|  | // Copyright 2020 The Chromium Authors | 
|  | // Use of this source code is governed by a BSD-style license that can be | 
|  | // found in the LICENSE file. | 
|  |  | 
|  | #include "chrome/browser/net/stub_resolver_config_reader.h" | 
|  |  | 
|  | #include <set> | 
|  | #include <string> | 
|  | #include <utility> | 
|  | #include <vector> | 
|  |  | 
|  | #include "base/check.h" | 
|  | #include "base/feature_list.h" | 
|  | #include "base/functional/bind.h" | 
|  | #include "base/functional/callback.h" | 
|  | #include "base/location.h" | 
|  | #include "base/metrics/field_trial_params.h" | 
|  | #include "base/metrics/histogram_macros.h" | 
|  | #include "base/notreached.h" | 
|  | #include "base/values.h" | 
|  | #include "build/build_config.h" | 
|  | #include "build/chromeos_buildflags.h" | 
|  | #include "chrome/browser/browser_process.h" | 
|  | #include "chrome/browser/net/default_dns_over_https_config_source.h" | 
|  | #include "chrome/browser/net/dns_over_https_config_source.h" | 
|  | #include "chrome/browser/net/secure_dns_config.h" | 
|  | #include "chrome/browser/net/secure_dns_util.h" | 
|  | #include "chrome/browser/policy/chrome_browser_policy_connector.h" | 
|  | #include "chrome/common/chrome_features.h" | 
|  | #include "chrome/common/pref_names.h" | 
|  | #include "components/prefs/pref_registry_simple.h" | 
|  | #include "components/prefs/pref_service.h" | 
|  | #include "components/webui/flags/pref_service_flags_storage.h" | 
|  | #include "content/public/browser/network_service_instance.h" | 
|  | #include "net/base/features.h" | 
|  | #include "net/dns/public/dns_over_https_config.h" | 
|  | #include "net/dns/public/secure_dns_mode.h" | 
|  | #include "net/dns/public/util.h" | 
|  | #include "services/network/public/mojom/host_resolver.mojom.h" | 
|  | #include "services/network/public/mojom/network_service.mojom.h" | 
|  |  | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | #include "base/android/android_info.h" | 
|  | #include "chrome/browser/enterprise/util/android_enterprise_info.h" | 
|  | #endif | 
|  |  | 
|  | #if BUILDFLAG(IS_WIN) | 
|  | #include "base/enterprise_util.h" | 
|  | #include "base/scoped_native_library.h" | 
|  | #include "base/win/win_util.h" | 
|  | #include "base/win/windows_version.h" | 
|  | #include "chrome/browser/win/parental_controls.h" | 
|  | #endif | 
|  |  | 
|  | namespace { | 
|  |  | 
|  | // Detailed descriptions of the secure DNS mode. These values are logged to UMA. | 
|  | // Entries should not be renumbered and numeric values should never be reused. | 
|  | // Please keep in sync with "SecureDnsModeDetails" in | 
|  | // src/tools/metrics/histograms/enums.xml. | 
|  | enum class SecureDnsModeDetailsForHistogram { | 
|  | // The mode is controlled by the user and is set to 'off'. | 
|  | kOffByUser = 0, | 
|  | // The mode is controlled via enterprise policy and is set to 'off'. | 
|  | kOffByEnterprisePolicy = 1, | 
|  | // Chrome detected a managed environment and forced the mode to 'off'. | 
|  | kOffByDetectedManagedEnvironment = 2, | 
|  | // Chrome detected parental controls and forced the mode to 'off'. | 
|  | kOffByDetectedParentalControls = 3, | 
|  | // The mode is controlled by the user and is set to 'automatic' (the default | 
|  | // mode). | 
|  | kAutomaticByUser = 4, | 
