Which DNS server is queried in this situation?

Discussion in 'other firewalls' started by pinkfufu, Jul 9, 2020.

  1. pinkfufu

    pinkfufu Registered Member

    Joined:
    Oct 22, 2016
    Posts:
    18
    Location:
    withheld
    I'm unable to find an answer to this anywhere.

    Where does name resolution occur when:
    • The browser is Firefox with its network settings configured for Enable DNS over HTTPS for User Provider: Cloudlflare
    • The adapter is configured in Internet Protocol Version 4 (TCP/IPv4) | Use the following DNS server address: 8.8.8.8
    • Windows Firewall is configured to allow svchost (applied to dnscache) out to remote IP address: 9.9.9.9
    • The modem is configured to use the ISP's DNS servers?
    How would browsing with Internet Explorer (assuming caches are empty) differ?

    OS: Windows 10. No VPN.

    TIA.
     
  2. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,259
    Location:
    UK
    I would think cloudflare would get priority.
     
  3. pinkfufu

    pinkfufu Registered Member

    Joined:
    Oct 22, 2016
    Posts:
    18
    Location:
    withheld
    Any reference?

    What would happen in the case of IE?

    I thought it might be 9.9.9.9 in all cases.
     
  4. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,259
    Location:
    UK
    Chrome can overide system settingswith Google dns so I expect Firefox can
     
  5. pinkfufu

    pinkfufu Registered Member

    Joined:
    Oct 22, 2016
    Posts:
    18
    Location:
    withheld
    That's interesting. I didn't know Chrome could do that.
     
  6. pinkfufu

    pinkfufu Registered Member

    Joined:
    Oct 22, 2016
    Posts:
    18
    Location:
    withheld
    If the firewall is configured to allow svchost (applied to dnscache) out for UDP to remote port 53 on remote IP 9.9.9.9, should not all name resolution be directed to 9.9.9.9 only? Where do the ISP's DNS servers on the modem fit into this then?
     
  7. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,307
    Location:
    Member state of European Union
    Firefox will try to connect to Cloudflare. Since it is done on https (tcp 443) port it should succeed, because firewall will not distinguish this connection among other browsing connections.

    Probably Firefox is not the only Internet client, so other programs are going to try to use 8.8.8.8 (Google), but these packets are going to be blocked by firewall. Packet are going to be blocked, not redirected by firewall, so these programs are going to not have DNS resolution at all. These programs may not work correctly.

    If you would block Cloudflare's DNS addresses (9.9.9.9 and others) address then Firefox is going to fallback to use 8.8.8.8 (Google) just as other programs, but will get blocked by Firewall just as any other program and will not have any DNS resolution at all.
     
    Last edited: Jul 9, 2020
  8. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,307
    Location:
    Member state of European Union
    Firewall is not right place to define DNS setting. Firewall is used mostly to allow/block stuff, not configure DNS settings. In Linux you could do some redirection, but it is not clean solution and I don't even know if it would work (maybe there is some destination IP information in DNS packets?)

    Modem DNS settings are going to be sent by DHCP protocol to dynamically configured interfaces, but since you mentioned that network interface is configured to statically use 8.8.8.8 address that DHCP information will not be sent or will be ignored.
     
  9. pinkfufu

    pinkfufu Registered Member

    Joined:
    Oct 22, 2016
    Posts:
    18
    Location:
    withheld
    @reasonablePrivacy

    Appreciate the detailed replies.

    Still not managed to wrap my head around all this though.

    This sounds reasonable... but Firefox has been firewalled to only allow outbound TCP connections to ports 80 & 443. How should Cloudflare DNS servers, which expect UDP packets arriving at port 53, respond? Would these packets be dropped?

    I don't know what happens with name resolution with Internet Explorer, but it does work as expected. It's been firewalled, like Firefox, to only allow outbound TCP connections to ports 80 & 443. Obviously, name resolution is taking place somewhere and somehow.

    When IE needs a domain name resolved to an IP address, does Windows forward it through svchost (applied to dnscache)? I think I'll look into this; it might lead somewhere.

