
Background

IETF RFC 9460 defines the SVCB and HTTPS DNS resource records (RRs), which can be used to upgrade connections to HTTPS and also to advertise the application-layer protocols that are supported (ALPN).

On September 7, 2021, Firefox 92 was released, which added support for the HTTPS RR:

Firefox will automatically upgrade an HTTP request to HTTPS when a usable HTTPS RR is available. It will also use information provided in an HTTPS RR to optimize the process of establishing HTTPS connections⁠—this is conceptually similar to using the Alt-Svc header. (Firefox bug 1721132).

Test

I tried to test this out with www.google.com.

First, I tried to see if it had an HTTPS RR:

$ dig @8.8.8.8 www.google.com HTTPS

...

;; ANSWER SECTION: www.google.com. 3358 IN HTTPS 1 . alpn="h2,h3"

Here we see that the HTTPS RR does exist and we notice that HTTP/3 is a supported protocol denoted by the h3 value of the alpn parameter.

Next, I tried to clear my operating system's DNS cache. For example, on Windows I ran ipconfig /flushdns. I also ran this right before pressing Enter in the address bar, because Firefox and Chrome (or some other process) seem to try to reach google.com a lot on one of the systems I was testing with.

I opened up Firefox v120 and attempted to visit www.google.com.

Problem

Firefox v120, although the v92 release notes stated that it will use an HTTPS RR to upgrade and optimise, doesn't seem to ask for it.

Wireshark shows that only A and AAAA RR are queried:

[Wireshark screenshot]

And Firefox can be seen initially opening an HTTP/2 connection before switching to HTTP/3 because of the Alt-Svc header:

[Firefox screenshot]

Actually, it doesn't appear that any desktop application (Chrome, IceCat, Edge, etc.), on multiple websites, asks for the HTTPS RR at all, because when I filter for dns.qry.type == "HTTPS" or dns.qry.type == 65 in Wireshark I don't get any hits. I only get hits when I explicitly do a lookup via dig.

Question

Why does it appear that the HTTPS RR is never queried?

To try to understand the issue, I'm also asking these leading questions which might help find the root cause:

  • Is this a feature that is disabled by default?
  • Does this depend on the host setup (other than setting up the HTTPS RR)? No resource I've read indicated that additional steps are needed.
  • Whose responsibility is it to ask for the HTTPS RR? Is it the browser or operating system? So far I've tried it with updated versions of Guix System 1.4, Windows 10, and Windows 11 and all the browsers I mentioned above.
  • Does this depend on hardware?
Daniel
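To make the dig answer above concrete, here is an added Python example (not code from the question or from the RFC) that decodes the wire form of an HTTPS RR's rdata as laid out in RFC 9460 and checks whether the alpn list advertises h3; the sample bytes are constructed to match the `1 . alpn="h2,h3"` record shown above.

```python
import ipaddress
import struct

# SvcParamKey numbers registered by RFC 9460 (section 14.3.2)
SVCPARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port", 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}

def read_name(data: bytes, offset: int) -> tuple[str, int]:
    """Read an uncompressed DNS name; return (presentation form, next offset)."""
    labels = []
    while (length := data[offset]) != 0:
        if length & 0xC0:  # TargetName must not use compression pointers (RFC 9460 2.2)
            raise ValueError("compression pointer in TargetName")
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + "." if labels else ".", offset + 1

def decode_value(key: int, value: bytes):
    """Decode the SvcParamValue for the keys this example understands."""
    if key == 1:  # alpn: 1-byte length-prefixed protocol ids such as h2, h3
        ids, pos = [], 0
        while pos < len(value):
            ids.append(value[pos + 1:pos + 1 + value[pos]].decode("ascii"))
            pos += 1 + value[pos]
        return ids
    if key == 3:  # port: a single 16-bit integer
        return struct.unpack("!H", value)[0]
    if key == 4:  # ipv4hint: concatenated 4-byte addresses
        return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]
    return value.hex()  # other keys (mandatory, ech, ipv6hint) are left as hex

def parse_https_rdata(rdata: bytes) -> dict:
    """Return SvcPriority, TargetName and decoded SvcParams of one HTTPS RR."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, offset = read_name(rdata, 2)
    params, last_key = {}, -1
    while offset < len(rdata):
        key, length = struct.unpack("!HH", rdata[offset:offset + 4])
        if key <= last_key:  # keys must be strictly increasing (RFC 9460 2.2)
            raise ValueError("SvcParamKeys out of order or duplicated")
        value = rdata[offset + 4:offset + 4 + length]
        if len(value) != length:
            raise ValueError("truncated SvcParamValue")
        params[SVCPARAM_KEYS.get(key, f"key{key}")] = decode_value(key, value)
        offset, last_key = offset + 4 + length, key
    return {"priority": priority, "target": target, "params": params}

# Constructed rdata equivalent to the dig answer in the question: 1 . alpn="h2,h3"
# (SvcPriority=1, TargetName=root, key 1 with length 6 carrying "h2" and "h3")
GOOGLE_LIKE_RDATA = b"\x00\x01" b"\x00" b"\x00\x01\x00\x06" b"\x02h2\x02h3"

def supports_http3(rdata: bytes) -> bool:
    """True when the record's alpn list advertises HTTP/3, the check the question made by eye."""
    return "h3" in parse_https_rdata(rdata)["params"].get("alpn", [])
```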

2 Answers


Why does it appear that the HTTPS RR is never queried?

It is now possible with Firefox v129+:

HTTPS DNS records can now be resolved with the operating system's DNS resolver on specific platforms (Windows 11, Linux, Android 10+). Previously this required DNS over HTTPS to be enabled. This capability allows the use of HTTP/3 without needing to use the Alt-Svc header, upgrades requests to HTTPS when the DNS record is present, and enables wider use of ECH. (Firefox 129 changelog)

Is this a feature that is disabled by default?

At the moment yes but you can set network.dns.native_https_query to true in about:config to enable it.

Whose responsibility is it to ask for the HTTPS RR? Is it the browser or operating system?

Firefox will use the OS resolver.


This is the DNS traffic initiated when trying to access www.cloudflare.com:

[screenshot of the DNS traffic]

Rand0mMan

I think this is a Windows-related issue, as nslookup does not support HTTPS lookups and it's used internally in win32. I think the browsers are depending on the win32 functions. If I test it with Safari, Chrome or Firefox on my iPhone, it works perfectly.

Dave M