|  | // The mode is controlled via enterprise policy and is set to 'automatic'. | 
|  | kAutomaticByEnterprisePolicy = 5, | 
|  | // The mode is controlled by the user and is set to 'secure'. | 
|  | kSecureByUser = 6, | 
|  | // The mode is controlled via enterprise policy and is set to 'secure'. | 
|  | kSecureByEnterprisePolicy = 7, | 
|  | kMaxValue = kSecureByEnterprisePolicy, | 
|  | }; | 
|  |  | 
|  | #if BUILDFLAG(IS_WIN) | 
|  | bool ShouldDisableDohForWindowsParentalControls() { | 
|  | return GetWinParentalControls().web_filter; | 
|  | } | 
|  |  | 
|  | // Defines the base::Feature for controlling the ZTDNS check. | 
|  | BASE_FEATURE(kZeroTrustDNS, base::FEATURE_ENABLED_BY_DEFAULT); | 
|  |  | 
|  | // DnsIsZtEnabled returns a BOOL value that specifies whether Zero | 
|  | // Trust DNS (ZTDNS) is enabled on the current device. | 
|  | using DnsIsZtEnabledFunc = BOOL (*)(); | 
|  |  | 
|  | // Applicable to Windows OS. | 
|  | // Returns true if Zero Trust DNS is enabled at the OS level. | 
|  | // Returns false if Zero Trust DNS is either not enabled or unsupported. | 
|  | bool IsZTDNSEnabled() { | 
|  | if (StubResolverConfigReader::IsZTDNSEnabledForTesting()) { | 
|  | return true; | 
|  | } | 
|  |  | 
|  | if (!base::FeatureList::IsEnabled(kZeroTrustDNS)) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | // DnsIsZtEnabled returns a BOOL value that specifies whether Zero | 
|  | // Trust DNS (ZTDNS) is enabled on the current device. | 
|  | // There is no import library for this function, thus using native | 
|  | // dnsapi.dll library. | 
|  | const wchar_t* dll_name = L"dnsapi.dll"; | 
|  | const char* function_name = "DnsIsZtEnabled"; | 
|  | auto dns_api_dll = base::ScopedNativeLibrary(base::FilePath(dll_name)); | 
|  |  | 
|  | if (!dns_api_dll.is_valid()) { | 
|  | return false; | 
|  | } | 
|  |  | 
|  | auto dns_is_zt_enabled_func = reinterpret_cast<DnsIsZtEnabledFunc>( | 
|  | dns_api_dll.GetFunctionPointer(function_name)); | 
|  |  | 
|  | if (!dns_is_zt_enabled_func) { | 
|  | const base::win::OSInfo* os_info = base::win::OSInfo::GetInstance(); | 
|  | auto os_info_version = os_info->version(); | 
|  | auto os_info_version_number = os_info->version_number(); | 
|  |  | 
|  | DCHECK(!(os_info_version > base::win::Version::WIN11_24H2 || | 
|  | (os_info_version == base::win::Version::WIN11_24H2 && | 
|  | os_info_version_number.build >= 27766))) | 
|  | << function_name | 
|  | << " not found, but it was expected on this OS version: " | 
|  | << "Major: " << os_info_version_number.major | 
|  | << ", Minor: " << os_info_version_number.minor | 
|  | << ", Build: " << os_info_version_number.build | 
|  | << " (Comparing against > WIN11_24H2 or WIN11_24H2 with build >= " | 
|  | "27766)"; | 
|  | return false; | 
|  | } | 
|  | return dns_is_zt_enabled_func(); | 
|  | } | 
|  | #endif  // BUILDFLAG(IS_WIN) | 
|  |  | 
|  | // Check the AsyncDns field trial and return true if it should be enabled. On | 
|  | // Android this includes checking the Android version in the field trial. | 
|  | bool ShouldEnableAsyncDns() { | 
|  | #if BUILDFLAG(IS_WIN) | 
|  | // On Windows if Zero Trust DNS is enabled on current device, | 
|  | // we should not use built-in resolver (async dns). It should | 
|  | // always use system (OS) resolver. | 
|  | if (IsZTDNSEnabled()) { | 
