Trusted Recursive Resolver: Difference between revisions

← Older edit

Trusted Recursive Resolver (view source)

Revision as of 21:02, 24 September 2020

707 bytes removed , 24 September 2020

m

Fixes in the spirit of https://bugzilla.mozilla.org/show_bug.cgi?id=1571734

AdamRoach

Confirmed users

632

edits

@@ Line 6: / Line 6: @@
 For more information, we've created [https://support.mozilla.org/en-US/kb/firefox-dns-over-https documentation about DoH and our plans for deployment]. We also have an [https://support.mozilla.org/en-US/kb/dns-over-https-doh-faqs FAQ], and instructions for [https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https network operators who wish to disable DoH on their networks].
-== DNS-over-HTTP Rollout ==
+== DNS-over-HTTPS Rollout ==
-Enabling DoH on users' computers is done using a separate module called 'doh-rollout'
+Main article: [[Security/DNS Over HTTPS]]
-This code is only enabled in specific regions of the world (currently only USA).
-Before DoH is enabled we perform certain heuristics to determine if this poses any risk to the user experience:
-* We check safe-search is enabled
-* We check the zscaler canary
-* We check the `use-application-dns.net` canary
-* We check if `security.enterprise_roots.enabled` pref is set
-* We check if any third party root certificates are installed
-* We check if any enterprise policies are set
-* We check if parental controls are enabled
-* We check if the user has made any changes to DoH/TRR settings
-If none of these heuristics is triggered then we proceed to enable the feature.
 == DNS-over-HTTPS Prefs in Firefox ==
@@ Line 82: / Line 70: @@
 ; network.trr.blacklist-duration :
-(default: 60) is the number of seconds a name will be kept in the TRR blacklist until it expires and then will be tried with TRR again. The default duration is one minute.
+(default: 60) is the number of seconds a name will be kept in the TRR blocklist until it expires and then will be tried with TRR again. The default duration is one minute.
-Entries are added to the TRR blacklist when the resolution fails with TRR but works with the native resolver, or if the subsequent connection with a TRR resolved host name fails but works with a retry that is resolved natively. When a hostname is added to the TRR, its domain gets checked in the background to see if the whole domain should be blacklisted to ensure a smoother ride going forward.
+Entries are added to the TRR blocklist when the resolution fails with TRR but works with the native resolver, or if the subsequent connection with a TRR resolved host name fails but works with a retry that is resolved natively. When a hostname is added to the TRR, its domain gets checked in the background to see if the whole domain should be blocklisted to ensure a smoother ride going forward.
 ; network.trr.request_timeout_ms :
@@ Line 148: / Line 136: @@
 (default: true) When true, the DNS+TRR cache will be cleared when a relevant TRR pref changes. (uri, bootstrapAddress, excluded-domains)
-== Dynamic Blacklist ==
+== Dynamic Blocklist ==
 To keep the failure rate at a minimum, the TRR system manages a dynamic
-persistent blacklist for host names that can't be resolved with DOH but works
+persistent blocklist for host names that can't be resolved with DOH but works
-with the native resolver. Blacklisted entries will not be retried over DOH for one minute.
+with the native resolver. Blocklisted entries will not be retried over DOH for one minute.
 "localhost" and names in the ".local" TLD will never be
 resolved via DOH.