Bug 1666676 - Use fully-qualified names for all lookups performed by DoH heuristics. r=valentin

Differential Revision: https://phabricator.services.mozilla.com/D91091

browser/components/doh/DoHHeuristics.jsm

@@ -49,7 +49,7 @@ ChromeUtils.defineModuleGetter(
   "resource://gre/modules/Preferences.jsm"
 );
 
-const GLOBAL_CANARY = "use-application-dns.net";
+const GLOBAL_CANARY = "use-application-dns.net.";
 
 const NXDOMAIN_ERR = "NS_ERROR_UNKNOWN_HOST";
 
@@ -264,19 +264,19 @@ async function safeSearch() {
   const providerList = [
     {
       name: "google",
-      unfiltered: ["www.google.com", "google.com"],
-      safeSearch: ["forcesafesearch.google.com"],
+      unfiltered: ["www.google.com.", "google.com."],
+      safeSearch: ["forcesafesearch.google.com."],
     },
     {
       name: "youtube",
       unfiltered: [
-        "www.youtube.com",
-        "m.youtube.com",
-        "youtubei.googleapis.com",
-        "youtube.googleapis.com",
-        "www.youtube-nocookie.com",
+        "www.youtube.com.",
+        "m.youtube.com.",
+        "youtubei.googleapis.com.",
+        "youtube.googleapis.com.",
+        "www.youtube-nocookie.com.",
       ],
-      safeSearch: ["restrict.youtube.com", "restrictmoderate.youtube.com"],
+      safeSearch: ["restrict.youtube.com.", "restrictmoderate.youtube.com."],
     },
   ];
 
@@ -303,7 +303,7 @@ async function safeSearch() {
 }
 
 async function zscalerCanary() {
-  const ZSCALER_CANARY = "sitereview.zscaler.com";
+  const ZSCALER_CANARY = "sitereview.zscaler.com.";
 
   let { addresses } = await dnsLookup(ZSCALER_CANARY);
   for (let address of addresses) {
@@ -358,7 +358,7 @@ async function providerSteering() {
   if (!Config.providerSteering.enabled) {
     return null;
   }
-  const TEST_DOMAIN = "doh.test";
+  const TEST_DOMAIN = "doh.test.";
 
   // Array of { name, canonicalName, uri } where name is an identifier for
   // telemetry, canonicalName is the expected CNAME when looking up doh.test,

browser/components/doh/TRRPerformance.jsm

@@ -68,7 +68,7 @@ XPCOMUtils.defineLazyPreferenceGetter(
   this,
   "kCanonicalDomain",
   "doh-rollout.trrRace.canonicalDomain",
-  "firefox-dns-perf-test.net"
+  "firefox-dns-perf-test.net."
 );
 
 // The number of random subdomains to resolve per TRR.
@@ -89,7 +89,13 @@ XPCOMUtils.defineLazyPreferenceGetter(
   val =>
     val
       ? val.split(",").map(t => t.trim())
-      : ["google.com", "youtube.com", "amazon.com", "facebook.com", "yahoo.com"]
+      : [
+          "google.com.",
+          "youtube.com.",
+          "amazon.com.",
+          "facebook.com.",
+          "yahoo.com.",
+        ]
 );
 
 function getRandomSubdomain() {

browser/components/doh/test/browser/browser_providerSteering.js

@@ -4,7 +4,7 @@
 
 "use strict";
 
-const TEST_DOMAIN = "doh.test";
+const TEST_DOMAIN = "doh.test.";
 const AUTO_TRR_URI = "https://dummytrr.com/query";
 
 add_task(setup);
@@ -82,7 +82,7 @@ add_task(async function testProviderSteering() {
   await testNetChangeResult(provider.uri, "enable_doh", provider.name);
 
   // Trigger safesearch heuristics and ensure provider steering is disabled.
-  let googleDomain = "google.com";
+  let googleDomain = "google.com.";
   let googleIP = "1.1.1.1";
   let googleSafeSearchIP = "1.1.1.2";
   gDNSOverride.clearHostOverride(googleDomain);

browser/components/doh/test/browser/head.js

@@ -92,24 +92,24 @@ async function setup() {
   // Set up heuristics, all passing by default.
 