|  | return false; | 
|  | } | 
|  | #endif | 
|  | bool feature_can_be_enabled = true; | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | int min_sdk = base::GetFieldTrialParamByFeatureAsInt(net::features::kAsyncDns, | 
|  | "min_sdk", 0); | 
|  | if (base::android::android_info::sdk_int() < min_sdk) { | 
|  | feature_can_be_enabled = false; | 
|  | } | 
|  | #endif | 
|  | return feature_can_be_enabled && | 
|  | base::FeatureList::IsEnabled(net::features::kAsyncDns); | 
|  | } | 
|  |  | 
|  | }  // namespace | 
|  |  | 
|  | #if BUILDFLAG(IS_WIN) | 
|  | // static | 
|  | bool StubResolverConfigReader::is_ztdns_enabled_for_testing_ = false; | 
|  | #endif | 
|  |  | 
|  | // static | 
|  | constexpr base::TimeDelta StubResolverConfigReader::kParentalControlsCheckDelay; | 
|  |  | 
|  | StubResolverConfigReader::StubResolverConfigReader(PrefService* local_state, | 
|  | bool set_up_pref_defaults) | 
|  | : local_state_(local_state) { | 
|  | default_doh_source_ = std::make_unique<DefaultDnsOverHttpsConfigSource>( | 
|  | local_state_, set_up_pref_defaults); | 
|  | if (set_up_pref_defaults) { | 
|  | // Update the DnsClient based on the corresponding features before | 
|  | // registering change callbacks for these preferences. Changing prefs or | 
|  | // defaults after registering change callbacks could result in reentrancy | 
|  | // and mess up registration between this code and NetworkService creation. | 
|  | local_state->SetDefaultPrefValue(prefs::kBuiltInDnsClientEnabled, | 
|  | base::Value(ShouldEnableAsyncDns())); | 
|  | } | 
|  | base::RepeatingClosure pref_callback = | 
|  | base::BindRepeating(&StubResolverConfigReader::UpdateNetworkService, | 
|  | base::Unretained(this), false /* record_metrics */); | 
|  | default_doh_source_->SetDohChangeCallback(pref_callback); | 
|  |  | 
|  | pref_change_registrar_.Init(local_state_); | 
|  | pref_change_registrar_.Add(prefs::kBuiltInDnsClientEnabled, pref_callback); | 
|  | pref_change_registrar_.Add(prefs::kAdditionalDnsQueryTypesEnabled, | 
|  | pref_callback); | 
|  | pref_change_registrar_.Add(prefs::kHappyEyeballsV3Enabled, pref_callback); | 
|  |  | 
|  | parental_controls_delay_timer_.Start( | 
|  | FROM_HERE, kParentalControlsCheckDelay, | 
|  | base::BindOnce(&StubResolverConfigReader::OnParentalControlsDelayTimer, | 
|  | base::Unretained(this))); | 
|  |  | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | enterprise_util::AndroidEnterpriseInfo::GetInstance() | 
|  | ->GetAndroidEnterpriseInfoState(base::BindOnce( | 
|  | &StubResolverConfigReader::OnAndroidOwnedStateCheckComplete, | 
|  | weak_factory_.GetWeakPtr())); | 
|  | #endif | 
|  | } | 
|  |  | 
|  | StubResolverConfigReader::~StubResolverConfigReader() = default; | 
|  |  | 
|  | // static | 
|  | void StubResolverConfigReader::RegisterPrefs(PrefRegistrySimple* registry) { | 
|  | // Register the DnsClient and DoH preferences. The feature list has not been | 
|  | // initialized yet, so setting the preference defaults here to reflect the | 
|  | // corresponding features will only cause the preference defaults to reflect | 
|  | // the feature defaults (feature values set via the command line will not be | 
|  | // captured). Thus, the preference defaults are updated in the constructor | 
|  | // for SystemNetworkContextManager, at which point the feature list is ready. | 
