On 20/06/12 17:34, Zack Weinberg wrote: > Ugh, you're right; I forgot about /etc/hosts and WINS names. > > There might be something clever we can do to detect these, but I'm not > sure what it would be offhand; the operating system APIs I know about > are deliberately designed to hide the details of where the names come > from :-(
So our current thought is that we can't technically do anything about this? But our options may change when we acquire our own DNS resolver? >> Can we tell those calls not to do their own suffix search before >> they return their answer? > > Yes, we just stick an extra dot on the end before calling getaddrinfo. And we'd have to find the source of suffixes on each OS so we could reimplement this functionality. > It's certainly possible, e.g. http://example.cc/ where `cc` is both a > real TLD and an internal subdomain. I suspect few businesses use existing real TLDs as their external subdomains. However, I also suspect quite a few use future TLDs! There are lots of short TLAs, e.g. ".aco", ".ads" - I bet there are many businesses with 3 or 4-letter initials who use them. And I bet a load use ".corp" (6 applicants) and ".inc" (11 applicants). > I confess I see this as another argument for disabling suffix search > altogether. It breaks *more*, but we get a substantial reduction in > context-dependence of URLs in exchange. I really don't think breaking people's existing DNS resolution configuration, and making Firefox inconsistent with all other apps on the machine, is a goer. Unless someone from the networking team wants to assert we should look into it... > Which we could collect: instrument the DNS resolver to tell us when the > result we got was from suffix search, count the number of times it > happens, report via Telemetry (we don't record the names, so this should > be plenty anonymous). Algorithm for telling: > > rA = getaddrinfo(name + "."); > if (rA) return rA; > > rB = getaddrinfo(name); > if (rB) > suffix_search++; > return rB; > > No additional overhead in the non-suffix-search case. What figures would make the change acceptable? 1%? 0.1%? 0.0001%? I suspect some users will never use this feature, and some will use it a lot (probably without knowing that they are using it). Gerv _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
