fune/netwerk/test/unit/trr_common.js

1233 lines
42 KiB
JavaScript

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
"use strict";
/* import-globals-from head_cache.js */
/* import-globals-from head_cookies.js */
/* import-globals-from head_trr.js */
/* import-globals-from head_http3.js */
const { TestUtils } = ChromeUtils.importESModule(
"resource://testing-common/TestUtils.sys.mjs"
);
const { HttpServer } = ChromeUtils.import("resource://testing-common/httpd.js");
const TRR_Domain = "foo.example.com";
const { MockRegistrar } = ChromeUtils.importESModule(
"resource://testing-common/MockRegistrar.sys.mjs"
);
const gOverride = Cc["@mozilla.org/network/native-dns-override;1"].getService(
Ci.nsINativeDNSResolverOverride
);
async function SetParentalControlEnabled(aEnabled) {
let parentalControlsService = {
parentalControlsEnabled: aEnabled,
QueryInterface: ChromeUtils.generateQI(["nsIParentalControlsService"]),
};
let cid = MockRegistrar.register(
"@mozilla.org/parental-controls-service;1",
parentalControlsService
);
Services.dns.reloadParentalControlEnabled();
MockRegistrar.unregister(cid);
}
let runningOHTTPTests = false;
let h2Port;
function setModeAndURIForODoH(mode, path) {
Services.prefs.setIntPref("network.trr.mode", mode);
if (path.substr(0, 4) == "doh?") {
path = path.replace("doh?", "odoh?");
}
Services.prefs.setCharPref("network.trr.odoh.target_path", `${path}`);
}
function setModeAndURIForOHTTP(mode, path, domain) {
Services.prefs.setIntPref("network.trr.mode", mode);
if (domain) {
Services.prefs.setCharPref(
"network.trr.ohttp.uri",
`https://${domain}:${h2Port}/${path}`
);
} else {
Services.prefs.setCharPref(
"network.trr.ohttp.uri",
`https://${TRR_Domain}:${h2Port}/${path}`
);
}
}
function setModeAndURI(mode, path, domain) {
if (runningOHTTPTests) {
setModeAndURIForOHTTP(mode, path, domain);
} else {
Services.prefs.setIntPref("network.trr.mode", mode);
if (domain) {
Services.prefs.setCharPref(
"network.trr.uri",
`https://${domain}:${h2Port}/${path}`
);
} else {
Services.prefs.setCharPref(
"network.trr.uri",
`https://${TRR_Domain}:${h2Port}/${path}`
);
}
}
}
async function test_A_record() {
info("Verifying a basic A record");
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=2.2.2.2"); // TRR-first
await new TRRDNSListener("bar.example.com", "2.2.2.2");
info("Verifying a basic A record - without bootstrapping");
Services.dns.clearCache(true);
setModeAndURI(3, "doh?responseIP=3.3.3.3"); // TRR-only
// Clear bootstrap address and add DoH endpoint hostname to local domains
Services.prefs.clearUserPref("network.trr.bootstrapAddr");
Services.prefs.setCharPref("network.dns.localDomains", TRR_Domain);
await new TRRDNSListener("bar.example.com", "3.3.3.3");
Services.prefs.setCharPref("network.trr.bootstrapAddr", "127.0.0.1");
Services.prefs.clearUserPref("network.dns.localDomains");
info("Verify that the cached record is used when DoH endpoint is down");
// Don't clear the cache. That is what we're checking.
setModeAndURI(3, "404");
await new TRRDNSListener("bar.example.com", "3.3.3.3");
info("verify working credentials in DOH request");
Services.dns.clearCache(true);
setModeAndURI(3, "doh?responseIP=4.4.4.4&auth=true");
Services.prefs.setCharPref("network.trr.credentials", "user:password");
await new TRRDNSListener("bar.example.com", "4.4.4.4");
info("Verify failing credentials in DOH request");
Services.dns.clearCache(true);
setModeAndURI(3, "doh?responseIP=4.4.4.4&auth=true");
Services.prefs.setCharPref("network.trr.credentials", "evil:person");
let { inStatus } = await new TRRDNSListener(
"wrong.example.com",
undefined,
false
);
Assert.ok(
!Components.isSuccessCode(inStatus),
`${inStatus} should be an error code`
);
Services.prefs.clearUserPref("network.trr.credentials");
}
async function test_AAAA_records() {
info("Verifying AAAA record");
Services.dns.clearCache(true);
setModeAndURI(3, "doh?responseIP=2020:2020::2020&delayIPv4=100");
await new TRRDNSListener("aaaa.example.com", "2020:2020::2020");
Services.dns.clearCache(true);
setModeAndURI(3, "doh?responseIP=2020:2020::2020&delayIPv6=100");
await new TRRDNSListener("aaaa.example.com", "2020:2020::2020");
Services.dns.clearCache(true);
setModeAndURI(3, "doh?responseIP=2020:2020::2020");
await new TRRDNSListener("aaaa.example.com", "2020:2020::2020");
}
async function test_RFC1918() {
info("Verifying that RFC1918 address from the server is rejected by default");
Services.dns.clearCache(true);
setModeAndURI(3, "doh?responseIP=192.168.0.1");
let { inStatus } = await new TRRDNSListener(
"rfc1918.example.com",
undefined,
false
);
Assert.ok(
!Components.isSuccessCode(inStatus),
`${inStatus} should be an error code`
);
setModeAndURI(3, "doh?responseIP=::ffff:192.168.0.1");
({ inStatus } = await new TRRDNSListener(
"rfc1918-ipv6.example.com",
undefined,
false
));
Assert.ok(
!Components.isSuccessCode(inStatus),
`${inStatus} should be an error code`
);
info("Verify RFC1918 address from the server is fine when told so");
Services.dns.clearCache(true);
setModeAndURI(3, "doh?responseIP=192.168.0.1");
Services.prefs.setBoolPref("network.trr.allow-rfc1918", true);
