4KR
I expect the blocklist is something we'll address in happy eyeballs?

@Randell, just to confirm, you don't have IPv6 connectivity, right? That's my take from the profile.

Flags: needinfo?(kershaw)

Related to bug 1993300, though not the same issue.

See Also: → 1993300

(In reply to Valentin Gosu [:valentin] (he/him) from comment #1)

I think this is another instance of Firefox trying to use IPv6, failing, and blocklisting the host from h3?
Http3Session::Init origin=h3.speed.cloudflare.com, alpn=h3, selfAddr=::, peerAddr=2606:4700::6812:826, qpack table size=65536, max blocked streams=20 webtransport=0 [this=7f550dd2d900]
https://share.firefox.dev/3J0q4KR
I expect the blocklist is something we'll address in happy eyeballs?

yes, this will definitely fixed with HE3 project.

@Randell, just to confirm, you don't have IPv6 connectivity, right? That's my take from the profile.

FWIW, the profile also shows another TCP socket failed to send with an IPV6 address.

2025-10-08 20:13:12.325691162 UTC - [Parent Process 179616: Socket Thread]: D/nsSocketTransport trying address: 2606:4700::6812:826
2025-10-08 20:13:12.325736572 UTC - [Parent Process 179616: Socket Thread]: D/nsSocketTransport ErrorAccordingToNSPR [in=-5980 out=804b000d]
2025-10-08 20:13:12.325740966 UTC - [Parent Process 179616: Socket Thread]: D/nsSocketTransport after event [this=7f550e7ed600 cond=804b000d]
Flags: needinfo?(kershaw)
Severity: -- → S3
Priority: -- → P2
Whiteboard: [necko-triaged]

Correct, while I get an IPV6 address from the router, I don't have IPV6 connectivity (tested with https://test-ipv6.com/)

@Randell this should now be fixed on Firefox Nightly with network.http.happy_eyeballs_enabled set to true. Would you mind trying to reproduce the bug once to confirm?

Flags: needinfo?(rjesup)

Closing here. Please comment in case it still persists on your end.

Status: NEW → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.