Trusted Recursive Resolver: Difference between revisions

m (Change the presentation format of the prefs)
m (Fixes in the spirit of https://bugzilla.mozilla.org/show_bug.cgi?id=1571734)
 
(4 intermediate revisions by 2 users not shown)
Line 5: Line 5:


For more information, we've created [https://support.mozilla.org/en-US/kb/firefox-dns-over-https documentation about DoH and our plans for deployment]. We also have an [https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs FAQ], and instructions for [https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https network operators who wish to disable DoH on their networks].  
For more information, we've created [https://support.mozilla.org/en-US/kb/firefox-dns-over-https documentation about DoH and our plans for deployment]. We also have an [https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs FAQ], and instructions for [https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https network operators who wish to disable DoH on their networks].  
== DNS-over-HTTPS Rollout ==
Main article: [[Security/DNS Over HTTPS]]


== DNS-over-HTTPS Prefs in Firefox ==
== DNS-over-HTTPS Prefs in Firefox ==
Line 66: Line 70:
; network.trr.blacklist-duration :
; network.trr.blacklist-duration :


(default: 60) is the number of seconds a name will be kept in the TRR blacklist until it expires and then will be tried with TRR again. The default duration is one minute.
(default: 60) is the number of seconds a name will be kept in the TRR blocklist until it expires and then will be tried with TRR again. The default duration is one minute.


Entries are added to the TRR blacklist when the resolution fails with TRR but works with the native resolver, or if the subsequent connection with a TRR resolved host name fails but works with a retry that is resolved natively. When a hostname is added to the TRR, its domain gets checked in the background to see if the whole domain should be blacklisted to ensure a smoother ride going forward.
Entries are added to the TRR blocklist when the resolution fails with TRR but works with the native resolver, or if the subsequent connection with a TRR resolved host name fails but works with a retry that is resolved natively. When a hostname is added to the TRR, its domain gets checked in the background to see if the whole domain should be blocklisted to ensure a smoother ride going forward.


; network.trr.request_timeout_ms :
; network.trr.request_timeout_ms :
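
Review bot: in the second paragraph of the network.trr.blacklist-duration entry, "When a hostname is added to the TRR, its domain gets checked" is missing its noun on both sides of the change; since the line is being edited anyway, make it "added to the TRR blocklist". The prose now says "blocklist" while the pref is still named network.trr.blacklist-duration, so add one clause saying the pref name is unchanged, for readers who search for the pref using the term in the text.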
Line 110: Line 114:
; network.trr.enable_when_vpn_detected :
; network.trr.enable_when_vpn_detected :


(default: false) When false if a Windows VPN is detected on the system then TRR will be disabled. If true, VPN status will be ignored when deciding if to enable TRR.
(default: false) When false if a '''Windows VPN''' is detected on the system then TRR will be disabled. If true, VPN status will be ignored when deciding if to enable TRR.


; network.trr.enable_when_proxy_detected :
; network.trr.enable_when_proxy_detected :


(default: false) When false if a Windows Proxy is detected on the system then TRR will be disabled. If true, proxy status will be ignored when deciding if to enable TRR.
(default: false) When false if a '''Windows System Proxy''' is detected on the system then TRR will be disabled. If true, proxy status will be ignored when deciding if to enable TRR. The proxy is detected by checking the related Windows Registry keys.


; network.trr.enable_when_nrpt_detected :
; network.trr.enable_when_nrpt_detected :


(default: false) When false on Windows if NRPT is detected on the system then TRR will be disabled. If true, NRPT status will be ignored when deciding if to enable TRR.
(default: false) When false on Windows if '''NRPT is detected''' on the system then TRR will be disabled. If true, NRPT status will be ignored when deciding if to enable TRR. NRPT is detected by checking the related Windows Registry keys.


; network.trr.send_user-agent_headers :
; network.trr.send_user-agent_headers :
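
Review bot: the proxy and NRPT entries now say detection works "by checking the related Windows Registry keys" without naming the keys, and the VPN entry gets no detection description at all. Name the keys (or link to where they are listed) and add the equivalent sentence for VPN detection, since an administrator reading this needs to know which local setting turns TRR off. Smaller points: the bold in '''NRPT is detected''' covers the verb while the other two entries bold only the noun phrase, NRPT is never expanded, and "When false if a" and "deciding if to enable" would read better as "When false, if a" and "deciding whether to enable".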
Line 132: Line 136:
(default: true) When true, the DNS+TRR cache will be cleared when a relevant TRR pref changes. (uri, bootstrapAddress, excluded-domains)
(default: true) When true, the DNS+TRR cache will be cleared when a relevant TRR pref changes. (uri, bootstrapAddress, excluded-domains)


== Dynamic Blacklist ==
== Dynamic Blocklist ==


To keep the failure rate at a minimum, the TRR system manages a dynamic
To keep the failure rate at a minimum, the TRR system manages a dynamic
persistent blacklist for host names that can't be resolved with DOH but works
persistent blocklist for host names that can't be resolved with DOH but works
with the native resolver. Blacklisted entries will not be retried over DOH for
with the native resolver. Blocklisted entries will not be retried over DOH for one minute.
a couple of days. "localhost" and names in the ".local" TLD will never be
"localhost" and names in the ".local" TLD will never be
resolved via DOH.
resolved via DOH.
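
Review bot: replacing "a couple of days" with "one minute" in the Dynamic Blocklist paragraph hard-codes the default of network.trr.blacklist-duration (60 seconds); state the retry window in terms of that pref so the paragraph stays correct when the pref is changed. The list is still described as "persistent", which is worth confirming against a one-minute expiry. The edited line is now much longer than the hard-wrapped lines around it, and "DOH" here differs from the "DoH" spelling used in the introduction.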