await new TRRDNSListener("rfc1918.example.com", "192.168.0.1");
setModeAndURI(3, "doh?responseIP=::ffff:192.168.0.1");
await new TRRDNSListener("rfc1918-ipv6.example.com", "::ffff:192.168.0.1");
Services.prefs.clearUserPref("network.trr.allow-rfc1918");
}
async function test_GET_ECS() {
info("Verifying resolution via GET with ECS disabled");
Services.dns.clearCache(true);
// The template part should be discarded
setModeAndURI(3, "doh{?dns}");
Services.prefs.setBoolPref("network.trr.useGET", true);
Services.prefs.setBoolPref("network.trr.disable-ECS", true);
await new TRRDNSListener("ecs.example.com", "5.5.5.5");
info("Verifying resolution via GET with ECS enabled");
Services.dns.clearCache(true);
setModeAndURI(3, "doh");
Services.prefs.setBoolPref("network.trr.disable-ECS", false);
await new TRRDNSListener("get.example.com", "5.5.5.5");
Services.prefs.clearUserPref("network.trr.useGET");
Services.prefs.clearUserPref("network.trr.disable-ECS");
}
async function test_timeout_mode3() {
info("Verifying that a short timeout causes failure with a slow server");
Services.dns.clearCache(true);
// First, mode 3.
setModeAndURI(3, "doh?noResponse=true");
Services.prefs.setIntPref("network.trr.request_timeout_ms", 10);
Services.prefs.setIntPref("network.trr.request_timeout_mode_trronly_ms", 10);
let { inStatus } = await new TRRDNSListener(
"timeout.example.com",
undefined,
false
);
Assert.ok(
!Components.isSuccessCode(inStatus),
`${inStatus} should be an error code`
);
// Now for mode 2
Services.dns.clearCache(true);
setModeAndURI(2, "doh?noResponse=true");
await new TRRDNSListener("timeout.example.com", "127.0.0.1"); // Should fallback
Services.prefs.clearUserPref("network.trr.request_timeout_ms");
Services.prefs.clearUserPref("network.trr.request_timeout_mode_trronly_ms");
}
async function test_trr_retry() {
Services.dns.clearCache(true);
Services.prefs.setBoolPref("network.trr.strict_native_fallback", false);
info("Test fallback to native");
Services.prefs.setBoolPref("network.trr.retry_on_recoverable_errors", false);
setModeAndURI(2, "doh?noResponse=true");
Services.prefs.setIntPref("network.trr.request_timeout_ms", 10);
Services.prefs.setIntPref("network.trr.request_timeout_mode_trronly_ms", 10);
await new TRRDNSListener("timeout.example.com", {
expectedAnswer: "127.0.0.1",
});
Services.prefs.clearUserPref("network.trr.request_timeout_ms");
Services.prefs.clearUserPref("network.trr.request_timeout_mode_trronly_ms");
info("Test Retry Success");
Services.prefs.setBoolPref("network.trr.retry_on_recoverable_errors", true);
let chan = makeChan(
`https://foo.example.com:${h2Port}/reset-doh-request-count`,
Ci.nsIRequest.TRR_DISABLED_MODE
);
await new Promise(resolve =>
chan.asyncOpen(new ChannelListener(resolve, null))
);
setModeAndURI(2, "doh?responseIP=2.2.2.2&retryOnDecodeFailure=true");
await new TRRDNSListener("retry_ok.example.com", "2.2.2.2");
info("Test Retry Failed");
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=2.2.2.2&corruptedAnswer=true");
await new TRRDNSListener("retry_ng.example.com", "127.0.0.1");
}
async function test_strict_native_fallback() {
Services.dns.clearCache(true);
Services.prefs.setBoolPref("network.trr.retry_on_recoverable_errors", true);
Services.prefs.setBoolPref("network.trr.strict_native_fallback", true);
info("First a timeout case");
setModeAndURI(2, "doh?noResponse=true");
Services.prefs.setIntPref("network.trr.request_timeout_ms", 10);
Services.prefs.setIntPref("network.trr.request_timeout_mode_trronly_ms", 10);
Services.prefs.setIntPref(
"network.trr.strict_fallback_request_timeout_ms",
10
);
Services.prefs.setBoolPref(
"network.trr.strict_native_fallback_allow_timeouts",
false
);
let { inStatus } = await new TRRDNSListener(
"timeout.example.com",
undefined,
false
);
Assert.ok(
!Components.isSuccessCode(inStatus),
`${inStatus} should be an error code`
);
Services.dns.clearCache(true);
await new TRRDNSListener("timeout.example.com", undefined, false);
Services.dns.clearCache(true);
Services.prefs.setBoolPref(
"network.trr.strict_native_fallback_allow_timeouts",
true
);
await new TRRDNSListener("timeout.example.com", {
expectedAnswer: "127.0.0.1",
});
Services.prefs.setBoolPref(
"network.trr.strict_native_fallback_allow_timeouts",
false
);
info("Now a connection error");
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=2.2.2.2");
Services.prefs.clearUserPref("network.trr.request_timeout_ms");
Services.prefs.clearUserPref("network.trr.request_timeout_mode_trronly_ms");
Services.prefs.clearUserPref(
"network.trr.strict_fallback_request_timeout_ms"
);
({ inStatus } = await new TRRDNSListener("closeme.com", undefined, false));
Assert.ok(
!Components.isSuccessCode(inStatus),
`${inStatus} should be an error code`
);
info("Now a decode error");
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=2.2.2.2&corruptedAnswer=true");
({ inStatus } = await new TRRDNSListener(
"bar.example.com",
undefined,
false
));
Assert.ok(
!Components.isSuccessCode(inStatus),
`${inStatus} should be an error code`
);
if (!mozinfo.socketprocess_networking) {
// Confirmation state isn't passed cross-process.
