Bug 1893944 - Don't resolve HTTPS RR for local domains, r=necko-reviewers,jesup

Differential Revision: https://phabricator.services.mozilla.com/D208984

netwerk/dns/TRRService.cpp

@@ -170,7 +170,7 @@ static void EventTelemetryPrefChanged(const char* aPref, void* aData) {
       StaticPrefs::network_trr_confirmation_telemetry_enabled());
 }
 
-nsresult TRRService::Init() {
+nsresult TRRService::Init(bool aNativeHTTPSQueryEnabled) {
   MOZ_ASSERT(NS_IsMainThread(), "wrong thread");
   if (mInitialized) {
     return NS_OK;
@@ -189,6 +189,7 @@ nsresult TRRService::Init() {
 
   sTRRServicePtr = this;
 
+  mNativeHTTPSQueryEnabled = aNativeHTTPSQueryEnabled;
   ReadPrefs(nullptr);
   mConfirmation.HandleEvent(ConfirmationEvent::Init);
 
@@ -1021,7 +1022,9 @@ bool TRRService::IsExcludedFromTRR_unlocked(const nsACString& aHost) {
       return true;
     }
     if (mDNSSuffixDomains.Contains(subdomain)) {
-      LOG(("Subdomain [%s] of host [%s] Is Excluded From TRR via pref\n",
+      LOG(
+          ("Subdomain [%s] of host [%s] Is Excluded From TRR via DNSSuffix "
+           "domains\n",
            subdomain.BeginReading(), aHost.BeginReading()));
       return true;
     }

netwerk/dns/TRRService.h

@@ -42,7 +42,7 @@ class TRRService : public TRRServiceBase,
 
   bool OnWritingThread() const override { return NS_IsMainThread(); }
 
-  nsresult Init();
+  nsresult Init(bool aNativeHTTPSQueryEnabled);
   nsresult Start();
   bool Enabled(nsIRequest::TRRMode aRequestMode = nsIRequest::TRR_DEFAULT_MODE);
   bool IsConfirmed() { return mConfirmation.State() == CONFIRM_OK; }

netwerk/dns/TRRServiceBase.cpp

@@ -163,8 +163,9 @@ void TRRServiceBase::OnTRRModeChange() {
   }
 
   static bool readHosts = false;
+  // When native HTTPS query is enabled, we need to read etc/hosts.
   if ((mMode == nsIDNSService::MODE_TRRFIRST ||
-       mMode == nsIDNSService::MODE_TRRONLY) &&
+       mMode == nsIDNSService::MODE_TRRONLY || mNativeHTTPSQueryEnabled) &&
       !readHosts) {
     readHosts = true;
     ReadEtcHostsFile();

netwerk/dns/TRRServiceBase.h

@@ -82,6 +82,7 @@ class TRRServiceBase : public nsIProxyConfigChangedCallback {
   Atomic<bool, Relaxed> mURISetByDetection{false};
   Atomic<bool, Relaxed> mTRRConnectionInfoInited{false};
   DataMutex<RefPtr<nsHttpConnectionInfo>> mDefaultTRRConnectionInfo;
+  bool mNativeHTTPSQueryEnabled{false};
 };
 
 }  // namespace net

netwerk/dns/nsDNSService2.cpp

@@ -874,7 +874,7 @@ nsDNSService::Init() {
       do_GetService("@mozilla.org/network/oblivious-http-service;1"));
 
   mTrrService = new TRRService();
-  if (NS_FAILED(mTrrService->Init())) {
+  if (NS_FAILED(mTrrService->Init(mResolver->IsNativeHTTPSEnabled()))) {
     mTrrService = nullptr;
   }
 

netwerk/dns/nsHostResolver.cpp

@@ -455,7 +455,8 @@ already_AddRefed<nsHostRecord> nsHostResolver::InitLoopbackRecord(
   return rec.forget();
 }
 
