Security/DNS Over HTTPS/Heuristics: Difference between revisions
Revision as of 15:49, 16 July 2020
Firefox runs several heuristics on each network to determine whether it's OK to enable DoH on that network. This page details each heuristic we use.
Generally, the heuristics attempt to disable DoH in order to support parental controls and enterprise configurations.
A high-level overview is also available here: https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
Global Canary
See https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
Parental Controls Service
nsIParentalControlsService provides an interface to check whether parental controls are enabled on the user account on the OS. If so, we disable DoH.
See also:
- Parental Controls Service component: https://searchfox.org/mozilla-central/source/toolkit/components/parentalcontrols/
- https://developer.apple.com/documentation/devicemanagement/parentalcontrolscontentfilter
- https://docs.microsoft.com/en-us/windows/win32/parcon/using-parental-controls-settings-apis
Forced SafeSearch (DNS-based Parental Controls)
As a way to detect DNS-based content filtering, we perform DNS lookups of filtered and unfiltered domains of popular content platforms. If any of the IPs returned for the filtered domains of a given platform are identical to any of the IPs returned for the unfiltered domains, we disable DoH. Currently, Google and YouTube are supported.
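The overlap test described above, written out as an added example in JavaScript (this is illustrative code, not the Firefox heuristic itself). The resolver is injected so the check runs offline against constructed answers; the SafeSearch hostnames used for each platform are assumptions for this example rather than values taken from the Firefox source. The example goes slightly beyond the text by handling lookup failures (a hostname that does not resolve simply contributes no addresses instead of aborting the whole check).

```javascript
// Added example (not Firefox code): detect DNS-based forced SafeSearch the way
// the heuristic on this page describes it. Each platform lists "unfiltered"
// hostnames and the "filtered" (SafeSearch) hostnames; the hostnames here are
// assumptions for this example, not taken from the Firefox source.
const PLATFORMS = {
  google: {
    unfiltered: ["www.google.com"],
    filtered: ["forcesafesearch.google.com"],
  },
  youtube: {
    unfiltered: ["www.youtube.com"],
    filtered: ["restrict.youtube.com", "restrictmoderate.youtube.com"],
  },
};

// Resolve every hostname in `names` through `resolve(name) -> string[]` and
// return the union of addresses. A failed lookup (thrown error or non-array
// result) contributes no addresses rather than aborting the check.
function resolveAll(resolve, names) {
  const addrs = new Set();
  for (const name of names) {
    let result;
    try {
      result = resolve(name);
    } catch (e) {
      result = [];
    }
    for (const a of Array.isArray(result) ? result : []) addrs.add(a);
  }
  return addrs;
}

// Return the names of platforms whose filtered and unfiltered hostnames share
// at least one IP address. A non-empty result means the network's resolver is
// forcing SafeSearch, so DoH should be left disabled on this network.
function detectForcedSafeSearch(resolve, platforms = PLATFORMS) {
  const hits = [];
  for (const [name, { unfiltered, filtered }] of Object.entries(platforms)) {
    const plain = resolveAll(resolve, unfiltered);
    const safe = resolveAll(resolve, filtered);
    for (const ip of safe) {
      if (plain.has(ip)) {
        hits.push(name);
        break;
      }
    }
  }
  return hits;
}

// Build a resolver over a constructed answer table; unknown names fail the
// way an NXDOMAIN answer would.
function makeResolver(table) {
  return name => {
    if (!(name in table)) throw new Error("NXDOMAIN " + name);
    return table[name];
  };
}

// Constructed sample answers standing in for a real resolver. The addresses
// are illustrative, not real records. On the filtering network the resolver
// hands back the SafeSearch address for www.google.com; YouTube is untouched.
const FILTERING_NETWORK = {
  "www.google.com": ["192.0.2.10"],
  "forcesafesearch.google.com": ["192.0.2.10"],
  "www.youtube.com": ["198.51.100.20", "198.51.100.21"],
  "restrict.youtube.com": ["203.0.113.30"],
  "restrictmoderate.youtube.com": ["203.0.113.31"],
};

// On an unfiltered network the filtered and unfiltered names never share an IP.
const NORMAL_NETWORK = {
  "www.google.com": ["192.0.2.11"],
  "forcesafesearch.google.com": ["192.0.2.10"],
  "www.youtube.com": ["198.51.100.20"],
  "restrict.youtube.com": ["203.0.113.30"],
  "restrictmoderate.youtube.com": ["203.0.113.31"],
};

console.log(detectForcedSafeSearch(makeResolver(FILTERING_NETWORK))); // ["google"]
console.log(detectForcedSafeSearch(makeResolver(NORMAL_NETWORK)));    // []
```

Because the comparison is on address sets rather than on the CNAME chain, the check still fires when a filtering resolver answers with the SafeSearch address directly instead of rewriting the name.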
Third-party Root Certificates
We look at all certs in the cert database and check if any of them are not "built-in" (i.e. not part of the root store shipped with Firefox). If such certs are present, we disable DoH.
Enterprise Policies
If enterprise policies are active, we disable DoH unless it is explicitly enabled by the DNSOverHTTPS policy.
See also:
- https://support.mozilla.org/en-US/products/firefox-enterprise/policies-customization-enterprise/policies-overview-enterprise
Enterprise Roots
If enterprise root support has been enabled by setting the pref `security.enterprise_roots.enabled` to true, we disable DoH.
See also:
- https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox
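The three profile-level heuristics above (third-party roots, enterprise policies, enterprise roots) combined into one evaluator, as an added JavaScript example that is not Firefox code. It takes a plain description of the profile so it runs offline; the field names it reads (`isBuiltInRoot` on a certificate record, the `Enabled` key of the DNSOverHTTPS policy) are assumptions for this example. The second sample profile shows the edge case a practitioner usually trips over: a policy that explicitly enables DoH satisfies the policy heuristic, but a locally installed root or the enterprise-roots pref still disables DoH.

```javascript
// Added example (not Firefox code): the certificate, enterprise-policy and
// enterprise-roots heuristics described on this page, evaluated against a plain
// description of the profile. Field names (`isBuiltInRoot`, the policy's
// `Enabled` key) are assumptions for this example.

// Return the non-built-in certificates found in the cert database. Any hit
// means a locally installed root (often a TLS-inspecting proxy) is present.
function findThirdPartyRoots(certs) {
  return certs.filter(c => !c.isBuiltInRoot);
}

// Enterprise-policy heuristic: active policies disable DoH unless the
// DNSOverHTTPS policy itself turns it on. `policies` is null when no
// enterprise policies are active.
function policyDisablesDoH(policies) {
  if (!policies) return false;
  const doh = policies.DNSOverHTTPS;
  return !(doh && doh.Enabled === true);
}

// Enterprise-roots heuristic: the pref alone is enough to disable DoH.
function enterpriseRootsDisableDoH(prefs) {
  return prefs["security.enterprise_roots.enabled"] === true;
}

// Run all three heuristics and report which ones fired; DoH stays disabled
// if any of them did. The subjects of offending roots are returned so an
// administrator can see what triggered the decision.
function evaluateEnterpriseHeuristics({ certs, policies, prefs }) {
  const reasons = [];
  const thirdParty = findThirdPartyRoots(certs);
  if (thirdParty.length > 0) reasons.push("third_party_roots");
  if (policyDisablesDoH(policies)) reasons.push("enterprise_policy");
  if (enterpriseRootsDisableDoH(prefs)) reasons.push("enterprise_roots");
  return {
    disableDoH: reasons.length > 0,
    reasons,
    thirdPartyRoots: thirdParty.map(c => c.subject),
  };
}

// Constructed sample profile: only a shipped root, no policies, pref off.
const HOME_PROFILE = {
  certs: [{ subject: "CN=ISRG Root X1", isBuiltInRoot: true }],
  policies: null,
  prefs: { "security.enterprise_roots.enabled": false },
};

// Constructed sample profile: policies are active and explicitly enable DoH,
// so the policy heuristic does not fire, but the locally installed inspection
// CA and the enterprise-roots pref still do.
const PROXY_PROFILE = {
  certs: [
    { subject: "CN=ISRG Root X1", isBuiltInRoot: true },
    { subject: "CN=Example Corp TLS Inspection CA", isBuiltInRoot: false },
  ],
  policies: { DNSOverHTTPS: { Enabled: true } },
  prefs: { "security.enterprise_roots.enabled": true },
};

// Constructed sample profile: policies active without a DNSOverHTTPS policy.
const MANAGED_PROFILE = {
  certs: [{ subject: "CN=ISRG Root X1", isBuiltInRoot: true }],
  policies: { DisableTelemetry: true },
  prefs: { "security.enterprise_roots.enabled": false },
};

console.log(evaluateEnterpriseHeuristics(HOME_PROFILE));    // disableDoH: false
console.log(evaluateEnterpriseHeuristics(PROXY_PROFILE));   // third_party_roots, enterprise_roots
console.log(evaluateEnterpriseHeuristics(MANAGED_PROFILE)); // enterprise_policy
```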
Zscaler Canary Domain
Currently, Zscaler has not yet adopted the global canary; its filtering is instead detected by a separate canary lookup heuristic that operates on `sitereview.zscaler.com`.