info("Now with confirmation failed - should fallback");
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=2.2.2.2&corruptedAnswer=true");
Services.prefs.setCharPref("network.trr.confirmationNS", "example.com");
await TestUtils.waitForCondition(
// 3 => CONFIRM_FAILED, 4 => CONFIRM_TRYING_FAILED
() =>
Services.dns.currentTrrConfirmationState == 3 ||
Services.dns.currentTrrConfirmationState == 4,
`Timed out waiting for confirmation failure. Currently ${Services.dns.currentTrrConfirmationState}`,
1,
5000
);
await new TRRDNSListener("bar.example.com", "127.0.0.1"); // Should fallback
}
info("Now a successful case.");
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=2.2.2.2");
if (!mozinfo.socketprocess_networking) {
// Only need to reset confirmation state if we messed with it before.
Services.prefs.setCharPref("network.trr.confirmationNS", "skip");
await TestUtils.waitForCondition(
// 5 => CONFIRM_DISABLED
() => Services.dns.currentTrrConfirmationState == 5,
`Timed out waiting for confirmation disabled. Currently ${Services.dns.currentTrrConfirmationState}`,
1,
5000
);
}
await new TRRDNSListener("bar.example.com", "2.2.2.2");
info("Now without strict fallback mode, timeout case");
Services.dns.clearCache(true);
setModeAndURI(2, "doh?noResponse=true");
Services.prefs.setIntPref("network.trr.request_timeout_ms", 10);
Services.prefs.setIntPref("network.trr.request_timeout_mode_trronly_ms", 10);
Services.prefs.setIntPref(
"network.trr.strict_fallback_request_timeout_ms",
10
);
Services.prefs.setBoolPref("network.trr.strict_native_fallback", false);
await new TRRDNSListener("timeout.example.com", "127.0.0.1"); // Should fallback
info("Now a connection error");
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=2.2.2.2");
Services.prefs.clearUserPref("network.trr.request_timeout_ms");
Services.prefs.clearUserPref("network.trr.request_timeout_mode_trronly_ms");
Services.prefs.clearUserPref(
"network.trr.strict_fallback_request_timeout_ms"
);
await new TRRDNSListener("closeme.com", "127.0.0.1"); // Should fallback
info("Now a decode error");
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=2.2.2.2&corruptedAnswer=true");
await new TRRDNSListener("bar.example.com", "127.0.0.1"); // Should fallback
Services.prefs.setBoolPref("network.trr.strict_native_fallback", false);
Services.prefs.clearUserPref("network.trr.request_timeout_ms");
Services.prefs.clearUserPref("network.trr.request_timeout_mode_trronly_ms");
Services.prefs.clearUserPref(
"network.trr.strict_fallback_request_timeout_ms"
);
}
async function test_no_answers_fallback() {
info("Verfiying that we correctly fallback to Do53 when no answers from DoH");
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=none"); // TRR-first
await new TRRDNSListener("confirm.example.com", "127.0.0.1");
info("Now in strict mode - no fallback");
Services.prefs.setBoolPref("network.trr.strict_native_fallback", true);
Services.dns.clearCache(true);
await new TRRDNSListener("confirm.example.com", "127.0.0.1");
Services.prefs.setBoolPref("network.trr.strict_native_fallback", false);
}
async function test_404_fallback() {
info("Verfiying that we correctly fallback to Do53 when DoH sends 404");
Services.dns.clearCache(true);
setModeAndURI(2, "404"); // TRR-first
await new TRRDNSListener("test404.example.com", "127.0.0.1");
info("Now in strict mode - no fallback");
Services.prefs.setBoolPref("network.trr.strict_native_fallback", true);
Services.dns.clearCache(true);
let { inStatus } = await new TRRDNSListener("test404.example.com", {
expectedSuccess: false,
});
Assert.ok(
!Components.isSuccessCode(inStatus),
`${inStatus} should be an error code`
);
Services.prefs.setBoolPref("network.trr.strict_native_fallback", false);
}
async function test_mode_1_and_4() {
info("Verifying modes 1 and 4 are treated as TRR-off");
for (let mode of [1, 4]) {
Services.dns.clearCache(true);
setModeAndURI(mode, "doh?responseIP=2.2.2.2");
Assert.equal(
Services.dns.currentTrrMode,
5,
"Effective TRR mode should be 5"
);
}
}
async function test_CNAME() {
info("Checking that we follow a CNAME correctly");
Services.dns.clearCache(true);
// The dns-cname path alternates between sending us a CNAME pointing to
// another domain, and an A record. If we follow the cname correctly, doing
// a lookup with this path as the DoH URI should resolve to that A record.
setModeAndURI(3, "dns-cname");
await new TRRDNSListener("cname.example.com", "99.88.77.66");
info("Verifying that we bail out when we're thrown into a CNAME loop");
Services.dns.clearCache(true);
// First mode 3.
setModeAndURI(3, "doh?responseIP=none&cnameloop=true");
let { inStatus } = await new TRRDNSListener(
"test18.example.com",
undefined,
false
);
Assert.ok(
!Components.isSuccessCode(inStatus),
`${inStatus} should be an error code`
);
// Now mode 2.
