Security/DNS Over HTTPS/Heuristics

From MozillaWiki

Firefox runs several heuristics on each network to determine whether it's OK to enable DoH on that network. Generally, the heuristics attempt to disable DoH in order to support parental controls and enterprise configurations.

High-level overview: https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

Implementation: https://searchfox.org/mozilla-central/source/browser/components/doh/DoHHeuristics.sys.mjs
DoHController.jsm is responsible for running them at startup and upon network changes, and taking action to disable or enable DoH based on the outcome.

Global Canary

See https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet

Parental Controls Service

nsIParentalControlsService provides an interface to check whether parental controls are enabled on the user account on the OS. If so, we disable DoH.

See also:

  1. Parental Controls Service component
  2. https://developer.apple.com/documentation/devicemanagement/parentalcontrolscontentfilter
  3. https://docs.microsoft.com/en-us/windows/win32/parcon/using-parental-controls-settings-apis

Forced SafeSearch (DNS-based Parental Controls)

As a way to detect DNS-based content filtering, we perform DNS lookups of filtered and unfiltered domains of popular content platforms. If any of the IPs returned for the filtered domains of a given platform are identical to any of the IPs returned for the unfiltered domains, we disable DoH. Currently, Google and YouTube are supported.
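The comparison described above, as an added example that is not Firefox's own code: a pure function over DNS answers that flags a platform when any address of its filtered domain also appears in the answers for its unfiltered domain. The filtered domain names (`forcesafesearch.google.com`, `restrict.youtube.com`, `restrictmoderate.youtube.com`) and the IP addresses are assumptions constructed for the example, not taken from the wiki page.

```javascript
// Added example, not Firefox code. Filtered domain names below are assumptions.
const SAFESEARCH_PLATFORMS = {
  google: { unfiltered: ["www.google.com"], filtered: ["forcesafesearch.google.com"] },
  youtube: { unfiltered: ["www.youtube.com"],
             filtered: ["restrict.youtube.com", "restrictmoderate.youtube.com"] },
};

// resolve(name) -> array of IP strings (empty on NXDOMAIN or error). The lookups
// must go through the system resolver, not DoH, or the check would only measure
// the DoH provider's answers. Returns the platforms whose filtered-domain answers
// overlap their unfiltered-domain answers, i.e. where a DNS-based filter has
// rewritten the platform's own address.
function detectForcedSafeSearch(resolve) {
  const hits = [];
  for (const [platform, { unfiltered, filtered }] of Object.entries(SAFESEARCH_PLATFORMS)) {
    const unfilteredIps = new Set(unfiltered.flatMap(n => resolve(n)));
    const overlap = filtered.flatMap(n => resolve(n)).some(ip => unfilteredIps.has(ip));
    if (overlap) hits.push(platform);
  }
  return hits;
}

// DoH is disabled on the network when at least one platform is being filtered.
function shouldDisableDoH(resolve) {
  return detectForcedSafeSearch(resolve).length > 0;
}

// Constructed sample answers (documentation-range addresses, not real ones).
// On the filtering network both platforms' main hostnames have been pointed at
// their SafeSearch addresses; on the plain network the answers differ.
const FILTERING_NETWORK = {
  "www.google.com": ["203.0.113.10"],
  "forcesafesearch.google.com": ["203.0.113.10"],
  "www.youtube.com": ["203.0.113.30"],
  "restrict.youtube.com": ["203.0.113.30"],
  "restrictmoderate.youtube.com": ["203.0.113.31"],
};
const PLAIN_NETWORK = {
  ...FILTERING_NETWORK,
  "www.google.com": ["203.0.113.1"],
  "www.youtube.com": ["203.0.113.2"],
};
const tableResolver = table => name => table[name] ?? [];

console.log(detectForcedSafeSearch(tableResolver(FILTERING_NETWORK))); // ["google","youtube"]
console.log(shouldDisableDoH(tableResolver(PLAIN_NETWORK)));          // false
```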

Third-party Root Certificates

We look at all certs in the cert database and check if any of them are not "built-in". If such certs are present, we disable DoH.

See also:

  1. https://searchfox.org/mozilla-central/rev/1b95a0179507a4dc7d4b0c94c2df420dc1a72885/security/manager/ssl/nsIX509CertDB.idl#329
  2. https://searchfox.org/mozilla-central/rev/1b95a0179507a4dc7d4b0c94c2df420dc1a72885/security/manager/ssl/nsIX509Cert.idl#47

Enterprise Policies

If enterprise policies are active, we disable DoH unless it is explicitly enabled by the DNSOverHTTPS policy.

See also:

  1. https://support.mozilla.org/en-US/products/firefox-enterprise/policies-customization-enterprise/policies-overview-enterprise

Enterprise Roots

If enterprise root support has been enabled by setting the pref `security.enterprise_roots.enabled` to true, we disable DoH.

See also:

  1. https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

ZScaler Canary Domain

ZScaler has not yet adopted the global canary, so it is supported by a separate canary lookup heuristic that operates on `sitereview.zscaler.com`.

VPN or Proxy

If a VPN, proxy or NRPT (Name Resolution Policy Table) rule is detected on Windows, then Firefox will not automatically use DNS over HTTPS.