|  | registry->RegisterBooleanPref(prefs::kBuiltInDnsClientEnabled, false); | 
|  | registry->RegisterBooleanPref(prefs::kAdditionalDnsQueryTypesEnabled, true); | 
|  | registry->RegisterBooleanPref(prefs::kHappyEyeballsV3Enabled, false); | 
|  | } | 
|  |  | 
|  | SecureDnsConfig StubResolverConfigReader::GetSecureDnsConfiguration( | 
|  | bool force_check_parental_controls_for_automatic_mode) { | 
|  | return GetAndUpdateConfiguration( | 
|  | force_check_parental_controls_for_automatic_mode, | 
|  | false /* record_metrics */, false /* update_network_service */); | 
|  | } | 
|  |  | 
|  | void StubResolverConfigReader::UpdateNetworkService(bool record_metrics) { | 
|  | GetAndUpdateConfiguration( | 
|  | false /* force_check_parental_controls_for_automatic_mode */, | 
|  | record_metrics, true /* update_network_service */); | 
|  | } | 
|  |  | 
|  | bool StubResolverConfigReader::ShouldDisableDohForManaged() { | 
|  | // This function ignores cloud policies which are loaded on a per-profile basis. | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | // Check for MDM/management/owner apps. android_has_owner_ is true if either a | 
|  | // device or policy owner app is discovered by | 
|  | // GetAndroidEnterpriseInfoState(). If android_has_owner_ is nullopt, take a | 
|  | // value of false so that we don't disable DoH during the async check. | 
|  |  | 
|  | // Because Android policies can only be loaded with owner apps this is | 
|  | // sufficient to check for the prescences of policies as well. | 
|  | if (android_has_owner_.value_or(false)) | 
|  | return true; | 
|  | #elif BUILDFLAG(IS_WIN) | 
|  | // TODO(crbug.com/40229843): What is the correct function to use here? (This | 
|  | // may or may not obsolete the following TODO) | 
|  | // TODO(crbug.com/40223626): For legacy compatibility, this uses | 
|  | // IsEnterpriseDevice() which effectively equates to a domain join check. | 
|  | // Consider whether this should use IsManagedDevice() instead. | 
|  | if (base::win::IsEnrolledToDomain()) | 
|  | return true; | 
|  | #endif | 
|  | #if !BUILDFLAG(IS_ANDROID) && !BUILDFLAG(IS_CHROMEOS) | 
|  | if (g_browser_process->browser_policy_connector()->HasMachineLevelPolicies()) | 
|  | return true; | 
|  | #endif | 
|  | return false; | 
|  | } | 
|  |  | 
|  | bool StubResolverConfigReader::ShouldDisableDohForParentalControls() { | 
|  | if (parental_controls_testing_override_.has_value()) | 
|  | return parental_controls_testing_override_.value(); | 
|  |  | 
|  | #if BUILDFLAG(IS_WIN) | 
|  | return ShouldDisableDohForWindowsParentalControls(); | 
|  | #else | 
|  | return false; | 
|  | #endif | 
|  | } | 
|  |  | 
|  | void StubResolverConfigReader::SetOverrideDnsOverHttpsConfigSource( | 
|  | std::unique_ptr<DnsOverHttpsConfigSource> doh_source) { | 
|  | override_doh_source_ = std::move(doh_source); | 
|  |  | 
|  | if (override_doh_source_) { | 
|  | override_doh_source_->SetDohChangeCallback(base::BindRepeating( | 
|  | &StubResolverConfigReader::UpdateNetworkService, | 
|  | weak_factory_.GetWeakPtr(), /*record_metrics=*/false)); | 
|  | } | 
|  | UpdateNetworkService(/*record_metrics=*/false); | 
|  | } | 
|  |  | 
|  | const DnsOverHttpsConfigSource* | 
|  | StubResolverConfigReader::GetDnsOverHttpsConfigSource() const { | 
