Skip to content

fix(connlib): answer use-application-dns.net with NXDOMAIN #6831

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
thomaseizinger merged 4 commits into from
Sep 26, 2024
Merged

fix(connlib): answer use-application-dns.net with NXDOMAIN #6831

thomaseizinger merged 4 commits into from
Sep 26, 2024

Conversation

@thomaseizinger
Copy link
Member

@thomaseizinger thomaseizinger commented Sep 26, 2024

Firefox uses this so-called canary domain use-application-dns.net to detect, whether it should use DoH for its DNS queries. If answered with a server error or without records, Firefox disables DoH as long as it only its "Default protection" is enabled. If a user forces DoH, this hint from the network is ignored.

See https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet for details.

I tested this on MacOS and Firefox does indeed instantly disable DoH. A default installation of Chrome doesn't use DoH for me.

Related: #6375.

@vercel
Copy link

vercel bot commented Sep 26, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
firezone ✅ Ready (Inspect) Visit Preview 💬 Add feedback Sep 26, 2024 9:56pm

@thomaseizinger thomaseizinger mentioned this pull request Sep 26, 2024
Closed
@jamilbk
Copy link
Member

jamilbk commented Sep 26, 2024

Good find! I stumbled on that this morning and forgot to update the issue. Relevant reading: https://www.chromium.org/developers/dns-over-https/#faq

jamilbk
jamilbk approved these changes Sep 26, 2024
View reviewed changes
@thomaseizinger @jamilbk
Update rust/connlib/tunnel/src/dns.rs
fac6220 
Co-authored-by: Jamil <jamilbk@users.noreply.github.com>
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
conectado
conectado approved these changes Sep 26, 2024
View reviewed changes
Copy link
Contributor

@conectado conectado left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice!

thomaseizinger
thomaseizinger commented Sep 26, 2024
View reviewed changes
@thomaseizinger
Update rust/connlib/tunnel/src/dns.rs
0f39ca8 
Signed-off-by: Thomas Eizinger <thomas@eizinger.io>
@thomaseizinger thomaseizinger added this pull request to the merge queue Sep 26, 2024
Merged via the queue into main with commit 81564e2 Sep 26, 2024
@thomaseizinger thomaseizinger deleted the fix/disable-doh-firefox branch September 26, 2024 22:21
@thomaseizinger
Copy link
Member Author

thomaseizinger commented Sep 26, 2024

This should probably have a changelog entry.

github-merge-queue bot pushed a commit that referenced this pull request Sep 27, 2024
@thomaseizinger
docs: add changelog entry for #6831 (#6843)
20cea88
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jamilbk jamilbk jamilbk approved these changes

+1 more reviewer

@conectado conectado conectado approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@thomaseizinger @jamilbk @conectado