I just read a news article about the availability of DNS over HTTPS in Firefox and as a result decided to try it. I'm using FF on Leap 15.0

There is a network.trr.mode config setting that was 0. If I set that to 3 (DoH is enabled, and regular DNS is disabled AFAIK) and network.trr.uri to https://mozilla.cloudflare-dns.com/dns-query then I can't reach https://duckduckgo.com/ for example. If I set network.trr.mode to 2 (2 - DoH is enabled, and regular DNS works as a backup) then I can reach it.

I infer that DoH is not working for some reason and it is falling back on normal DNS, but I'm at a loss how to investigate.

How can I tell whether FF uses DoH or not on a particular request? How can I see why it is failing?

I found FF's HTTP logging and I can see, for example:

2019-07-10 20:42:35.371246 UTC - [14510:Socket Thread]: D/nsHostResolver Resolving host [duckduckgo.com].
2019-07-10 20:42:35.371251 UTC - [14510:Socket Thread]: D/nsHostResolver No usable address in cache for host [duckduckgo.com].
2019-07-10 20:42:35.371254 UTC - [14510:Socket Thread]: D/nsHostResolver TRRService::Enabled mConfirmationState=0
2019-07-10 20:42:35.371256 UTC - [14510:Socket Thread]: D/nsHostResolver TrrLookup:: duckduckgo.com service not enabled

but I don't know what that means.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Dave Howorth wrote:
> I just read a news article about the availability of DNS over HTTPS in Firefox and as a result decided to try it. I'm using FF on Leap 15.0
>
> There is a network.trr.mode config setting that was 0. If I set that to 3 (DoH is enabled, and regular DNS is disabled AFAIK) and network.trr.uri to https://mozilla.cloudflare-dns.com/dns-query then I can't reach https://duckduckgo.com/ for example. If I set network.trr.mode to 2 (2 - DoH is enabled, and regular DNS works as a backup) then I can reach it.
>
> I infer that DoH is not working for some reason and it is falling back on normal DNS, but I'm at a loss how to investigate.
>
> How can I tell whether FF uses DoH or not on a particular request?

With tcpdump, you could at least see what is going in and out, if anything.

> 2019-07-10 20:42:35.371256 UTC - [14510:Socket Thread]: D/nsHostResolver TrrLookup:: duckduckgo.com service not enabled

I see something like that mentioned in a mozilla bug, but over a year ago - https://bugzilla.mozilla.org/show_bug.cgi?id=1441391
Maybe you need a newer FF?

--
Per Jessen, Zürich (17.2°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
James Knott wrote:
> On 2019-07-11 02:23 AM, Per Jessen wrote:
>> With tcpdump, you could at least see what is going in and out, if anything.
>
> I prefer Wireshark.

Personally, I rarely have the need for using the GUI. Unless I am debugging some particularly difficult issue and need to study the packet contents in detail, tcpdump is easier - and most often I only have command line access anyway.

--
Per Jessen, Zürich (20.2°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On Thu, Jul 11, 2019 at 2:05 PM Per Jessen <per@computer.org> wrote:
> James Knott wrote:
>> On 2019-07-11 02:23 AM, Per Jessen wrote:
>>> With tcpdump, you could at least see what is going in and out, if anything.
>>
>> I prefer Wireshark.
>
> Personally, I rarely have the need for using the GUI.

there is also tshark if you want command line.
Andrei Borzenkov wrote:
> On Thu, Jul 11, 2019 at 2:05 PM Per Jessen <per@computer.org> wrote:
>> James Knott wrote:
>>> On 2019-07-11 02:23 AM, Per Jessen wrote:
>>>> With tcpdump, you could at least see what is going in and out, if anything.
>>>
>>> I prefer Wireshark.
>>
>> Personally, I rarely have the need for using the GUI.
>
> there is also tshark if you want command line.

Oh, I'll have to have a look, I don't know that one.

--
Per Jessen, Zürich (20.1°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On Thu, 11 Jul 2019 13:21:09 +0200 Per Jessen <per@computer.org> wrote:
> Andrei Borzenkov wrote:
>> On Thu, Jul 11, 2019 at 2:05 PM Per Jessen <per@computer.org> wrote:
>>> James Knott wrote:
>>>> On 2019-07-11 02:23 AM, Per Jessen wrote:
>>>>> With tcpdump, you could at least see what is going in and out, if anything.
>>>>
>>>> I prefer Wireshark.
>>>
>>> Personally, I rarely have the need for using the GUI.
>>
>> there is also tshark if you want command line.
>
> Oh, I'll have to have a look, I don't know that one.

FWIW, this turned out to be a bootstrap issue. Unless you also give it a bootstrap DNS server as an IP address, it can't find the DoH server whose name you gave it. (Unless it's already in cache, leading to strange hit-or-fail behaviour).
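
One way to answer "is FF using DoH for this name?" from the HTTP log shown in the first message, as an added example (not code from any poster or from Firefox): it scans nsHostResolver lines for the "service not enabled" message and pairs each with the last mConfirmationState logged on the same thread. The state names are an assumption taken from Firefox's TRRService source of that period; the sample input is the four log lines quoted in the thread.

```python
import re

# Constructed sample: the four nsHostResolver lines quoted in the first post.
SAMPLE_LOG = """\
2019-07-10 20:42:35.371246 UTC - [14510:Socket Thread]: D/nsHostResolver Resolving host [duckduckgo.com].
2019-07-10 20:42:35.371251 UTC - [14510:Socket Thread]: D/nsHostResolver No usable address in cache for host [duckduckgo.com].
2019-07-10 20:42:35.371254 UTC - [14510:Socket Thread]: D/nsHostResolver TRRService::Enabled mConfirmationState=0
2019-07-10 20:42:35.371256 UTC - [14510:Socket Thread]: D/nsHostResolver TrrLookup:: duckduckgo.com service not enabled
"""

# Assumption: state names as in Firefox's TRRService source of that period.
CONFIRMATION_STATES = {0: "CONFIRM_INIT", 1: "CONFIRM_TRYING",
                       2: "CONFIRM_OK", 3: "CONFIRM_FAILED"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) UTC - \[(?P<thread>[^\]]+)\]: D/nsHostResolver (?P<msg>.*)$")
STATE_RE = re.compile(r"TRRService::Enabled mConfirmationState=(\d+)")
SKIPPED_RE = re.compile(r"TrrLookup:: (\S+) service not enabled")


def trr_skips(log_text):
    """Return one record per lookup for which the resolver did not use TRR (DoH)."""
    last_state = {}  # thread id -> most recent mConfirmationState logged on it
    skips = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if line is None:
            continue  # not an nsHostResolver debug line
        thread, msg = line.group("thread"), line.group("msg")
        state = STATE_RE.search(msg)
        skipped = SKIPPED_RE.search(msg)
        if state:
            last_state[thread] = int(state.group(1))
        elif skipped:
            code = last_state.get(thread)  # None if no state line preceded it
            skips.append({
                "time": line.group("ts"),
                "host": skipped.group(1),
                "state": code,
                "state_name": CONFIRMATION_STATES.get(code, "unknown"),
            })
    return skips


if __name__ == "__main__":
    for s in trr_skips(SAMPLE_LOG):
        print(f"{s['time']} {s['host']}: TRR not used, "
              f"mConfirmationState={s['state']} ({s['state_name']})")
```
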
participants (4)
- Andrei Borzenkov
- Dave Howorth
- James Knott
- Per Jessen