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=none&cnameloop=true");
await new TRRDNSListener("test20.example.com", "127.0.0.1"); // Should fallback
info("Check that we correctly handle CNAME bundled with an A record");
Services.dns.clearCache(true);
// "dns-cname-a" path causes server to send a CNAME as well as an A record
setModeAndURI(3, "dns-cname-a");
await new TRRDNSListener("cname-a.example.com", "9.8.7.6");
}
async function test_name_mismatch() {
info("Verify that records that don't match the requested name are rejected");
Services.dns.clearCache(true);
// Setting hostname param tells server to always send record for bar.example.com
// regardless of what was requested.
setModeAndURI(3, "doh?hostname=mismatch.example.com");
let { inStatus } = await new TRRDNSListener(
"bar.example.com",
undefined,
false
);
Assert.ok(
!Components.isSuccessCode(inStatus),
`${inStatus} should be an error code`
);
}
async function test_mode_2() {
info("Checking that TRR result is used in mode 2");
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=192.192.192.192");
Services.prefs.setCharPref("network.trr.excluded-domains", "");
Services.prefs.setCharPref("network.trr.builtin-excluded-domains", "");
await new TRRDNSListener("bar.example.com", "192.192.192.192");
info("Now in strict mode");
Services.prefs.setBoolPref("network.trr.strict_native_fallback", true);
Services.dns.clearCache(true);
await new TRRDNSListener("bar.example.com", "192.192.192.192");
Services.prefs.setBoolPref("network.trr.strict_native_fallback", false);
}
async function test_excluded_domains() {
info("Checking that Do53 is used for names in excluded-domains list");
for (let strictMode of [true, false]) {
info("Strict mode: " + strictMode);
Services.prefs.setBoolPref(
"network.trr.strict_native_fallback",
strictMode
);
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=192.192.192.192");
Services.prefs.setCharPref(
"network.trr.excluded-domains",
"bar.example.com"
);
await new TRRDNSListener("bar.example.com", "127.0.0.1"); // Do53 result
Services.dns.clearCache(true);
Services.prefs.setCharPref("network.trr.excluded-domains", "example.com");
await new TRRDNSListener("bar.example.com", "127.0.0.1");
Services.dns.clearCache(true);
Services.prefs.setCharPref(
"network.trr.excluded-domains",
"foo.test.com, bar.example.com"
);
await new TRRDNSListener("bar.example.com", "127.0.0.1");
Services.dns.clearCache(true);
Services.prefs.setCharPref(
"network.trr.excluded-domains",
"bar.example.com, foo.test.com"
);
await new TRRDNSListener("bar.example.com", "127.0.0.1");
Services.prefs.clearUserPref("network.trr.excluded-domains");
}
}
function topicObserved(topic) {
return new Promise(resolve => {
let observer = {
QueryInterface: ChromeUtils.generateQI(["nsIObserver"]),
observe(aSubject, aTopic, aData) {
if (aTopic == topic) {
Services.obs.removeObserver(observer, topic);
resolve(aData);
}
},
};
Services.obs.addObserver(observer, topic);
});
}
async function test_captiveportal_canonicalURL() {
info("Check that captivedetect.canonicalURL is resolved via native DNS");
for (let strictMode of [true, false]) {
info("Strict mode: " + strictMode);
Services.prefs.setBoolPref(
"network.trr.strict_native_fallback",
strictMode
);
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=2.2.2.2");
const cpServer = new HttpServer();
cpServer.registerPathHandler(
"/cp",
function handleRawData(request, response) {
response.setHeader("Content-Type", "text/plain", false);
response.setHeader("Cache-Control", "no-cache", false);
response.bodyOutputStream.write("data", 4);
}
);
cpServer.start(-1);
cpServer.identity.setPrimary(
"http",
"detectportal.firefox.com",
cpServer.identity.primaryPort
);
let cpPromise = topicObserved("captive-portal-login");
Services.prefs.setCharPref(
"captivedetect.canonicalURL",
`http://detectportal.firefox.com:${cpServer.identity.primaryPort}/cp`
);
Services.prefs.setBoolPref("network.captive-portal-service.testMode", true);
Services.prefs.setBoolPref("network.captive-portal-service.enabled", true);
// The captive portal has to have used native DNS, otherwise creating
// a socket to a non-local IP would trigger a crash.