    Cloudfare's DNS is 1.1.1.1. DNS 9.9.9.9 is Quad9.

    This is where the confusion starts for me. I now have three different places with DNS configured, each pointing to a different place: 1.1.1.1, 8.8.8.8, & 9.9.9.9.

    Just a note, if I configure Firefox not to use DNS over HTTPS, i.e., remove the 1.1.1.1, Firefox continues to work. I guess it behaves as IE in this case.

    The Windows Firewall is configured to allow svchost (applied to dnscache) out for UDP to port 53 for privacy and security. Configured as such, it keeps Windows from updating itself. It also appears to stop telemetry data from being sent to Microsoft. (I need to run more tests regarding the latter however). It just happens I've configured svchost to forward queries to 9.9.9.9; this could just as easily have been set to all IP addresses.

    If I've got this right, 8.8.8.8 will never be used for name resolution. Is that correct?

    Anyone have any thoughts?

    Thanks.
     
  10. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,307
    Location:
    Member state of European Union
    While Cloudflare DNS allow for UDP 53 packet DNS requests and responses, they also allow for DoH communication. You clearly stated in you post that "Enable DNS over HTTPS", so Firefox should connect on TCP 443, not UDP 53. Idk, maybe there is some UDP 53 communication at the beginning, but it is not what I expect.
     
  11. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,307
    Location:
    Member state of European Union
    My point is that programs (Firefox, e-mail client etc) are not going to read firewall rules to know where they are allowed to connect to. Programs are going to blindly try to connect (yes, I know udp doesn't have a concept of connection built-in) when they are configured to connect to. Hard-coded settings (some Google devices), in-program (Firefox) options/preferences/config and system-wide configuration (adapter/network interface) are place where are going to look for DNS settings. When they read configuration then they try to send packets. If it is blocked it's blocked - end of story. It may be blocked by local firewall on the same machine or some firewall on your router or your ISP firewall or anywhere else. Programs don't have advanced algorithms to circumvent firewalls maybe except Tor or some malware.

    Have you cleared Windows's DNS cache between tests?
     
  12. pinkfufu

    pinkfufu Registered Member

    Joined:
    Oct 22, 2016
    Posts:
    18
    Location:
    withheld
    Thanks for clarifying this.
     
  13. pinkfufu

    pinkfufu Registered Member

    Joined:
    Oct 22, 2016
    Posts:
    18
    Location:
    withheld
    Yes, but I'll check this. (I say yes because there have been times when I've browsed the net using IE following a reboot.)

    I'm don't know too much about DNS and TCP/IP. I've been researching and reading up; now I'm trying to make sense of things from a practical or implementation standpoint.

    Appreciate your time on this.
     
  14. kronckew

    kronckew Registered Member

    Joined:
    Aug 27, 2006
    Posts:
    356
    Location:
    CSA Consulate, Glos., UK
    Normal dns uses udp requests to port 53
    DOH (DNS over Https) uses The DOH protocol to port 443 for cloudflare, Firefox uses a variable settable in the about:config options, network.trr.mode,
    • 0 - Off (default). use standard native resolving only (don't use TRR at all)
    • 1 - Reserved (used to be Race mode)
    • 2 - First. Use TRR first, and only if the name resolve fails use the native resolver as a fallback.
    • 3 - Only. Only use TRR, never use the native resolver.
      • Up to FF >= 73, this mode also requires the bootstrapAddress pref to be set. 1.1.1.1 for cloudflare, 8..8.8.8 for google and 9.9.9.9 for quad 9.
      • Starting with Firefox 74, setting the bootstrap address is no longer mandatory - the browser will simply bootstrap itself using regular DNS, unless the DoH server domain can't be resolved.
      • The native resolver will still be used for portal detection and telemetry (Bug 1593873)
    • 4 - Reserved (used to be Shadow mode)
    • 5 - Off by choice. This is the same as 0 but marks it as done by choice and not done by default.
    requires FF62 or newer. TRR=Trusted Recursive Resolver.

    See https://wiki.mozilla.org/Trusted_Recursive_Resolver for a list of all the trr settings in about:config. cloudflare is exampled by default, you will need to change some parameters for the other service providers. Google DOH for chrome browsers to find out how to set chrome and edge to use doh if you want.

