expand DoH #1694

Closed
Thorin-Oakenpants opened this issue Jul 23, 2023 · 25 comments

Comments

@Thorin-Oakenpants
Contributor

Thorin-Oakenpants commented Jul 23, 2023

> I'm open to a little more DoH stuff being added now

FWIW https://codeberg.org/rusty-snake/firefox-config/src/commit/fa47a46877db42af83bd91d52aa57301a793af4c/assets/user-overrides.js#L51-L56

user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://dns.digitale-gesellschaft.ch/dns-query");
user_pref("network.trr.bootstrapAddr", "185.95.218.43"); // [HIDDEN PREF]
user_pref("network.dns.skipTRR-when-parental-control-enabled", false);
// TODO: user_pref("network.trr.confirmationNS", "skip");

Originally posted by @rusty-snake in #1688 (comment)

@Thorin-Oakenpants
Contributor Author

note: network.trr_ui.show_fallback_warning_option FF115+ exposes a warning checkbox UI in modes 0 + 2, which maps to network.trr.display_fallback_warning

We should add network.trr.display_fallback_warning as fallback for those not using mode 3. Also note https://bugzilla.mozilla.org/show_bug.cgi?id=1833828

see #1688 (comment) for more

@rusty-snake sorry for being lazy (and ignorant and I lack time) .. does that bug only relate to mode 0/2 ?

@rusty-snake
Contributor

Yes.
Mode 3 has an error/warning page with a button to add proper site exceptions that show up on about:preferences.
Mode 2 with the warning page has buttons to add exceptions; IDK where they are stored and whether they can be reset.

@Thorin-Oakenpants
Contributor Author

thanks, that makes it easier to explain

@opusforlife2

I also have network.trr.custom_uri, with the same value as uri, so that it shows up in the settings GUI menu. It's then trivial to switch if one provider faces temporary issues.

@MagicalDrizzle

Might it be a good idea to warn users on setting network.trr.bootstrapAddr and network.trr.uri to different providers? bug 1700378
I believe this was the reason Mozilla changed network.trr.bootstrapAddress to network.trr.bootstrapAddr, and removed the pref from all.js to discourage users from tinkering with it

@rusty-snake
Contributor

> I believe this was the reason Mozilla changed network.trr.bootstrapAddress to network.trr.bootstrapAddr, and removed the pref from all.js to discourage users from tinkering with it

Yes, they got multiple reports from users about broken DoH where the cause was that the user had set the bootstrap pref some time ago, then changed the provider in the UI and broke DoH.

On the other hand, you should not report anything to Mozilla if you use AF and can reproduce it only by setting >100 prefs.

@MagicalDrizzle

user_pref("network.trr.mode", 3);
user_pref("network.dns.skipTRR-when-parental-control-enabled", false);
user_pref("network.trr.uri", "https://firefox.dns.nextdns.io/");
user_pref("network.trr.custom_uri", "https://firefox.dns.nextdns.io/");
// bootstrap DNS *must* be from the same provider as your DoH service, else DoH WILL break.
// https://bugzilla.mozilla.org/show_bug.cgi?id=1700378#c11
// ignore this pref, or set this at your own risk.
// user_pref("network.trr.bootstrapAddr", "45.90.28.0"); // NextDNS's plain DNS resolver

I think something like this would be nice ^^

@Thorin-Oakenpants
Contributor Author

why do we need to add network.trr.bootstrapAddr at all?

@Thorin-Oakenpants
Contributor Author

and can someone explain

  • network.trr.uri only allows the two presets or can we set it to anything
  • network.trr.custom_uri why do we even need this - just so it shows in the drop down if custom?
/* 0712: set DoH provider
 * [SETTING] Privacy & Security>DNS over HTTPS>Increased/Max>Choose provider ***/
   // user_pref("network.trr.uri", "https://firefox.dns.nextdns.io/");

like does it need to be more like

/* 0712: set DoH provider
 * setting a custom uri .. blah blah
 * [SETTING] Privacy & Security>DNS over HTTPS>Increased/Max>Choose provider ***/
   // user_pref("network.trr.uri", "https://firefox.dns.nextdns.io/");
   // user_pref("network.trr.custom.uri", "adding this adds an entry to your drop down in settings");

do both need to be the same?

@rusty-snake
Contributor

  • network.trr.custom_uri is cosmetic, right. It is the URL shown below the drop-down on about:preferences#privacy if you select "custom" (translate it as you need).
  • network.trr.uri is the one technically used by firefox. about:preferences#privacy sets both uri prefs if you select "custom". If you select a default (e.g. NextDNS) only this pref is set and the custom_uri is not changed.

> do both need to be the same?

Yes. Otherwise you mess up the UI on about:preferences#privacy and who knows what users will report.

  • network.trr.bootstrapAddr -> 5500 OPTIONAL HARDENING
    • Normally Firefox uses the system DNS to initially resolve the address of your DoH server.
    • If it is set to a correct value, Firefox never uses/needs system DNS (ignoring local domains).
    • If it is set to an incorrect value (e.g. you changed your trr.uri in the UI), nothing works.
    • Why would you want this?
      • You have no (working) system DNS ... you have a working one.
      • You do not trust your system DNS ... you trust your system DNS.
      • Testing, Experimenting, Nerding.
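As an added example (not code from this thread or from the arkenfox project), a small Python linter for the two consistency rules just described: network.trr.uri and network.trr.custom_uri must match, and a network.trr.bootstrapAddr must belong to the provider named in network.trr.uri. The host-to-bootstrap-IP table is taken only from the two configs posted in this thread and is not an authoritative list; the sample user.js text is constructed.

```python
"""Lint the DoH (TRR) prefs in a Firefox user.js for the two mistakes discussed here:
uri != custom_uri, and a bootstrapAddr left over from another provider (bug 1700378)."""
import re
from urllib.parse import urlparse
# Provider host -> plain-DNS bootstrap IP, taken only from the configs posted in
# this thread (not an authoritative list); other hosts cannot be verified offline.
KNOWN_BOOTSTRAP = {
    "dns.digitale-gesellschaft.ch": {"185.95.218.43"},
    "firefox.dns.nextdns.io": {"45.90.28.0"},
}
# Active user_pref lines only; commented-out "// user_pref(...)" lines do not match.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);')

def parse_prefs(text):
    # Returns {name: value}; strings are unquoted, booleans and integers converted.
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('"'):
            prefs[name] = raw[1:raw.rindex('"')]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw)
    return prefs

def check_doh(prefs):
    # Returns a list of warnings, empty when the DoH prefs are consistent.
    warnings = []
    uri = prefs.get("network.trr.uri")
    custom = prefs.get("network.trr.custom_uri")
    boot = prefs.get("network.trr.bootstrapAddr")
    if custom is not None and custom != uri:
        warnings.append("network.trr.custom_uri differs from network.trr.uri")
    if boot is not None:  # hidden pref: only safe when it matches the uri's provider
        host = urlparse(uri or "").hostname
        known = KNOWN_BOOTSTRAP.get(host)
        if known is None:
            warnings.append(f"cannot verify bootstrapAddr {boot} for {host}")
        elif boot not in known:
            warnings.append(f"bootstrapAddr {boot} does not belong to {host}")
    return warnings

# Constructed sample: bootstrap IP from one provider, uri later switched to another.
SAMPLE = '''user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://firefox.dns.nextdns.io/");
user_pref("network.trr.custom_uri", "https://firefox.dns.nextdns.io/");
user_pref("network.trr.bootstrapAddr", "185.95.218.43"); // [HIDDEN PREF]'''
```

Running `check_doh(parse_prefs(SAMPLE))` flags the stale bootstrap address, which is exactly the "changed provider in the UI" breakage described above.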

@Thorin-Oakenpants
Contributor Author

ok, so custom presets the value in the text field if you select custom

@Thorin-Oakenpants
Contributor Author

ooh, you replied .. I was doing some testing - you need to reload settings for the custom change to get picked up, maybe even a new tab - seemed a bit iffy the first time

@rusty-snake
Contributor

So you don't have superpowers and can read and reply in 10 seconds 🦸 ?

@Thorin-Oakenpants
Contributor Author

yeah, I get there are default uri, custom uri and uri - and the uri is the one set and used via the preferences UI, so it's fine to have different ones - personally, even though I trust my ISP you know not being in a shitty country like the USA .. I just use mode 3 with cloudflare

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Sep 16, 2023

i was in a different browser, it was only when I posed (do I pose?) posted that I saw yours above mine .. besides, 10 seconds is overrated

Thorin-Oakenpants added a commit that referenced this issue Sep 16, 2023
@Thorin-Oakenpants
Contributor Author

how's it looking now? @rusty-snake

@rusty-snake
Contributor

Good.

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Sep 16, 2023

hows this

/* 5511: set DoH bootstrap address
 * Firefox uses the system DNS to initially resolve the IP address of your DoH server. When set to
 * a valid, working value that matches your "network.trr.uri" (0712) Firefox won't use the system
 * DNS (ignoring local domains). If the IP doesn't match then DoH won't work ***/
   // user_pref("network.trr.bootstrapAddr", "10.0.0.1"); // [HIDDEN PREF]

@rusty-snake
Contributor

  • local domains: need to check the behavior here. Above I only meant to ignore that behaviour in my post. Maybe FF still uses system DNS for them (if it can detect that it is local) or cannot resolve them (the error page allows you to set an exception IIRC).

@Thorin-Oakenpants
Contributor Author

so you're saying to remove the (ignoring local domains) bit .. or should this be changed to localhost? or do you want me to go get some sleep and you test things and we finish this tomorrow?

Thorin-Oakenpants added a commit that referenced this issue Sep 16, 2023
@rusty-snake
Contributor

I think it's fine to just remove it. If the user adds an exception or tries to access localhost, .local, etc/hosts-defined names, ... it is expected that FF bypasses DoH.

@Thorin-Oakenpants
Contributor Author

done .. v117 ready for review .. see you tomorrow

PS: thanks for your help .. have some 🍰

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Sep 18, 2023

jesus fuck ... https://bugzilla.mozilla.org/show_bug.cgi?id=1586941 .. typical .. i wait 42 years before adding DoH stuff, and this happens

@opusforlife2

Maybe this is a sign that 42 isn't the answer to life, the universe, and everything.

@Thorin-Oakenpants
Contributor Author

i guess it's mostly harmless
