mozilla / doh-rollout

DEPRECATED - Add on for initial DoH rollout
Mozilla Public License 2.0

DoH does not disable if just DNS servers are changed to a resolver that NXDOMAINs Canary #113

Closed kontrolldkaos closed 4 years ago

kontrolldkaos commented 5 years ago

I am able to get DoH disabled if I turn off and turn back on my network. A change of the DNS servers is not being treated as a network change event. This allows for traffic to go through DoH server and if it's a "parental control" DNS server, go to that server for a DNS response, but only for pages that are blocked. All other DNS traffic goes through DoH server, until network is restarted or Firefox is completely closed and opened back up.

Originally posted by @kontrolldkaos in https://github.com/mozilla/doh-rollout/issues/112#issuecomment-535095303

kontrolldkaos commented 5 years ago

I'd like to add that when going from an "enabled_doh" state using DNS servers that do not NXDOMAIN the canary domain and then connecting to a VPN that NXDOMAINs the canary domain, DoH is still enabled until a restart of Firefox. Though when I do disconnect from VPN, I do see the change back to an enable_doh state.

nhi-nguyen commented 5 years ago

@kontrolldkaos Changing DNS servers is not considered changing the network, so the detection will not rerun in that case.

However, in this comment in the (now closed) issue, you mentioned that changing the DNS servers between browser restarts didn't re-evaluate the canary domain. This sounds like a bug, that we're caching the DNS response. @maxxcrawford could you look into this?

nhi-nguyen commented 5 years ago

@kontrolldkaos could you help us debug the VPN problem by enabling networking and trying to reproduce? Please see this page on how to set up network logs. The log modules should be set to timestamp,nsHostResolver:5,nsIOService:5

kontrolldkaos commented 5 years ago

@kontrolldkaos Changing DNS servers is considered changing the network, so the detection will not rerun in that case.

However, in this comment in the (now closed) issue, you mentioned that changing the DNS servers between browser restarts didn't re-evaluate the canary domain. This sounds like a bug, that we're caching the DNS response. @maxxcrawford could you look into this?

That's what I am trying to mention here. When just changing the DNS servers in my network settings, I am not seeing the doh enable/disable happening, depending on the resolver being set.

kontrolldkaos commented 5 years ago

@kontrolldkaos could you help us debug the VPN problem by enabling networking and trying to reproduce? Please see this page on how to set up network logs. The log modules should be set to timestamp,nsHostResolver:5,nsIOService:5

Yes I can help. I will gather this information for you tomorrow, 9/26.

kontrolldkaos commented 5 years ago

@kontrolldkaos could you help us debug the VPN problem by enabling networking and trying to reproduce? Please see this page on how to set up network logs. The log modules should be set to timestamp,nsHostResolver:5,nsIOService:5

Yes I can help. I will gather this information for you tomorrow, 9/26.

Please see attached. I have turned on/off VPN various times in this test. Only once did I see doh disable when watching the about:config, network.trr.mode.

doh-rollout-vpn.log-main.75460.zip

kontrolldkaos commented 5 years ago

I'd like to add another use case to this.

kontrolldkaos commented 5 years ago

@kontrolldkaos Changing DNS servers is considered changing the network, so the detection will not rerun in that case. However, in this comment in the (now closed) issue, you mentioned that changing the DNS servers between browser restarts didn't re-evaluate the canary domain. This sounds like a bug, that we're caching the DNS response. @maxxcrawford could you look into this?

That's what I am trying to mention here. When just changing the DNS servers in my network settings, I am not seeing the doh enable/disable happening, depending on the resolver being set.

I did the same log settings for DNS changes only and am not seeing anything happening within the logs.

kontrolldkaos commented 5 years ago

I'd like to add another use case to this.

  • I have Xfinity and I am not using Parental Controls/Protected Browsing.
  • DoH is Enabled due to above
  • I decide to turn ON Protected browsing - Canary domain is set to NXDOMAIN
  • DoH is still enabled until a complete shut down of FF and restart. (On Macs, hitting the 'x' doesn't really close FF completely and seems to still hold previous DoH settings.)

Should I open a separate issue for this?

wthayer commented 5 years ago

@nhi-nguyen did you mean to say "Changing DNS servers is NOT considered changing the network, so the detection will not rerun in that case."?

kontrolldkaos commented 5 years ago

@nhi-nguyen did you mean to say "Changing DNS servers is NOT considered changing the network, so the detection will not rerun in that case."?

It should be considered a network change, especially if it's changed via a network management tool.

Is there any thought of running the canary/protected check every X seconds/minutes/hours tied with a network restart or browser restart?

nhi-nguyen commented 5 years ago

@wthayer yes, that's what I meant. I've fixed the typo.

@kontrolldkaos it's an edge case and the workaround is to restart the network after changing the DNS servers. We are not considering running detection periodically due to the performance implication.

kontrolldkaos commented 5 years ago

@nhi-nguyen I would hope that this edge case would be looked into and be corrected, because not every end user is going to always restart their network settings after a DNS change nor will they force quit FF and restart it. After a DNS change one would expect that DoH is enabled/disabled based off of what DNS server is being used (canary vs no canary) and that is not really the case in my testing.

ekr commented 5 years ago

It's not clear to me that this is a defect.

At the end of the day, this heuristic is intended to balance two objectives: avoiding breaking parental controls for those who already have them versus getting maximum DoH deployment in as secure a way as possible. However, people who are freshly configuring parental controls are in a different position in that they can restart their computers/browsers, etc. This would, of course, require new instructions from wherever they were told about parental controls, but it's not clear to me that that's not the right balance of priorities, especially given that even if we were to check periodically there would still be some latency.
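The behaviour reported in this thread, as a small model (an added example, not code from the doh-rollout add-on): detection runs at startup and on network-change events, so a DNS-server change alone leaves the previous DoH state in place. The `rerunOnResolverChange` option models the reporter's request to treat a DNS-server change as a network change; the class, function and state names and the 192.0.2.x addresses are assumptions, and the canary domain is Firefox's published one rather than a value quoted on this page.

```javascript
// Added illustration; all names here are hypothetical, not the add-on's API.
const CANARY = "use-application-dns.net"; // Firefox's published canary domain

// Constructed resolvers: each maps a hostname to a DNS response code.
const plainResolver = () => "NOERROR";
const filteringResolver = (host) => (host === CANARY ? "NXDOMAIN" : "NOERROR");

class DohController {
  constructor(system, { rerunOnResolverChange = false } = {}) {
    this.system = system; // { resolver, servers }: the current OS DNS configuration
    this.rerunOnResolverChange = rerunOnResolverChange;
    this.lastServers = null;
    this.state = null;
    this.runs = 0;
  }
  // The heuristic: a resolver that NXDOMAINs the canary asks for DoH to stay off.
  detect() {
    this.runs++;
    this.lastServers = this.system.servers.join(",");
    this.state =
      this.system.resolver(CANARY) === "NXDOMAIN" ? "disable_doh" : "enable_doh";
  }
  onStartup() { this.detect(); }
  onNetworkChange() { this.detect(); } // interface down/up or a new network
  // Called before a lookup; only the variant compares the configured server list.
  beforeLookup() {
    const current = this.system.servers.join(",");
    if (this.rerunOnResolverChange && current !== this.lastServers) this.detect();
    return this.state;
  }
}

// Replays the scenario from the thread and returns the state after each step.
function replay(options) {
  const system = { resolver: plainResolver, servers: ["192.0.2.1"] };
  const controller = new DohController(system, options);
  controller.onStartup();
  const atStart = controller.beforeLookup();
  // The OS is pointed at a filtering resolver; no network-change event fires.
  system.resolver = filteringResolver;
  system.servers = ["192.0.2.53"];
  const afterDnsChange = controller.beforeLookup();
  controller.onNetworkChange(); // the workaround: restart the network
  const afterRestart = controller.beforeLookup();
  return { atStart, afterDnsChange, afterRestart, runs: controller.runs };
}
```

With the default options `afterDnsChange` is still `enable_doh`, which is the window the reporter describes; with `rerunOnResolverChange: true` it flips to `disable_doh` at the cost of one extra detection run.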