-static bool IsNativeHTTPSEnabled() {
+// static
+bool nsHostResolver::IsNativeHTTPSEnabled() {
   if (!StaticPrefs::network_dns_native_https_query()) {
     return false;
   }
@@ -527,6 +528,7 @@ nsresult nsHostResolver::ResolveHost(const nsACString& aHost,
     bool excludedFromTRR = false;
     if (TRRService::Get() && TRRService::Get()->IsExcludedFromTRR(host)) {
       flags |= nsIDNSService::RESOLVE_DISABLE_TRR;
+      flags |= nsIDNSService::RESOLVE_DISABLE_NATIVE_HTTPS_QUERY;
       excludedFromTRR = true;
 
       if (!aTrrServer.IsEmpty()) {
@@ -1182,8 +1184,14 @@ nsresult nsHostResolver::NameLookup(nsHostRecord* rec,
       (rec->mEffectiveTRRMode == nsIRequest::TRR_FIRST_MODE &&
        (rec->flags & nsIDNSService::RESOLVE_DISABLE_TRR || serviceNotReady ||
         NS_FAILED(rv)))) {
-    if (!IsNativeHTTPSEnabled() && !rec->IsAddrRecord()) {
-      return rv;
+    if (!rec->IsAddrRecord()) {
+      if (!IsNativeHTTPSEnabled()) {
+        return NS_ERROR_UNKNOWN_HOST;
+      }
+
+      if (rec->flags & nsIDNSService::RESOLVE_DISABLE_NATIVE_HTTPS_QUERY) {
+        return NS_ERROR_UNKNOWN_HOST;
+      }
     }
 
 #ifdef DEBUG

netwerk/dns/nsHostResolver.h

@@ -339,6 +339,8 @@ class nsHostResolver : public nsISupports, public AHostResolver {
    * Called by the networking dashboard via the DnsService2
    */
   void GetDNSCacheEntries(nsTArray<mozilla::net::DNSCacheEntries>*);
+
+  static bool IsNativeHTTPSEnabled();
 };
 
 #endif  // nsHostResolver_h__

netwerk/dns/nsIDNSService.idl

@@ -91,9 +91,11 @@ interface nsIDNSService : nsISupports
         // If set, the DNS service will pass a DNS record to
         // OnLookupComplete even when there was a resolution error.
         RESOLVE_WANT_RECORD_ON_ERROR = (1 << 16),
+        // If set, the native HTTPS query is not allowed.
+        RESOLVE_DISABLE_NATIVE_HTTPS_QUERY = (1 << 17),
 
         // Bitflag containing all possible flags.
-        ALL_DNSFLAGS_BITS = ((1 << 17) - 1),
+        ALL_DNSFLAGS_BITS = ((1 << 18) - 1),
     };
 
     cenum ConfirmationState : 8 {

netwerk/test/unit/test_dns_override.js

@@ -353,7 +353,10 @@ function hexToUint8Array(hex) {
 
 add_task(
   {
-    skip_if: () => mozinfo.os == "win" || mozinfo.os == "android",
+    skip_if: () =>
+      mozinfo.os == "win" ||
+      mozinfo.os == "android" ||
+      mozinfo.socketprocess_networking,
   },
   async function test_https_record_override() {
     let trrServer = new TRRServer();
@@ -414,6 +417,7 @@ add_task(
     Services.prefs.setBoolPref("network.dns.native_https_query", true);
     registerCleanupFunction(async () => {
       Services.prefs.clearUserPref("network.dns.native_https_query");
+      Services.prefs.clearUserPref("network.trr.excluded-domains");
     });
 
     let listener = new Listener();
@@ -511,5 +515,24 @@ add_task(
       "def...",
       "got correct answer"
     );
+
+    // Adding "service.com" into excluded-domains should fail
+    // native HTTPS query.
+    Services.prefs.setCharPref("network.trr.excluded-domains", "service.com");
+    listener = new Listener();
+    try {
+      Services.dns.asyncResolve(
+        "service.com",
+        Ci.nsIDNSService.RESOLVE_TYPE_HTTPSSVC,
+        0,
+        null,
+        listener,
+        mainThread,
+        defaultOriginAttributes
+      );
+      Assert.ok(false, "asyncResolve should fail");
+    } catch (e) {
+      Assert.equal(e.result, Cr.NS_ERROR_UNKNOWN_HOST);
+    }
   }
 );