await cpPromise;
// Simply resolving the captive portal domain should still use TRR
await new TRRDNSListener("detectportal.firefox.com", "2.2.2.2");
Services.prefs.clearUserPref("network.captive-portal-service.enabled");
Services.prefs.clearUserPref("network.captive-portal-service.testMode");
Services.prefs.clearUserPref("captivedetect.canonicalURL");
await new Promise(resolve => cpServer.stop(resolve));
}
}
async function test_parentalcontrols() {
info("Check that DoH isn't used when parental controls are enabled");
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=2.2.2.2");
await SetParentalControlEnabled(true);
await new TRRDNSListener("www.example.com", "127.0.0.1");
await SetParentalControlEnabled(false);
info("Now in strict mode");
Services.prefs.setBoolPref("network.trr.strict_native_fallback", true);
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=2.2.2.2");
await SetParentalControlEnabled(true);
await new TRRDNSListener("www.example.com", "127.0.0.1");
await SetParentalControlEnabled(false);
Services.prefs.setBoolPref("network.trr.strict_native_fallback", false);
}
async function test_builtin_excluded_domains() {
info("Verifying Do53 is used for domains in builtin-excluded-domians list");
for (let strictMode of [true, false]) {
info("Strict mode: " + strictMode);
Services.prefs.setBoolPref(
"network.trr.strict_native_fallback",
strictMode
);
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=2.2.2.2");
Services.prefs.setCharPref("network.trr.excluded-domains", "");
Services.prefs.setCharPref(
"network.trr.builtin-excluded-domains",
"bar.example.com"
);
await new TRRDNSListener("bar.example.com", "127.0.0.1");
Services.dns.clearCache(true);
Services.prefs.setCharPref(
"network.trr.builtin-excluded-domains",
"example.com"
);
await new TRRDNSListener("bar.example.com", "127.0.0.1");
Services.dns.clearCache(true);
Services.prefs.setCharPref(
"network.trr.builtin-excluded-domains",
"foo.test.com, bar.example.com"
);
await new TRRDNSListener("bar.example.com", "127.0.0.1");
await new TRRDNSListener("foo.test.com", "127.0.0.1");
}
}
async function test_excluded_domains_mode3() {
info("Checking Do53 is used for names in excluded-domains list in mode 3");
Services.dns.clearCache(true);
setModeAndURI(3, "doh?responseIP=192.192.192.192");
Services.prefs.setCharPref("network.trr.excluded-domains", "");
Services.prefs.setCharPref("network.trr.builtin-excluded-domains", "");
await new TRRDNSListener("excluded", "192.192.192.192", true);
Services.dns.clearCache(true);
Services.prefs.setCharPref("network.trr.excluded-domains", "excluded");
await new TRRDNSListener("excluded", "127.0.0.1");
// Test .local
Services.dns.clearCache(true);
Services.prefs.setCharPref("network.trr.excluded-domains", "excluded,local");
await new TRRDNSListener("test.local", "127.0.0.1");
// Test .other
Services.dns.clearCache(true);
Services.prefs.setCharPref(
"network.trr.excluded-domains",
"excluded,local,other"
);
await new TRRDNSListener("domain.other", "127.0.0.1");
}
async function test25e() {
info("Check captivedetect.canonicalURL is resolved via native DNS in mode 3");
Services.dns.clearCache(true);
setModeAndURI(3, "doh?responseIP=192.192.192.192");
const cpServer = new HttpServer();
cpServer.registerPathHandler(
"/cp",
function handleRawData(request, response) {
response.setHeader("Content-Type", "text/plain", false);
response.setHeader("Cache-Control", "no-cache", false);
response.bodyOutputStream.write("data", 4);
}
);
cpServer.start(-1);
cpServer.identity.setPrimary(
"http",
"detectportal.firefox.com",
cpServer.identity.primaryPort
);
let cpPromise = topicObserved("captive-portal-login");
Services.prefs.setCharPref(
"captivedetect.canonicalURL",
`http://detectportal.firefox.com:${cpServer.identity.primaryPort}/cp`
);
Services.prefs.setBoolPref("network.captive-portal-service.testMode", true);
Services.prefs.setBoolPref("network.captive-portal-service.enabled", true);
// The captive portal has to have used native DNS, otherwise creating
// a socket to a non-local IP would trigger a crash.
await cpPromise;
// // Simply resolving the captive portal domain should still use TRR
await new TRRDNSListener("detectportal.firefox.com", "192.192.192.192");
Services.prefs.clearUserPref("network.captive-portal-service.enabled");
Services.prefs.clearUserPref("network.captive-portal-service.testMode");
Services.prefs.clearUserPref("captivedetect.canonicalURL");
await new Promise(resolve => cpServer.stop(resolve));
}
async function test_parentalcontrols_mode3() {
info("Check DoH isn't used when parental controls are enabled in mode 3");
Services.dns.clearCache(true);
setModeAndURI(3, "doh?responseIP=192.192.192.192");
await SetParentalControlEnabled(true);
await new TRRDNSListener("www.example.com", "127.0.0.1");
await SetParentalControlEnabled(false);
}
async function test_builtin_excluded_domains_mode3() {
info("Check Do53 used for domains in builtin-excluded-domians list, mode 3");
Services.dns.clearCache(true);
setModeAndURI(3, "doh?responseIP=192.192.192.192");
Services.prefs.setCharPref("network.trr.excluded-domains", "");
Services.prefs.setCharPref(
"network.trr.builtin-excluded-domains",
"excluded"
);
await new TRRDNSListener("excluded", "127.0.0.1");
// Test .local
Services.dns.clearCache(true);
Services.prefs.setCharPref(
"network.trr.builtin-excluded-domains",
"excluded,local"
);
await new TRRDNSListener("test.local", "127.0.0.1");
// Test .other
Services.dns.clearCache(true);
Services.prefs.setCharPref(
"network.trr.builtin-excluded-domains",
"excluded,local,other"
);
await new TRRDNSListener("domain.other", "127.0.0.1");
}
async function count_cookies() {
info("Check that none of the requests have set any cookies.");
Assert.equal(Services.cookies.countCookiesFromHost("example.com"), 0);
Assert.equal(Services.cookies.countCookiesFromHost("foo.example.com."), 0);
}
async function test_connection_closed() {
info("Check we handle it correctly when the connection is closed");
Services.dns.clearCache(true);
setModeAndURI(3, "doh?responseIP=2.2.2.2");
Services.prefs.setCharPref("network.trr.excluded-domains", "");
// We don't need to wait for 30 seconds for the request to fail
Services.prefs.setIntPref("network.trr.request_timeout_mode_trronly_ms", 500);
// bootstrap
Services.prefs.clearUserPref("network.dns.localDomains");
Services.prefs.setCharPref("network.trr.bootstrapAddr", "127.0.0.1");
await new TRRDNSListener("bar.example.com", "2.2.2.2");
// makes the TRR connection shut down.
