Revert "Configure the insecure and secure parts of the async resolver separately."

This reverts commit 7faa4bf2.

Reason for revert:
This CL depends on the CL that causes MSAN failures on Linux bots:
https://findit-for-me.appspot.com/waterfall/failure?url=https://build.chromium.org/p/chromium.memory/builders/Linux%20MSan%20Tests/builds/18180

To revert that CL, let me revert this CL.

Original change's description:
> Configure the insecure and secure parts of the async resolver separately.
> 
> We can now set the secure dns mode to AUTOMATIC and turn the insecure part of
> the resolver off, which will result in the async resolver issuing DoH requests
> and falling back to the system resolver without attempting to send plaintext
> DNS requests itself.
> 
> In a follow up cl, the secure dns mode part of the configuration will be read from
> prefs. For now, we continue to set the mode to AUTOMATIC if there are DoH servers
> specified and to OFF otherwise.
> 
> Bug: 985589
> Change-Id: Ia40cbae1fdd57e19e925e125dcf1e82289220242
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1709928
> Commit-Queue: Katharine Daly <dalyk@google.com>
> Reviewed-by: Tom Sepez <tsepez@chromium.org>
> Reviewed-by: Eric Orth <ericorth@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#680161}

TBR=tsepez@chromium.org,ericorth@chromium.org,dalyk@google.com

Change-Id: I0e118abc67bb2b06860894079c5ed509d8179dff
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 985589
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1715265Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org>
Cr-Commit-Position: refs/heads/master@{#680297}

chrome/browser/net/system_network_context_manager.cc

@@ -84,15 +84,11 @@ SystemNetworkContextManager* g_system_network_context_manager = nullptr;
 
 void GetStubResolverConfig(
     PrefService* local_state,
-    bool* insecure_stub_resolver_enabled,
-    net::DnsConfig::SecureDnsMode* secure_dns_mode,
+    bool* stub_resolver_enabled,
     base::Optional<std::vector<network::mojom::DnsOverHttpsServerPtr>>*
         dns_over_https_servers) {
   DCHECK(!dns_over_https_servers->has_value());
 
-  *insecure_stub_resolver_enabled =
-      local_state->GetBoolean(prefs::kBuiltInDnsClientEnabled);
-
   const auto& doh_server_list =
       local_state->GetList(prefs::kDnsOverHttpsServers)->GetList();
   const auto& doh_server_method_list =
@@ -132,24 +128,20 @@ void GetStubResolverConfig(
     }
   }
 
-  // TODO(crbug.com/985589): Read secure dns mode from prefs.
-  if (dns_over_https_servers->has_value())
-    *secure_dns_mode = net::DnsConfig::SecureDnsMode::AUTOMATIC;
-  else
-    *secure_dns_mode = net::DnsConfig::SecureDnsMode::OFF;
+  *stub_resolver_enabled =
+      dns_over_https_servers->has_value() ||
+      local_state->GetBoolean(prefs::kBuiltInDnsClientEnabled);
 }
 
 void OnStubResolverConfigChanged(PrefService* local_state,
                                  const std::string& pref_name) {
-  bool insecure_stub_resolver_enabled;
-  net::DnsConfig::SecureDnsMode secure_dns_mode;
+  bool stub_resolver_enabled;
   base::Optional<std::vector<network::mojom::DnsOverHttpsServerPtr>>
       dns_over_https_servers;
-  GetStubResolverConfig(local_state, &insecure_stub_resolver_enabled,
-                        &secure_dns_mode, &dns_over_https_servers);
+  GetStubResolverConfig(local_state, &stub_resolver_enabled,
+                        &dns_over_https_servers);
   content::GetNetworkService()->ConfigureStubHostResolver(
-      insecure_stub_resolver_enabled, secure_dns_mode,
-      std::move(dns_over_https_servers));
+      stub_resolver_enabled, std::move(dns_over_https_servers));
 }
 
 // Constructs HttpAuthStaticParams based on |local_state|.
@@ -562,15 +554,13 @@ void SystemNetworkContextManager::OnNetworkServiceCreated(
 
