Confirmed users
92
edits
Security/DNS Over HTTPS: Difference between revisions
Minor change clarifying that doh.test must include an A or AAAA record in the response.
(undo align cfr screenshot on the right) |
(Minor change clarifying that doh.test must include an A or AAAA record in the response.) |
||
| (19 intermediate revisions by 4 users not shown) | |||
| Line 1: | Line 1: | ||
This article | This article describes the various mechanics of Firefox's DNS over HTTPS (DoH) frontend. See [[Trusted Recursive Resolver]] for details on TRR implementation in necko. | ||
'''Implementation:''' https://searchfox.org/mozilla-central/source/browser/components/doh | '''Implementation:''' https://searchfox.org/mozilla-central/source/browser/components/doh | ||
== Flow Diagram == | |||
[[File:DoH Controller Flow Diagram.png|750px|frameless|DoH Frontend Flow Diagram]] | |||
== Rollout == | == Rollout == | ||
| Line 36: | Line 40: | ||
* A network-provided endpoint, if detected, will take precedence over the default provider when on that network. (See Provider Steering below) | * A network-provided endpoint, if detected, will take precedence over the default provider when on that network. (See Provider Steering below) | ||
* This feature is controlled by the prefs `doh-rollout.trr-selection.enabled`. | * This feature is controlled by the prefs `doh-rollout.trr-selection.enabled`. | ||
* | * Choice of provider is made by using each available provider to do lookup several popular domains as well as random subdomains of `firefox-dns-perf-test.net`. | ||
See also: | |||
# https://searchfox.org/mozilla-central/source/browser/components/doh/TRRPerformance.jsm | |||
==== Dry-Run Mechanism ==== | |||
* Default provider selection is done in two phases: a dry-run followed by committing the result. | |||
* By default, this feature is dry-run-only, and records the result in a pref `doh-rollout.trr-selection.dry-run-result`. | |||
* Committing the result is enabled by another pref `doh-rollout.trr-selection.commit-result`. If this is true, then after the dry-run step, the `dry-run-result` will be copied into `doh-rollout.uri`. | |||
[[File:DoH automatic provider selection flow.png|600px|frameless|DoH automatic provider selection flow]] | |||
== Provider Steering == | == Provider Steering == | ||
| Line 45: | Line 60: | ||
* A DoH endpoint discovered in this manner takes precedence over the automatically chosen default provider (see Default Provider Selection above). | * A DoH endpoint discovered in this manner takes precedence over the automatically chosen default provider (see Default Provider Selection above). | ||
* A provider (endpoint + expected CNAME for discovery) must be explicitly supported for this mechanism to work. | * A provider (endpoint + expected CNAME for discovery) must be explicitly supported for this mechanism to work. | ||
* Currently, Comcast | * The CNAME record must point to a domain that has an A or AAAA record, otherwise getaddrinfo will return NXDOMAIN. | ||
* Currently, Comcast (US) and Shaw (CA) are our only supported providers. | |||
* This feature is controlled by the pref `doh-rollout.provider-steering.enabled`. | * This feature is controlled by the pref `doh-rollout.provider-steering.enabled`. | ||
[[File:DoH provider steering flow.png|700px|frameless|DoH Provider Steering Flow]] | |||
See also: | |||
# https://datatracker.ietf.org/doc/draft-rescorla-doh-cdisco/ | |||
== Opt-out Infobar == | |||
* When the client is first enrolled in the rollout, we show | [[File:DoH_Infobar.png|frameless|DoH Infobar screenshot]] | ||
* This | * When the client is first enrolled in the rollout, we show an infobar popup to let the user know that DoH is available. | ||
* The | * This infobar offers an option to opt-out, which results in permanently disabling heuristics and other mechanisms. | ||
* The | * The infobar is shown only if the rollout is "successful" - i.e. the user did not already have custom DoH preferences or active enterprise policy. | ||
* The infobar is implemented as a CFR message, gated behind the relevant prefs. | |||
See also: | See also: | ||
# https://bugzilla.mozilla.org/show_bug.cgi?id=1643651 | # https://bugzilla.mozilla.org/show_bug.cgi?id=1643651 | ||
Want to see this in action for yourself? | |||
# On a new profile, navigate to about:config | |||
# Set `doh-rollout.enabled` to true | |||
# Close about:config | |||
# Load/reload any website | |||
You'll need to do this in an environment that doesn't trip our heurisitics, i.e. no Canary and no enterprise config. | |||
== Telemetry == | == Telemetry == | ||
| Line 75: | Line 102: | ||
* Two of the migrations work on the format of stored state (local storage and prefs) | * Two of the migrations work on the format of stored state (local storage and prefs) | ||
* During a dry-run-only test of Default Provider Selection, an underlying bug was triggered that caused clients to effectively DDoS NextDNS's endpoint. In the aftermath, a new endpoint was set up and we have a migration to convert occurrences of the old endpoint in stored URI values to the new one. | * During a dry-run-only test of Default Provider Selection, an underlying bug was triggered that caused clients to effectively DDoS NextDNS's endpoint. In the aftermath, a new endpoint was set up and we have a migration to convert occurrences of the old endpoint in stored URI values to the new one. | ||
== Prefs == | == Prefs == | ||
* TODO: | * doh-rollout.enabled - Turns on heuristics. Prerequisite for enabling sub-features. | ||
* doh-rollout.provider-steering.enabled - Turns on automatic provider steering. | |||
* doh-rollout.provider-steering.provider-list - Provider data for automatic steering (name, CNAME for discovery, and DoH endpoint) | |||
* doh-rollout.trr-selection.enabled - Turns on automatic performance-based default-TRR selection. Dry-run by default. | |||
* doh-rollout.trr-selection.commit-result - Commits and persists TRR selection dry-run result. | |||
TODO: other state prefs | |||