|  | if (override_doh_source_) { | 
|  | return override_doh_source_.get(); | 
|  | } | 
|  | return default_doh_source_.get(); | 
|  | } | 
|  |  | 
|  | bool StubResolverConfigReader::GetHappyEyeballsV3Enabled() const { | 
|  | if (local_state_->IsManagedPreference(prefs::kHappyEyeballsV3Enabled)) { | 
|  | return local_state_->GetBoolean(prefs::kHappyEyeballsV3Enabled); | 
|  | } | 
|  | return base::FeatureList::IsEnabled(net::features::kHappyEyeballsV3); | 
|  | } | 
|  |  | 
|  | void StubResolverConfigReader::OnParentalControlsDelayTimer() { | 
|  | DCHECK(!parental_controls_delay_timer_.IsRunning()); | 
|  |  | 
|  | // No need to act if parental controls were checked early. | 
|  | if (parental_controls_checked_) | 
|  | return; | 
|  | parental_controls_checked_ = true; | 
|  |  | 
|  | // If parental controls are enabled, force a config change so secure DNS can | 
|  | // be disabled. | 
|  | if (ShouldDisableDohForParentalControls()) | 
|  | UpdateNetworkService(false /* record_metrics */); | 
|  | } | 
|  |  | 
|  | bool StubResolverConfigReader::GetInsecureStubResolverEnabled() { | 
|  | return local_state_->GetBoolean(prefs::kBuiltInDnsClientEnabled); | 
|  | } | 
|  |  | 
|  | SecureDnsConfig StubResolverConfigReader::GetAndUpdateConfiguration( | 
|  | bool force_check_parental_controls_for_automatic_mode, | 
|  | bool record_metrics, | 
|  | bool update_network_service) { | 
|  | DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_); | 
|  |  | 
|  | net::SecureDnsMode secure_dns_mode; | 
|  | SecureDnsModeDetailsForHistogram mode_details; | 
|  | SecureDnsConfig::ManagementMode forced_management_mode = | 
|  | SecureDnsConfig::ManagementMode::kNoOverride; | 
|  | bool is_managed = GetDnsOverHttpsConfigSource()->IsConfigManaged(); | 
|  | if (!is_managed && ShouldDisableDohForManaged()) { | 
|  | secure_dns_mode = net::SecureDnsMode::kOff; | 
|  | forced_management_mode = SecureDnsConfig::ManagementMode::kDisabledManaged; | 
|  | } else { | 
|  | secure_dns_mode = SecureDnsConfig::ParseMode( | 
|  | GetDnsOverHttpsConfigSource()->GetDnsOverHttpsMode()) | 
|  | .value_or(net::SecureDnsMode::kOff); | 
|  | } | 
|  |  | 
|  | bool check_parental_controls = false; | 
|  | if (secure_dns_mode == net::SecureDnsMode::kSecure) { | 
|  | mode_details = | 
|  | is_managed ? SecureDnsModeDetailsForHistogram::kSecureByEnterprisePolicy | 
|  | : SecureDnsModeDetailsForHistogram::kSecureByUser; | 
|  |  | 
|  | // SECURE mode must always check for parental controls immediately (unless | 
|  | // enabled through policy, which takes precedence over parental controls) | 
|  | // because the mode allows sending DoH requests immediately. | 
|  | check_parental_controls = !is_managed; | 
|  | } else if (secure_dns_mode == net::SecureDnsMode::kAutomatic) { | 
|  | mode_details = | 
|  | is_managed | 
|  | ? SecureDnsModeDetailsForHistogram::kAutomaticByEnterprisePolicy | 
|  | : SecureDnsModeDetailsForHistogram::kAutomaticByUser; | 
|  |  | 
|  | // To avoid impacting startup performance, AUTOMATIC mode should defer | 
|  | // checking parental for a short period. This delay should have no practical | 
|  | // effect on DoH queries because DoH enabling probes do not start until a | 
|  | // longer period after startup. | 
|  | bool allow_check_parental_controls = | 