    Cloudflare, google and quad9 dns servers listen for normal dns requests on port 53, but also listen for trr doh requests on 443 and respond accordingly.

    Set trr mode to 5 to turn TRR DOH off by choice. it'll use normal dns thereafter. FF has it's own internal dns cache, as does windows.
    For info, Current Windows 10 insider fast lane (Developer) build have had DOH enabled at the adapter level, with fallback to the native resolver.

    I use Google DOH servers, if your firewall /router is set to a fixed dns (mine is set to BT, british telecom only, but windows essentially will allow outgoing doh or udp dns traffic to all remote adresses on port 53 or 443, overriding the router. best not to add any block rules unless you are very familiar with firewalls. Windows firewall system is fairly decent in it's defaults. Unless you have a rather non-standard local network and security requirements.
     
  15. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    239
    Location:
    USA
    @ pinkfufu
    In order of your OP bullet points.

    • Firefox will use Cloudflare (1.1.1.1) on port 443. Unless you bootstrapped Firefox to Cloudflare, Firefox will fall back to 8.8.8.8 on port 53 if Cloudflare goes down.

    • Everything else on your system will use 8.8.8.8 on port 53. (Other DoH enabled and configured programs will use DoH in whatever way it is implemented in those programs.) Based on the info you've posted up, I don't see how anything on your system could be using 9.9.9.9.

    • The firewall doesn't do name resolution.

    • The modem, and only the modem, will use the ISP for its own purposes. By modem, it is assumed you mean a modem and router in one unit, aka "combo."

    Use these fun tools:
    https://www.nirsoft.net/utils/dns_query_sniffer.html
    https://www.nirsoft.net/utils/dns_records_viewer.html

    Though quite basic, I have found this to be useful, within a browser, of course:
    http://www.whatsmydnsserver.com/

    Cheers.
     
  16. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,307
    Location:
    Member state of European Union
    Modem may send DNS settings via DHCP to other devices in the network.
     
  17. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    239
    Location:
    USA
    My post #15 is relative to the OP's bullet points in their totality:
    "Other devices in the network" has no relevance to the discussion and you could have otherwise made your point about DHCP, a purpose of the "modem," without patronizing a pull quote from my post.
     
    Last edited: Jul 9, 2020
  18. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,307
    Location:
    Member state of European Union
    Due to post #6 I think OP wanted to know more about modem DNS settings. Sorry if my post sounded patronizing.
     
  19. pinkfufu

    pinkfufu Registered Member

    Joined:
    Oct 22, 2016
    Posts:
    18
    Location:
    withheld
    Thanks to everyone who's contributed here. I'm going to try to follow through on this and will report anything of interest.
     
  20. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    445
    Location:
    Island of Woman
    as far as I know, OS settings will override router, if no dns settings are found on OS the OS will use router's dns settings, typical browser connections are different, will override os if dns is set , if not will use OS, if not will use router, also a plugin or program could use its own dns overriding anything set
     
    Last edited: Sep 20, 2020
  21. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,588
    thats right.

    from my view
    - DoH in firefox used if applyable, otherwise fallback to common dns request.
    - common dns request by dns servbice if dns service running (!) dns service need outbout UDP/53

    - if dns service is disabled then firefox fallback need outbound dns udp/53 mandatory, so locking firefox to 80/443 is pretty pointless, at least you forgot 8080/8088/81/20/21/1935/5355 and some others for regular work. you have killed your browser.

    - dns service is requesting to 9999 (quad9), no matter what router has been set to - router resolves for other connections from the network.

    I don't understand such not necessary dns requesting. It does not make anything better or safer, you just spread the requests to different directions without any benefit of security.
     
  22. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    239
    Location:
    USA
    Yeah. That router override is pretty much etched in stone.

    I keep my router set for my ISP (for reasons beyond the scope of this discussion) so I make sure my OS's DNS are bent to my will.

    A good demonstration: my Roku Ultra hits 8.8.8.8. So now Google knows I'm a serious I Dream of Jeannie fan...
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.