   // Google safesearch overrides
-  gDNSOverride.addIPOverride("www.google.com", "1.1.1.1");
-  gDNSOverride.addIPOverride("google.com", "1.1.1.1");
-  gDNSOverride.addIPOverride("forcesafesearch.google.com", "1.1.1.2");
+  gDNSOverride.addIPOverride("www.google.com.", "1.1.1.1");
+  gDNSOverride.addIPOverride("google.com.", "1.1.1.1");
+  gDNSOverride.addIPOverride("forcesafesearch.google.com.", "1.1.1.2");
 
   // YouTube safesearch overrides
-  gDNSOverride.addIPOverride("www.youtube.com", "2.1.1.1");
-  gDNSOverride.addIPOverride("m.youtube.com", "2.1.1.1");
-  gDNSOverride.addIPOverride("youtubei.googleapis.com", "2.1.1.1");
-  gDNSOverride.addIPOverride("youtube.googleapis.com", "2.1.1.1");
-  gDNSOverride.addIPOverride("www.youtube-nocookie.com", "2.1.1.1");
-  gDNSOverride.addIPOverride("restrict.youtube.com", "2.1.1.2");
-  gDNSOverride.addIPOverride("restrictmoderate.youtube.com", "2.1.1.2");
+  gDNSOverride.addIPOverride("www.youtube.com.", "2.1.1.1");
+  gDNSOverride.addIPOverride("m.youtube.com.", "2.1.1.1");
+  gDNSOverride.addIPOverride("youtubei.googleapis.com.", "2.1.1.1");
+  gDNSOverride.addIPOverride("youtube.googleapis.com.", "2.1.1.1");
+  gDNSOverride.addIPOverride("www.youtube-nocookie.com.", "2.1.1.1");
+  gDNSOverride.addIPOverride("restrict.youtube.com.", "2.1.1.2");
+  gDNSOverride.addIPOverride("restrictmoderate.youtube.com.", "2.1.1.2");
 
   // Zscaler override
-  gDNSOverride.addIPOverride("sitereview.zscaler.com", "3.1.1.1");
+  gDNSOverride.addIPOverride("sitereview.zscaler.com.", "3.1.1.1");
 
   // Global canary
-  gDNSOverride.addIPOverride("use-application-dns.net", "4.1.1.1");
+  gDNSOverride.addIPOverride("use-application-dns.net.", "4.1.1.1");
 
   registerCleanupFunction(async () => {
     Services.telemetry.canRecordExtended = oldCanRecord;
@@ -237,13 +237,13 @@ async function restartDoHController() {
 // or disabled correctly. We use the zscaler canary arbitrarily here, individual
 // heuristics are tested separately.
 function setPassingHeuristics() {
-  gDNSOverride.clearHostOverride("sitereview.zscaler.com");
-  gDNSOverride.addIPOverride("sitereview.zscaler.com", "3.1.1.1");
+  gDNSOverride.clearHostOverride("sitereview.zscaler.com.");
+  gDNSOverride.addIPOverride("sitereview.zscaler.com.", "3.1.1.1");
 }
 
 function setFailingHeuristics() {
-  gDNSOverride.clearHostOverride("sitereview.zscaler.com");
-  gDNSOverride.addIPOverride("sitereview.zscaler.com", "213.152.228.242");
+  gDNSOverride.clearHostOverride("sitereview.zscaler.com.");
+  gDNSOverride.addIPOverride("sitereview.zscaler.com.", "213.152.228.242");
 }
 
 async function waitForDoorhanger() {

browser/components/doh/test/unit/head.js

@@ -77,12 +77,12 @@ function setup() {
 
   Services.prefs.setCharPref(
     "doh-rollout.trrRace.popularDomains",
-    "foo.example.com, bar.example.com"
+    "foo.example.com., bar.example.com."
   );
 