|  | force_check_parental_controls_for_automatic_mode || | 
|  | parental_controls_checked_; | 
|  | check_parental_controls = !is_managed && allow_check_parental_controls; | 
|  | } else { | 
|  | switch (forced_management_mode) { | 
|  | case SecureDnsConfig::ManagementMode::kNoOverride: | 
|  | mode_details = | 
|  | is_managed | 
|  | ? SecureDnsModeDetailsForHistogram::kOffByEnterprisePolicy | 
|  | : SecureDnsModeDetailsForHistogram::kOffByUser; | 
|  | break; | 
|  | case SecureDnsConfig::ManagementMode::kDisabledManaged: | 
|  | mode_details = | 
|  | SecureDnsModeDetailsForHistogram::kOffByDetectedManagedEnvironment; | 
|  | break; | 
|  | case SecureDnsConfig::ManagementMode::kDisabledParentalControls: | 
|  | NOTREACHED(); | 
|  | default: | 
|  | NOTREACHED(); | 
|  | } | 
|  |  | 
|  | // No need to check for parental controls if DoH is already disabled. | 
|  | check_parental_controls = false; | 
|  | } | 
|  |  | 
|  | // Check parental controls last because it can be expensive and should only be | 
|  | // checked if necessary for the otherwise-determined mode. | 
|  | if (check_parental_controls) { | 
|  | if (ShouldDisableDohForParentalControls()) { | 
|  | forced_management_mode = | 
|  | SecureDnsConfig::ManagementMode::kDisabledParentalControls; | 
|  | secure_dns_mode = net::SecureDnsMode::kOff; | 
|  | mode_details = | 
|  | SecureDnsModeDetailsForHistogram::kOffByDetectedParentalControls; | 
|  |  | 
|  | // If parental controls had not previously been checked, need to update | 
|  | // network service. | 
|  | if (!parental_controls_checked_) | 
|  | update_network_service = true; | 
|  | } | 
|  |  | 
|  | parental_controls_checked_ = true; | 
|  | } | 
|  |  | 
|  | bool additional_dns_query_types_enabled = | 
|  | local_state_->GetBoolean(prefs::kAdditionalDnsQueryTypesEnabled); | 
|  |  | 
|  | if (record_metrics) { | 
|  | UMA_HISTOGRAM_ENUMERATION("Net.DNS.DnsConfig.SecureDnsMode", mode_details); | 
|  | if (!additional_dns_query_types_enabled || ShouldDisableDohForManaged()) { | 
|  | UMA_HISTOGRAM_BOOLEAN("Net.DNS.DnsConfig.AdditionalDnsQueryTypesEnabled", | 
|  | additional_dns_query_types_enabled); | 
|  | } | 
|  | } | 
|  |  | 
|  | net::DnsOverHttpsConfig doh_config; | 
|  | if (secure_dns_mode != net::SecureDnsMode::kOff) { | 
|  | doh_config = net::DnsOverHttpsConfig::FromStringLax( | 
|  | GetDnsOverHttpsConfigSource()->GetDnsOverHttpsTemplates()); | 
|  | } | 
|  | if (update_network_service) { | 
|  | content::GetNetworkService()->ConfigureStubHostResolver( | 
|  | GetInsecureStubResolverEnabled(), GetHappyEyeballsV3Enabled(), | 
|  | secure_dns_mode, doh_config, additional_dns_query_types_enabled); | 
|  | } | 
|  |  | 
|  | return SecureDnsConfig(secure_dns_mode, std::move(doh_config), | 
|  | forced_management_mode); | 
|  | } | 
|  |  | 
|  | #if BUILDFLAG(IS_ANDROID) | 
|  | void StubResolverConfigReader::OnAndroidOwnedStateCheckComplete( | 
|  | bool has_profile_owner, | 
|  | bool has_device_owner) { | 
|  | DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_); | 
|  | android_has_owner_ = has_profile_owner || has_device_owner; | 
|  | // update the network service if the actual result is "true" to save time. | 
|  | if (android_has_owner_.value()) | 
|  | UpdateNetworkService(false /* record_metrics */); | 
|  | } | 
|  | #endif |