Skip to content

fix(webtransport): prevent Chrome DNS port-scanning penalty #3357

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(webtransport): prevent Chrome DNS port-scanning penalty #3357

wants to merge 1 commit into from
+263 −4

Conversation

@aannaannyaaa
Copy link

@aannaannyaaa aannaannyaaa commented Nov 21, 2025

Fix Chrome WebTransport DNS port-scanning penalty

Fixes #3286

Problem

Chrome has an anti-port-scanning mechanism that penalizes cancelled WebTransport requests. When a DNS-based multiaddr is dialed and cancelled before DNS resolution completes, Chrome stores the penalty against an empty string key instead of a specific IP address.

This causes ALL future DNS-based WebTransport dials to be penalized, not just dials to that specific host.

Solution

This PR adds DNS pre-resolution for WebTransport multiaddrs in Chrome only:

  1. Detects Chrome browser via user agent (isChrome())
  2. Detects DNS components in multiaddrs (hasDNSComponent())
  3. Adds async boundary before creating WebTransport session
  4. Allows Chrome's DNS resolver to complete before dial
  5. Ensures penalties are applied per-IP, not globally

Key Changes

  • Added isChrome() function to detect Chrome/Chromium browsers
  • Added hasDNSComponent() to detect DNS-based multiaddrs
  • Added resolveMultiaddrDNS() to create async boundary for Chrome
  • Refactored dial() to pre-resolve DNS before dialing
  • Added dialSingleAddress() private method for cleaner separation
  • Added comprehensive tests for Chrome detection and DNS handling

How It Works

The async boundary (await setTimeout(0)) ensures we yield to the event loop, giving Chrome's internal DNS resolver time to complete before the WebTransport session is created:

  • Before: dial() → immediately create WebTransport → DNS not resolved → cancellation → penalty to ""
  • After: dial() → async boundary → create WebTransport → DNS resolved → cancellation → penalty to specific IP

Test Results

22/22 tests passing in browser environment
22/22 tests passing in webworker environment
All new Chrome DNS tests passing (11 new tests)
No regressions in existing tests

New Tests Added

  • Chrome detection tests (4 tests)
  • DNS component detection tests (5 tests)
  • DNS multiaddr handling tests (2 tests)

Browser Compatibility

  • Chrome/Chromium: DNS pre-resolution active (fixes issue)
  • Firefox/Safari/Edge: No change in behavior
  • Node.js: No change in behavior

Breaking Changes

None. This is a backward-compatible fix that only affects Chrome browsers with DNS-based multiaddrs.

image

@aannaannyaaa aannaannyaaa requested a review from a team as a code owner November 21, 2025 19:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Resolve DNS portions of WebTransport addresses before dialing

1 participant

@aannaannyaaa