let { inStatus } = await new TRRDNSListener("closeme.com", undefined, false);
Assert.ok(
!Components.isSuccessCode(inStatus),
`${inStatus} should be an error code`
);
await new TRRDNSListener("bar2.example.com", "2.2.2.2");
// No bootstrap this time
Services.prefs.clearUserPref("network.trr.bootstrapAddr");
Services.dns.clearCache(true);
Services.prefs.setCharPref("network.trr.excluded-domains", "excluded,local");
Services.prefs.setCharPref("network.dns.localDomains", TRR_Domain);
await new TRRDNSListener("bar.example.com", "2.2.2.2");
// makes the TRR connection shut down.
({ inStatus } = await new TRRDNSListener("closeme.com", undefined, false));
Assert.ok(
!Components.isSuccessCode(inStatus),
`${inStatus} should be an error code`
);
await new TRRDNSListener("bar2.example.com", "2.2.2.2");
// No local domains either
Services.dns.clearCache(true);
Services.prefs.setCharPref("network.trr.excluded-domains", "excluded");
Services.prefs.clearUserPref("network.dns.localDomains");
Services.prefs.clearUserPref("network.trr.bootstrapAddr");
await new TRRDNSListener("bar.example.com", "2.2.2.2");
// makes the TRR connection shut down.
({ inStatus } = await new TRRDNSListener("closeme.com", undefined, false));
Assert.ok(
!Components.isSuccessCode(inStatus),
`${inStatus} should be an error code`
);
await new TRRDNSListener("bar2.example.com", "2.2.2.2");
// Now make sure that even in mode 3 without a bootstrap address
// we are able to restart the TRR connection if it drops - the TRR service
// channel will use regular DNS to resolve the TRR address.
Services.dns.clearCache(true);
Services.prefs.setCharPref("network.trr.excluded-domains", "");
Services.prefs.setCharPref("network.trr.builtin-excluded-domains", "");
Services.prefs.clearUserPref("network.dns.localDomains");
Services.prefs.clearUserPref("network.trr.bootstrapAddr");
await new TRRDNSListener("bar.example.com", "2.2.2.2");
// makes the TRR connection shut down.
({ inStatus } = await new TRRDNSListener("closeme.com", undefined, false));
Assert.ok(
!Components.isSuccessCode(inStatus),
`${inStatus} should be an error code`
);
Services.dns.clearCache(true);
await new TRRDNSListener("bar2.example.com", "2.2.2.2");
// This test exists to document what happens when we're in TRR only mode
// and we don't set a bootstrap address. We use DNS to resolve the
// initial URI, but if the connection fails, we don't fallback to DNS
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=9.9.9.9");
Services.prefs.setCharPref("network.dns.localDomains", "closeme.com");
Services.prefs.clearUserPref("network.trr.bootstrapAddr");
await new TRRDNSListener("bar.example.com", "9.9.9.9");
// makes the TRR connection shut down. Should fallback to DNS
await new TRRDNSListener("closeme.com", "127.0.0.1");
// TRR should be back up again
await new TRRDNSListener("bar2.example.com", "9.9.9.9");
}
async function test_fetch_time() {
info("Verifying timing");
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=2.2.2.2&delayIPv4=20");
await new TRRDNSListener("bar_time.example.com", "2.2.2.2", true, 20);
// gets an error from DoH. It will fall back to regular DNS. The TRR timing should be 0.
Services.dns.clearCache(true);
setModeAndURI(2, "404&delayIPv4=20");
await new TRRDNSListener("bar_time1.example.com", "127.0.0.1", true, 0);
// check an excluded domain. It should fall back to regular DNS. The TRR timing should be 0.
Services.prefs.setCharPref(
"network.trr.excluded-domains",
"bar_time2.example.com"
);
for (let strictMode of [true, false]) {
info("Strict mode: " + strictMode);
Services.prefs.setBoolPref(
"network.trr.strict_native_fallback",
strictMode
);
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=2.2.2.2&delayIPv4=20");
await new TRRDNSListener("bar_time2.example.com", "127.0.0.1", true, 0);
}
Services.prefs.setCharPref("network.trr.excluded-domains", "");
// verify RFC1918 address from the server is rejected and the TRR timing will be not set because the response will be from the native resolver.
