(change "popup" to "doorhanger") |
(improve reading flow) |
Line 8: | Line 8: | ||
* Prefs are set to true via Normandy Rollouts, which allows us to target specific regions and control population size and growth so we can manage risk. | * Prefs are set to true via Normandy Rollouts, which allows us to target specific regions and control population size and growth so we can manage risk. | ||
== User-choice == | == Heuristics == | ||
* We run various heuristics to determine whether the network is (un)suitable to enable DoH. | |||
* The heuristics are run at startup and upon network changes. | |||
* DoH is enabled on the network if all heuristics pass. | |||
== Respecting User-choice == | |||
* If we detect that the user changed their DoH settings in about:preferences, we permanently turn off our heuristics and other mechanisms. The user-set values are obeyed. | * If we detect that the user changed their DoH settings in about:preferences, we permanently turn off our heuristics and other mechanisms. The user-set values are obeyed. | ||
* This holds for prefs that were set prior to enrollment in the rollout. | |||
== Enterprise Policy == | == Enterprise Policy == | ||
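Review bot: In the Heuristics section, "DoH is enabled on the network if all heuristics pass" covers only the passing case. Because the heuristics are re-run at startup and upon network changes, the section should state explicitly what happens to an already-enabled DoH configuration when a heuristic later fails. "(un)suitable" would also read more plainly as "suitable". In Respecting User-choice, "This holds for prefs that were set prior to enrollment" would be clearer if it named the prefs it refers to.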
Line 18: | Line 24: | ||
* This is true whether the policy is configured on the local machine or propagated by the network e.g. via Group Policy. | * This is true whether the policy is configured on the local machine or propagated by the network e.g. via Group Policy. | ||
* If a DNSOverHTTPS policy to turn on DoH is in effect, this is respected and heuristics and other mechanisms will be enabled. | * If a DNSOverHTTPS policy to turn on DoH is in effect, this is respected and heuristics and other mechanisms will be enabled. | ||
== Default Provider Selection == | == Default Provider Selection == | ||
* Before running heuristics for the first time, we attempt to choose one of the available providers as the default for the profile. | * Before running heuristics for the first time, we attempt to choose one of the available providers as the default for the profile. | ||
* The chosen default is used whenever DoH is enabled, via the pref `doh-rollout.uri`. | * The chosen default is used whenever DoH is enabled, via the pref `doh-rollout.uri`. | ||
* A network-provided endpoint, if detected, will take precedence over the default provider when on that network. (See Provider Steering below) | * A network-provided endpoint, if detected, will take precedence over the default provider when on that network. (See Provider Steering below) | ||
* This feature is controlled by the prefs `doh-rollout.trr-selection.enabled`. | |||
== Provider Steering == | == Provider Steering == | ||
* Some providers supply their own DoH endpoints which we want to use if indicated. | * Some providers supply their own DoH endpoints which we want to use if indicated. | ||
* This capability is discovered via the CNAME response when looking up the domain `doh.test`. | * This capability is discovered via the CNAME response when looking up the domain `doh.test`. | ||
* Discovery is only attempted if all heuristics are passing on the network. | * Discovery is only attempted if all heuristics are passing on the network. | ||
* A DoH endpoint discovered in this manner takes precedence over the automatically chosen default provider (see Default Provider Selection above). | * A DoH endpoint discovered in this manner takes precedence over the automatically chosen default provider (see Default Provider Selection above). | ||
* A provider (endpoint + expected CNAME for discovery) must be explicitly supported for this mechanism to work. | |||
* Currently, Comcast is the only supported provider. | * Currently, Comcast is the only supported provider. | ||
* This feature is controlled by the pref `doh-rollout.provider-steering.enabled`. | |||
== Opt-out Doorhanger == | == Opt-out Doorhanger == |
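Review bot: Under Default Provider Selection, "This feature is controlled by the prefs `doh-rollout.trr-selection.enabled`" names a single pref, so "prefs" should be "pref", matching the Provider Steering line for `doh-rollout.provider-steering.enabled`. If more than one pref controls provider selection, list the others instead. In Provider Steering, "A provider (endpoint + expected CNAME for discovery) must be explicitly supported" does not say where the supported list is defined; a pointer to it would help a reader verify which endpoints a `doh.test` CNAME response can select.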