HEADS UP: Be aware of Trusted Recursive Resolver (TRR) in Firefox

yon 0 · Aug 11, 2018, 7:42 PM

@johnpoz
I mean, I can only use my own DNS or VPN.If a website is blocked, TRR may not solve this problem.

johnpoz · Aug 11, 2018, 7:47 PM

TRR is more problems than anything ti could possible solve.. Especially if they turn it on without explicit users acknowledgment.. Problem is even the user agrees to some pop up, vast majority of them not even going to understand what they are agree too.. Typical users - and then wondering why their local resolving of xyz.com broke.

This should require users actually having to do something to enable it, like edit about:config entry and on purpose turn it on.

And you sure and hell could use cloudflare through your vpn... So you still could use trr if you wanted to, even if your isp blocks where its going. I still don't why anyone would want to use this.. Sorry I don't want to send all my dns queries to 1 provider.. I don't want to use you for dns - I will do it myself thank you very much.

johnpoz · Aug 18, 2018, 2:37 PM

Got question about ios version of firefox.. How can you ensure this is never used? about:config is not available in ios version of firefox.

jimp · Aug 18, 2018, 2:45 PM

That's a tough one to answer.

I did see a post on Reddit earlier this week from someone who claimed association with Mozilla that said they no longer plan on ever making this the default, only available as a GUI option. I'm not holding my breath waiting on that to be verified, but it is at least a bit of hope that we won't have to jump through hoops.

johnpoz · Aug 18, 2018, 2:47 PM

Thanks for the info - lets hope they don't try and enable this on the sly in the background ;) Doing such a thing for sure would force me to rethink my browser choice..

bcruze · Nov 29, 2018, 1:06 PM

this is why i use firefox ESR.

the version that would get this automagically would be the standard version of FF

johnpoz · Sep 8, 2019, 4:12 PM

So it looks like mozilla is on course for enabling this by default... UGGHHH!
https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/

And upon checking seems somehow somewhere in some past update my setting of network.trr.mode to 5 got reset to 0..

I am really curious once they start turning this on, if turning it off in the options will be enough.. I do not want this, stay away from my dns.. They should use what the OS uses, if you want to offer doh or dot - great, it should be OPT IN ONLY!!! Turning this on be default is BS plain and simple..

Seems they are using the canary domain use-application-dns.net so if your dns resolves NX their doh should not be used.

you can set that in unbound like this
local-zone: "use-application-dns.net" static

Which I have already done on my network.

I believe you can also set
security.enterprise_roots.enabled

To true, to stop it...

I will be keeping an eye on this.. Stay away from my dns mozilla...

Looks like pihole already has commit to disable it via the canary.. I would hope pfblocker will be doing something similar
https://github.com/pi-hole/pi-hole/pull/2915

I think I will reach out to bbcan177 and ask..

chpalmer · Sep 8, 2019, 7:25 PM

@johnpoz said in HEADS UP: Be aware of Trusted Recursive Resolver (TRR) in Firefox:

And upon checking seems somehow somewhere in some past update my setting of network.trr.mode to 5 got reset to 0..

Just checked and so did mine. Back to Waterfox for me..

kiokoman · Sep 8, 2019, 5:35 PM

good, time to uninstall and change to another browser

Pippin · Sep 8, 2019, 5:44 PM

I'm on latest FF (Linux Mint 18.3), my setting 5 did not get changed.

tman222 · Sep 8, 2019, 6:55 PM

I have a few Linux systems that use the ESR version of Firefox (60.x). On those systems the default setting is 0 and setting it to 5 appears to break DNS altogether. So I'm guessing 5 is not a supported option on the ESR version. Checking out a more recent version of Firefox on a couple Mac's did allow me to set the option to 5 and everything still works.

Some more info about disabling DoH from Mozilla:

https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

Glad that Pi-hole is already had a PR on this.

@johnpoz - can you explain what "local-zone: "use-application-dns.net" static" does exactly and how in NXDOMAIN being returned? Thanks in advance.

johnpoz · Sep 8, 2019, 7:32 PM

So per their disable article you linked to, if that domain returns a NX vs actual IP then firefox is not suppose to use doh..

So if you set that in your options box.
server:
local-zone: "use-application-dns.net" static

When a query is done for that - it will return NX.