   // Configure the stub resolver. This must be done after the system
   // NetworkContext is created, but before anything has the chance to use it.
-  bool insecure_stub_resolver_enabled;
-  net::DnsConfig::SecureDnsMode secure_dns_mode;
+  bool stub_resolver_enabled;
   base::Optional<std::vector<network::mojom::DnsOverHttpsServerPtr>>
       dns_over_https_servers;
-  GetStubResolverConfig(local_state_, &insecure_stub_resolver_enabled,
-                        &secure_dns_mode, &dns_over_https_servers);
+  GetStubResolverConfig(local_state_, &stub_resolver_enabled,
+                        &dns_over_https_servers);
   content::GetNetworkService()->ConfigureStubHostResolver(
-      insecure_stub_resolver_enabled, secure_dns_mode,
-      std::move(dns_over_https_servers));
+      stub_resolver_enabled, std::move(dns_over_https_servers));
 
 #if defined(OS_LINUX) && !defined(OS_CHROMEOS)
   const base::CommandLine& command_line =
@@ -716,12 +706,10 @@ void SystemNetworkContextManager::FlushNetworkInterfaceForTesting() {
 }
 
 void SystemNetworkContextManager::GetStubResolverConfigForTesting(
-    bool* insecure_stub_resolver_enabled,
-    net::DnsConfig::SecureDnsMode* secure_dns_mode,
+    bool* stub_resolver_enabled,
     base::Optional<std::vector<network::mojom::DnsOverHttpsServerPtr>>*
         dns_over_https_servers) {
-  GetStubResolverConfig(g_browser_process->local_state(),
-                        insecure_stub_resolver_enabled, secure_dns_mode,
+  GetStubResolverConfig(g_browser_process->local_state(), stub_resolver_enabled,
                         dns_over_https_servers);
 }
 

chrome/browser/net/system_network_context_manager.h

@@ -130,8 +130,7 @@ class SystemNetworkContextManager {
 
   // Returns configuration that would be sent to the stub DNS resolver.
   static void GetStubResolverConfigForTesting(
-      bool* insecure_stub_resolver_enabled,
-      net::DnsConfig::SecureDnsMode* secure_dns_mode,
+      bool* stub_resolver_enabled,
       base::Optional<std::vector<network::mojom::DnsOverHttpsServerPtr>>*
           dns_over_https_servers);
 

chrome/browser/net/system_network_context_manager_browsertest.cc

@@ -30,31 +30,25 @@
 namespace {
 
 void GetStubResolverConfig(
-    bool* insecure_stub_resolver_enabled,
-    net::DnsConfig::SecureDnsMode* secure_dns_mode,
+    bool* stub_resolver_enabled,
     base::Optional<std::vector<network::mojom::DnsOverHttpsServerPtr>>*
         dns_over_https_servers) {
   dns_over_https_servers->reset();
 
   SystemNetworkContextManager::GetStubResolverConfigForTesting(
-      insecure_stub_resolver_enabled, secure_dns_mode, dns_over_https_servers);
+      stub_resolver_enabled, dns_over_https_servers);
 }
 
 // Checks the values returned by GetStubResolverConfigForTesting() match
 // |async_dns_feature_enabled| (With empty DNS over HTTPS prefs). Then sets
 // various DNS over HTTPS servers, and makes sure the settings are respected.
-// TODO(crbug.com/985589): Check that the SecureDnsMode is read correctly from
-// the prefs once it is stored there.
 void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   // Check initial state.
-  bool insecure_stub_resolver_enabled = !async_dns_feature_enabled;
-  net::DnsConfig::SecureDnsMode secure_dns_mode;
+  bool stub_resolver_enabled = !async_dns_feature_enabled;
   base::Optional<std::vector<network::mojom::DnsOverHttpsServerPtr>>
       dns_over_https_servers;
-  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
-                        &dns_over_https_servers);
-  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
-  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF, secure_dns_mode);
+  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
+  EXPECT_EQ(async_dns_feature_enabled, stub_resolver_enabled);
   EXPECT_FALSE(dns_over_https_servers.has_value());
 