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=192.168.0.1&delayIPv4=20");
await new TRRDNSListener("rfc1918_time.example.com", "127.0.0.1", true, 0);
}
async function test_fqdn() {
info("Test that we handle FQDN encoding and decoding properly");
Services.dns.clearCache(true);
setModeAndURI(3, "doh?responseIP=9.8.7.6");
await new TRRDNSListener("fqdn.example.org.", "9.8.7.6");
// GET
Services.dns.clearCache(true);
Services.prefs.setBoolPref("network.trr.useGET", true);
await new TRRDNSListener("fqdn_get.example.org.", "9.8.7.6");
Services.prefs.clearUserPref("network.trr.useGET");
}
async function test_ipv6_trr_fallback() {
info("Testing fallback with ipv6");
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=4.4.4.4");
const override = Cc["@mozilla.org/network/native-dns-override;1"].getService(
Ci.nsINativeDNSResolverOverride
);
gOverride.addIPOverride("ipv6.host.com", "1:1::2");
// Should not fallback to Do53 because A request for ipv6.host.com returns
// 4.4.4.4
let { inStatus } = await new TRRDNSListener("ipv6.host.com", {
flags: Ci.nsIDNSService.RESOLVE_DISABLE_IPV4,
expectedSuccess: false,
});
equal(inStatus, Cr.NS_ERROR_UNKNOWN_HOST);
// This time both requests fail, so we do fall back
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=none");
await new TRRDNSListener("ipv6.host.com", "1:1::2");
info("In strict mode, the lookup should fail when both reqs fail.");
Services.dns.clearCache(true);
Services.prefs.setBoolPref("network.trr.strict_native_fallback", true);
setModeAndURI(2, "doh?responseIP=none");
await new TRRDNSListener("ipv6.host.com", "1:1::2");
Services.prefs.setBoolPref("network.trr.strict_native_fallback", false);
override.clearOverrides();
}
async function test_ipv4_trr_fallback() {
info("Testing fallback with ipv4");
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=1:2::3");
const override = Cc["@mozilla.org/network/native-dns-override;1"].getService(
Ci.nsINativeDNSResolverOverride
);
gOverride.addIPOverride("ipv4.host.com", "3.4.5.6");
// Should not fallback to Do53 because A request for ipv4.host.com returns
// 1:2::3
let { inStatus } = await new TRRDNSListener("ipv4.host.com", {
flags: Ci.nsIDNSService.RESOLVE_DISABLE_IPV6,
expectedSuccess: false,
});
equal(inStatus, Cr.NS_ERROR_UNKNOWN_HOST);
// This time both requests fail, so we do fall back
Services.dns.clearCache(true);
setModeAndURI(2, "doh?responseIP=none");
await new TRRDNSListener("ipv4.host.com", "3.4.5.6");
// No fallback with strict mode.
Services.dns.clearCache(true);
Services.prefs.setBoolPref("network.trr.strict_native_fallback", true);
setModeAndURI(2, "doh?responseIP=none");
await new TRRDNSListener("ipv4.host.com", "3.4.5.6");
Services.prefs.setBoolPref("network.trr.strict_native_fallback", false);
override.clearOverrides();
}
async function test_no_retry_without_doh() {
info("Bug 1648147 - if the TRR returns 0.0.0.0 we should not retry with DNS");
Services.prefs.setBoolPref("network.trr.fallback-on-zero-response", false);
async function test(url, ip) {
setModeAndURI(2, `doh?responseIP=${ip}`);
// Requests to 0.0.0.0 are usually directed to localhost, so let's use a port
// we know isn't being used - 666 (Doom)
let chan = makeChan(url, Ci.nsIRequest.TRR_DEFAULT_MODE);
let statusCounter = {
statusCount: {},
QueryInterface: ChromeUtils.generateQI([
"nsIInterfaceRequestor",
"nsIProgressEventSink",
]),
getInterface(iid) {
return this.QueryInterface(iid);
},
onProgress(request, progress, progressMax) {},
onStatus(request, status, statusArg) {
this.statusCount[status] = 1 + (this.statusCount[status] || 0);
},
};
chan.notificationCallbacks = statusCounter;
await new Promise(resolve =>
chan.asyncOpen(new ChannelListener(resolve, null, CL_EXPECT_FAILURE))
);
equal(
statusCounter.statusCount[0x4b000b],
1,
"Expecting only one instance of NS_NET_STATUS_RESOLVED_HOST"
);
equal(
statusCounter.statusCount[0x4b0007],
1,
"Expecting only one instance of NS_NET_STATUS_CONNECTING_TO"
);
}
for (let strictMode of [true, false]) {
info("Strict mode: " + strictMode);
Services.prefs.setBoolPref(
"network.trr.strict_native_fallback",
strictMode
);
await test(`http://unknown.ipv4.stuff:666/path`, "0.0.0.0");
await test(`http://unknown.ipv6.stuff:666/path`, "::");
}
}
async function test_connection_reuse_and_cycling() {
Services.dns.clearCache(true);
Services.prefs.setIntPref("network.trr.request_timeout_ms", 500);
Services.prefs.setIntPref(
"network.trr.strict_fallback_request_timeout_ms",
500
);
Services.prefs.setIntPref("network.trr.request_timeout_mode_trronly_ms", 500);
setModeAndURI(2, `doh?responseIP=9.8.7.6`);
Services.prefs.setBoolPref("network.trr.strict_native_fallback", true);
Services.prefs.setCharPref("network.trr.confirmationNS", "example.com");
await TestUtils.waitForCondition(
// 2 => CONFIRM_OK
() => Services.dns.currentTrrConfirmationState == 2,
`Timed out waiting for confirmation success. Currently ${Services.dns.currentTrrConfirmationState}`,
1,
5000
);
// Setting conncycle=true in the URI. Server will start logging reqs.