$ dig @192.168.9.253 use-application-dns.net

; <<>> DiG 9.14.4 <<>> @192.168.9.253 use-application-dns.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23041
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;use-application-dns.net.       IN      A

;; Query time: 0 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Sun Sep 08 14:22:35 Central Daylight Time 2019
;; MSG SIZE  rcvd: 52

Notice the
status: NXDOMAIN

I have sent a PM to bbcan177, but haven't heard anything back yet... But yeah would be nice if pfsense works out something - say if pfblocker is being used, unbound will auto return the NX for that, or something..

Or maybe pfsense could put in a check box to have that return NX..

I really don't now what Mozilla is thinking here.. That is great you want to offer this for your clients - but it really should be OPT IN ONLY!!! Run a PR campaign to get your users to set it.. but making it default is WRONG..

I have set the network.trr to 5 again, will keep an eye on that, and have set
security.enterprise_roots.enabled
To true as well.. so will be watching that as well, when the next update comes out.. Running 69.0 currently of firefox.

tman222 · Sep 8, 2019, 7:33 PM

@johnpoz said in HEADS UP: Be aware of Trusted Recursive Resolver (TRR) in Firefox:

local-zone: "use-application-dns.net" static

Thanks @johnpoz - I appreciate the follow up an explanation. I was actually more curious what that configuration line did exactly and why you chose it specifically to solve this issue?

Is the idea just to create a local DNS Zone with this domain, but since no actual (local) records exist for it, it will simple return NXDOMAIN?

Thanks again!

johnpoz · Sep 8, 2019, 7:36 PM

Exactly, when you set the local zone as static, and no local entries - NX gets returned. So when NX gets returned when the browser looks for that, it is suppose to not enable DOH because local filtering is in place and the user has opted to use that vs doh.

edit: I can foresee future posts about why pfblocker is not working because browser is using doh vs asking the local dns which is using pfblocker.

tman222 · Sep 8, 2019, 7:50 PM

Thanks @johnpoz - when entering into Unbound's option box, for multiple configuration options, is the correct syntax:

server:
config line 1
config line 2

OR

server:
config line 1

server:
config line 2

Apologies, I can never quite remember. Thanks again for your help.

kiokoman · Sep 8, 2019, 7:56 PM

bind9 + rpz
cloudflare-dns.com IN CNAME .

johnpoz · Sep 9, 2019, 2:37 AM

You only need 1 server: at the top

For example here are all my entries.
server:
private-domain: "plex.direct"
local-zone: "use-application-dns.net" static
so-reuseport: no
#log-queries: yes
#log-replies: yes
#private-address: ::/0 # filters out all AAAA !

I leave the log entries in there and the private address thing to stop AAAA because I enable them on the fly sometimes for testing.. I just leave them # out normally when I don't need them. I think I can remove that so-reuseport: no since I think that was changed in an update a while back.. Not sure on that one. But yeah you only need the one server: entry.

pfSenseTest · Sep 9, 2019, 11:53 AM

@johnpoz said in HEADS UP: Be aware of Trusted Recursive Resolver (TRR) in Firefox:

I think I can remove that so-reuseport: no since I think that was changed in an update a while back.. Not sure on that one.

I was wondering about this myself and haven't been able to confirm if it is still needed or not.

johnpoz · Sep 9, 2019, 1:08 PM

@johnpoz said in HEADS UP: Be aware of Trusted Recursive Resolver (TRR) in Firefox:

so-reuseport: no

I just commented it out and restarted unbound, and there are still multiple threads.. So its no longer needed..
https://forum.netgate.com/post/809158

JimP goes over in that post

JeGr · Sep 10, 2019, 10:26 AM

The whole use case Mozilla and the DoH folks that promote it that much are telling is falling apart IMHO. If a simple NXDOMAIN for the use-application-dns.net Zone is "blocking" the use of DoH in Firefox alltogether, how in the hell is the DoH implementation in Firefox well-thought in the first place? They are pointing fingers at MITM or Rogue ISPs etc. to protect your data and privacy against. OK, fair point, but how in the hell is that protecting if you

completely screw up a fine configured local DNS resolver setup with internal domains by using a DoH server from an external source (and handing your DNS data to them!?)
can override your privacy-DoH-firefox-thingy by said rogue ISP to simply hand out a nxdomain for the use-application-dns.net zone?
begin to segregate DNS into "per application use"? Firefox using DoH with Cloudflare, System using local resolver with internal domains, next Browser/Application uses whatever the f*** they want? How is that transparent and protecting anything about your privacy if you don't have a clue anymore what your system does? It's something like the whole Linux-systemd-everything. NTP? DNS resolving? Yay let's put it into systemd, too! What!?

Narf