mozilla / doh-rollout

DEPRECATED - Add on for initial DoH rollout
Mozilla Public License 2.0

Support Canary for ZScaler #120

Closed agrover closed 4 years ago

agrover commented 5 years ago

Manish Jasyal from ZScaler has requested that we support their canary domain, since they won't be able to support use-application-dns.net for a month or two.

The way to detect our service is based on DNS response to 'www.justmalicious.com'.
This is a Canary domain to detect our service.

When this is resolved through any DNS on the Internet, it will resolve to:
52.34.198.92

When it is going through our service, it will be redirected to one of these two IP addresses:
52.10.123.63 and 52.41.181.205

So, the detection logic in pseudocode would be:

Action: RESOLVE ("www.justmalicious.com")

IF 
    resolved_IP = ( '52.10.123.63' OR '52.41.181.205' )
    then 
        Action: Don't use DOH (Shift service is inline)

ELSE
    Action: Use DOH (Shift service is not inline)
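
The detection logic requested above, as an added JavaScript example that is not part of the original issue or the add-on's own code. The host name and IP addresses come from the request; the function names, the injected `resolve` callback, and the `reason` values for failed or unexpected answers are assumptions.

```javascript
// Added example: values come from the issue text; function names are hypothetical.
const CANARY_HOST = "www.justmalicious.com";
const INLINE_IPS = new Set(["52.10.123.63", "52.41.181.205"]); // service is inline
const PUBLIC_IP = "52.34.198.92"; // answer from ordinary Internet DNS

// Normalise an address so "::ffff:52.10.123.63" and padded input compare equal.
function normalizeIp(addr) {
  return String(addr).trim().toLowerCase().replace(/^::ffff:/, "");
}

// Pure decision step: map the resolved addresses to a DoH decision.
function classifyCanaryAnswer(addresses) {
  const ips = (addresses || []).map(normalizeIp);
  // Any inline address in the answer set means the filtering service is in the path.
  if (ips.some((ip) => INLINE_IPS.has(ip))) {
    return { useDoH: false, reason: "inline" };
  }
  if (ips.includes(PUBLIC_IP)) {
    return { useDoH: true, reason: "public-answer" };
  }
  // ELSE branch of the pseudocode: any other answer still means "not inline".
  // Assumption: empty or unexpected answers are labelled so they can be logged.
  return { useDoH: true, reason: ips.length ? "unexpected-answer" : "no-answer" };
}

// Async wrapper. `resolve` is injected (host -> Promise<string[]>), for example a
// thin adapter over the platform resolver, so the logic can be exercised offline.
async function checkCanary(resolve) {
  try {
    return classifyCanaryAnswer(await resolve(CANARY_HOST));
  } catch (err) {
    // Assumption: a failed lookup falls into the ELSE branch, but is reported.
    return { useDoH: true, reason: "lookup-failed" };
  }
}

// Constructed resolver responses for a local run (not captured traffic).
const samples = {
  inline: async () => ["52.41.181.205"],
  direct: async () => ["52.34.198.92"],
  broken: async () => { throw new Error("NXDOMAIN"); },
};
for (const [name, resolver] of Object.entries(samples)) {
  checkCanary(resolver).then((r) => console.log(name, r));
}
```

The `reason` field separates a confirmed public answer from a failed or unexpected one, which the pseudocode folds into a single ELSE branch.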

agrover commented 5 years ago

@maxxcrawford is this something we could squeeze in?

maxxcrawford commented 5 years ago

@agrover Yes! @nhi-nguyen just added a PR #124 to resolve this. Reviewing now!

nhi-nguyen commented 5 years ago

@SoftVision-CarmenFat @Softvision-PatriciuPop Please test the Zscaler canary domain in the new release.

This is similar to testing the Comcast domains:

maxxcrawford commented 5 years ago

@SoftVision-CarmenFat @Softvision-PatriciuPop @nhi-nguyen Note that this is not in a signed release yet. We'll have a new release for your team to test on Thursday, Oct 3.

nhi-nguyen commented 5 years ago

@agrover Could you please reach out to Zscaler to inform them that we have implemented it, so they can do their own testing?

SoftVision-CarmenFat commented 5 years ago

maxxcrawford commented 4 years ago

Opening this back up, as the code was removed for initial v1 release.

maxxcrawford commented 4 years ago

Reopening again for @SoftVision-CarmenFat and team to report back on it. Thanks!