// We will do a specific sequence of lookups, then fetch the log from
// the server and check that it matches what we'd expect.
setModeAndURI(2, `doh?responseIP=9.8.7.6&conncycle=true`);
await TestUtils.waitForCondition(
// 2 => CONFIRM_OK
() => Services.dns.currentTrrConfirmationState == 2,
`Timed out waiting for confirmation success. Currently ${Services.dns.currentTrrConfirmationState}`,
1,
5000
);
// Confirmation upon uri-change will have created one req.
// Two reqs for each bar1 and bar2 - A + AAAA.
await new TRRDNSListener("bar1.example.org.", "9.8.7.6");
await new TRRDNSListener("bar2.example.org.", "9.8.7.6");
// Total so far: (1) + 2 + 2 = 5
// Two reqs that fail, one Confirmation req, two retried reqs that succeed.
await new TRRDNSListener("newconn.example.org.", "9.8.7.6");
await TestUtils.waitForCondition(
// 2 => CONFIRM_OK
() => Services.dns.currentTrrConfirmationState == 2,
`Timed out waiting for confirmation success. Currently ${Services.dns.currentTrrConfirmationState}`,
1,
5000
);
// Total so far: (5) + 2 + 1 + 2 = 10
// Two reqs for each bar3 and bar4 .
await new TRRDNSListener("bar3.example.org.", "9.8.7.6");
await new TRRDNSListener("bar4.example.org.", "9.8.7.6");
// Total so far: (10) + 2 + 2 = 14.
// Two reqs that fail, one Confirmation req, two retried reqs that succeed.
await new TRRDNSListener("newconn2.example.org.", "9.8.7.6");
await TestUtils.waitForCondition(
// 2 => CONFIRM_OK
() => Services.dns.currentTrrConfirmationState == 2,
`Timed out waiting for confirmation success. Currently ${Services.dns.currentTrrConfirmationState}`,
1,
5000
);
// Total so far: (14) + 2 + 1 + 2 = 19
// Two reqs for each bar5 and bar6 .
await new TRRDNSListener("bar5.example.org.", "9.8.7.6");
await new TRRDNSListener("bar6.example.org.", "9.8.7.6");
// Total so far: (19) + 2 + 2 = 23
let chan = makeChan(
`https://foo.example.com:${h2Port}/get-doh-req-port-log`,
Ci.nsIRequest.TRR_DISABLED_MODE
);
let dohReqPortLog = await new Promise(resolve =>
chan.asyncOpen(
new ChannelListener((stuff, buffer) => {
resolve(JSON.parse(buffer));
})
)
);
// Since the actual ports seen will vary at runtime, we use placeholders
// instead in our expected output definition. For example, if two entries
// both have "port1", it means they both should have the same port in the
// server's log.
// For reqs that fail and trigger a Confirmation + retry, the retried reqs
// might not re-use the new connection created for Confirmation due to a
// race, so we have an extra alternate expected port for them. This lets
// us test that they use *a* new port even if it's not *the* new port.
// Subsequent lookups are not affected, they will use the same conn as
// the Confirmation req.
let expectedLogTemplate = [
["example.com", "port1"],
["bar1.example.org", "port1"],
["bar1.example.org", "port1"],
["bar2.example.org", "port1"],
["bar2.example.org", "port1"],
["newconn.example.org", "port1"],
["newconn.example.org", "port1"],
["example.com", "port2"],
["newconn.example.org", "port2"],
["newconn.example.org", "port2"],
["bar3.example.org", "port2"],
["bar3.example.org", "port2"],
["bar4.example.org", "port2"],
["bar4.example.org", "port2"],
["newconn2.example.org", "port2"],
["newconn2.example.org", "port2"],
["example.com", "port3"],
["newconn2.example.org", "port3"],
["newconn2.example.org", "port3"],
["bar5.example.org", "port3"],
["bar5.example.org", "port3"],
["bar6.example.org", "port3"],
["bar6.example.org", "port3"],
];
if (expectedLogTemplate.length != dohReqPortLog.length) {
// This shouldn't happen, and if it does, we'll fail the assertion
// below. But first dump the whole server-side log to help with
// debugging should we see a failure. Most likely cause would be
// that another consumer of TRR happened to make a request while
// the test was running and polluted the log.
info(dohReqPortLog);
}
equal(
expectedLogTemplate.length,
dohReqPortLog.length,
"Correct number of req log entries"
);
let seenPorts = new Set();
// This is essentially a symbol table - as we iterate through the log
// we will assign the actual seen port numbers to the placeholders.
let seenPortsByExpectedPort = new Map();
for (let i = 0; i < expectedLogTemplate.length; i++) {
let expectedName = expectedLogTemplate[i][0];
let expectedPort = expectedLogTemplate[i][1];
let seenName = dohReqPortLog[i][0];
let seenPort = dohReqPortLog[i][1];
info(`Checking log entry. Name: ${seenName}, Port: ${seenPort}`);
equal(expectedName, seenName, "Name matches for entry " + i);
if (!seenPortsByExpectedPort.has(expectedPort)) {
ok(!seenPorts.has(seenPort), "Port should not have been previously used");
seenPorts.add(seenPort);
seenPortsByExpectedPort.set(expectedPort, seenPort);
} else {
equal(
seenPort,
seenPortsByExpectedPort.get(expectedPort),
"Connection was reused as expected"
);
}
}
}