   Services.prefs.setCharPref(
     "doh-rollout.trrRace.canonicalDomain",
-    "firefox-dns-perf-test.net"
+    "firefox-dns-perf-test.net."
   );
 
   let defaultPrefBranch = Services.prefs.getDefaultBranch("");

browser/components/doh/test/unit/test_DNSLookup.js

@@ -17,7 +17,7 @@ add_task(async function test_SuccessfulRandomDNSLookup() {
   );
   lookup.doLookup();
   let result = await deferred.promise;
-  Assert.ok(result.usedDomain.endsWith(".firefox-dns-perf-test.net"));
+  Assert.ok(result.usedDomain.endsWith(".firefox-dns-perf-test.net."));
   Assert.equal(result.status, Cr.NS_OK);
   Assert.ok(result.record.QueryInterface(Ci.nsIDNSAddrRecord));
   Assert.ok(result.record.IsTRR());
@@ -55,7 +55,7 @@ add_task(async function test_FailedDNSLookup() {
   );
   lookup.doLookup();
   let result = await deferred.promise;
-  Assert.ok(result.usedDomain.endsWith(".firefox-dns-perf-test.net"));
+  Assert.ok(result.usedDomain.endsWith(".firefox-dns-perf-test.net."));
   Assert.notEqual(result.status, Cr.NS_OK);
   Assert.equal(result.record, null);
   Assert.equal(result.retryCount, 3);

browser/components/doh/test/unit/test_LookupAggregator.js

@@ -19,8 +19,8 @@ async function helper_SuccessfulLookupAggregator(
   // popular domains.
   Assert.equal(aggregator.domains[0], null);
   Assert.equal(aggregator.domains[1], null);
-  Assert.equal(aggregator.domains[2], "foo.example.com");
-  Assert.equal(aggregator.domains[3], "bar.example.com");
+  Assert.equal(aggregator.domains[2], "foo.example.com.");
+  Assert.equal(aggregator.domains[3], "bar.example.com.");
   Assert.equal(aggregator.totalLookups, 8); // 2 TRRs * 4 domains.
 
   if (networkUnstable) {
@@ -58,12 +58,12 @@ async function helper_SuccessfulLookupAggregator(
   for (let trr of [trrServer1, trrServer2]) {
     // There should be two results for random subdomains.
     let results = aggregator.results.filter(r => {
-      return r.trr == trr && r.domain.endsWith(".firefox-dns-perf-test.net");
+      return r.trr == trr && r.domain.endsWith(".firefox-dns-perf-test.net.");
     });
     Assert.equal(results.length, 2);
 
     for (let result of results) {
-      Assert.ok(result.domain.endsWith(".firefox-dns-perf-test.net"));
+      Assert.ok(result.domain.endsWith(".firefox-dns-perf-test.net."));
       Assert.equal(result.trr, trr);
       Assert.ok(Components.isSuccessCode(result.status));
       Assert.greater(result.time, 0);
@@ -83,15 +83,15 @@ async function helper_SuccessfulLookupAggregator(
 
     // There should be two results for the popular domains.
     results = aggregator.results.filter(r => {
-      return r.trr == trr && !r.domain.endsWith(".firefox-dns-perf-test.net");
+      return r.trr == trr && !r.domain.endsWith(".firefox-dns-perf-test.net.");
     });
     Assert.equal(results.length, 2);
 
     Assert.ok(
-      [results[0].domain, results[1].domain].includes("foo.example.com")
+      [results[0].domain, results[1].domain].includes("foo.example.com.")
     );
     Assert.ok(
-      [results[0].domain, results[1].domain].includes("bar.example.com")
+      [results[0].domain, results[1].domain].includes("bar.example.com.")
     );
     for (let result of results) {
       Assert.equal(result.trr, trr);
@@ -130,8 +130,8 @@ add_task(async function test_AbortedLookupAggregator() {
   // popular domains.
   Assert.equal(aggregator.domains[0], null);
   Assert.equal(aggregator.domains[1], null);
-  Assert.equal(aggregator.domains[2], "foo.example.com");
-  Assert.equal(aggregator.domains[3], "bar.example.com");
+  Assert.equal(aggregator.domains[2], "foo.example.com.");
+  Assert.equal(aggregator.domains[3], "bar.example.com.");
   Assert.equal(aggregator.totalLookups, 8); // 2 TRRs * 4 domains.
 
   // The aggregator should never call the onComplete callback. To test