On Thu, 28 Jun 2018, Martin Thomson wrote:
> If we ever have code to support .local in the browser, then those will need to avoid using the DoH stack for resolving those names.
That is *exactly* what we already have and do! =) Since they're explicitly local, they're considered "blacklisted" by the DoH code.
> Daniel's point is that DoH has implications for people who have a local DNS server that produces different or extra results for local services.
That too, but I also explicitly meant that Firefox by default refuses RFC1918 addresses from being used when retrieved from a DoH server. Such a response will be treated as a failed one.
But I think my point that it would help against this attack setup was inaccurate anyway, because such a failed resolve just causes Firefox to fall back and use the native resolver instead - when in "soft fail" mode - which then doesn't have that filter... It will only really help while in "trr only" mode, which has its own separate set of challenges.
--
/ daniel.haxx.se

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
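An added illustration of the behaviour discussed in the thread (example code written for this page, not Firefox's resolver code): a toy model in which the DoH path treats RFC 1918 answers as failures and skips excluded names such as .local, while "soft fail" mode falls back to a native resolver that applies no such filter. The host names, the answer tables and the rule that excluded names go straight to the native resolver are assumptions.

```python
import ipaddress
from typing import Optional

# Constructed sample answers (not real DNS data) for a DoH server and for the
# OS ("native") resolver. The DoH server hands out an RFC 1918 address for an
# internal-looking name, which is the case the filter exists for.
DOH_ANSWERS = {
    "intranet.example.test": "10.0.0.5",    # RFC 1918: must be rejected
    "www.example.test": "203.0.113.10",     # public address: accepted
}
NATIVE_ANSWERS = {
    "intranet.example.test": "10.0.0.5",
    "www.example.test": "203.0.113.10",
    "printer.local": "192.168.1.20",
}

RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr: str) -> bool:
    """True only for the three RFC 1918 private IPv4 ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)

def is_excluded(name: str) -> bool:
    """Names that never go to the DoH stack (assumed: only .local here)."""
    return name == "local" or name.endswith(".local")

def doh_resolve(name: str) -> Optional[str]:
    """DoH path: an RFC 1918 answer is treated as a failed resolve."""
    addr = DOH_ANSWERS.get(name)
    if addr is None or is_rfc1918(addr):
        return None
    return addr

def resolve(name: str, mode: str) -> Optional[str]:
    """mode is 'soft-fail' (fall back to native) or 'trr-only' (no fallback)."""
    if is_excluded(name):
        return NATIVE_ANSWERS.get(name)      # assumed: bypasses DoH entirely
    addr = doh_resolve(name)
    if addr is not None or mode == "trr-only":
        return addr
    # Soft fail: the native resolver answers instead, and it does not filter
    # RFC 1918 addresses, so the rejected answer comes back anyway.
    return NATIVE_ANSWERS.get(name)
```

In soft-fail mode the private address is returned through the fallback, which is the gap Daniel points out; only trr-only mode actually refuses it.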