   // Check state after setting various DNS over HTTPS preferences.
@@ -80,10 +74,8 @@ void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   servers.GetList().push_back(base::Value(kGoodGetTemplate));
   local_state->Set(prefs::kDnsOverHttpsServers, servers);
   local_state->Set(prefs::kDnsOverHttpsServerMethods, methods);
-  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
-                        &dns_over_https_servers);
-  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
-  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF, secure_dns_mode);
+  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
+  EXPECT_EQ(async_dns_feature_enabled, stub_resolver_enabled);
   EXPECT_FALSE(dns_over_https_servers.has_value());
   servers.GetList().clear();
   methods.GetList().clear();
@@ -91,10 +83,8 @@ void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   methods.GetList().push_back(base::Value(kPost));
   local_state->Set(prefs::kDnsOverHttpsServers, servers);
   local_state->Set(prefs::kDnsOverHttpsServerMethods, methods);
-  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
-                        &dns_over_https_servers);
-  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
-  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF, secure_dns_mode);
+  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
+  EXPECT_EQ(async_dns_feature_enabled, stub_resolver_enabled);
   EXPECT_FALSE(dns_over_https_servers.has_value());
   servers.GetList().clear();
   methods.GetList().clear();
@@ -104,10 +94,8 @@ void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   methods.GetList().push_back(base::Value(kPost));
   local_state->Set(prefs::kDnsOverHttpsServers, servers);
   local_state->Set(prefs::kDnsOverHttpsServerMethods, methods);
-  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
-                        &dns_over_https_servers);
-  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
-  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF, secure_dns_mode);
+  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
+  EXPECT_EQ(async_dns_feature_enabled, stub_resolver_enabled);
   EXPECT_FALSE(dns_over_https_servers.has_value());
   servers.GetList().clear();
   methods.GetList().clear();
@@ -117,10 +105,8 @@ void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   methods.GetList().push_back(base::Value(3.14));
   local_state->Set(prefs::kDnsOverHttpsServers, servers);
   local_state->Set(prefs::kDnsOverHttpsServerMethods, methods);
-  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
-                        &dns_over_https_servers);
-  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
-  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF, secure_dns_mode);
+  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
+  EXPECT_EQ(async_dns_feature_enabled, stub_resolver_enabled);
   EXPECT_FALSE(dns_over_https_servers.has_value());
   servers.GetList().clear();
   methods.GetList().clear();
@@ -130,10 +116,8 @@ void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   methods.GetList().push_back(base::Value(kPost));
   local_state->Set(prefs::kDnsOverHttpsServers, servers);
   local_state->Set(prefs::kDnsOverHttpsServerMethods, methods);
-  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
-                        &dns_over_https_servers);
-  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
-  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF, secure_dns_mode);
+  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
+  EXPECT_EQ(async_dns_feature_enabled, stub_resolver_enabled);
   EXPECT_FALSE(dns_over_https_servers.has_value());
   servers.GetList().clear();
   methods.GetList().clear();
@@ -143,10 +127,8 @@ void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   methods.GetList().push_back(base::Value(kPost));
   local_state->Set(prefs::kDnsOverHttpsServers, servers);
   local_state->Set(prefs::kDnsOverHttpsServerMethods, methods);
-  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
-                        &dns_over_https_servers);
-  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
-  EXPECT_EQ(net::DnsConfig::SecureDnsMode::AUTOMATIC, secure_dns_mode);
+  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
+  EXPECT_EQ(true, stub_resolver_enabled);
   ASSERT_TRUE(dns_over_https_servers.has_value());
   ASSERT_EQ(1u, dns_over_https_servers->size());
   EXPECT_EQ(kGoodPostTemplate, dns_over_https_servers->at(0)->server_template);
@@ -161,10 +143,8 @@ void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   methods.GetList().push_back(base::Value(kPost));
   local_state->Set(prefs::kDnsOverHttpsServers, servers);
   local_state->Set(prefs::kDnsOverHttpsServerMethods, methods);
-  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
-                        &dns_over_https_servers);
-  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
-  EXPECT_EQ(net::DnsConfig::SecureDnsMode::AUTOMATIC, secure_dns_mode);
+  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
+  EXPECT_EQ(true, stub_resolver_enabled);
   ASSERT_TRUE(dns_over_https_servers.has_value());
   ASSERT_EQ(1u, dns_over_https_servers->size());
   EXPECT_EQ(kGoodGetTemplate, dns_over_https_servers->at(0)->server_template);
@@ -179,10 +159,8 @@ void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   methods.GetList().push_back(base::Value(kGet));
   local_state->Set(prefs::kDnsOverHttpsServers, servers);
   local_state->Set(prefs::kDnsOverHttpsServerMethods, methods);
-  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
-                        &dns_over_https_servers);
-  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
-  EXPECT_EQ(net::DnsConfig::SecureDnsMode::AUTOMATIC, secure_dns_mode);
+  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
+  EXPECT_EQ(true, stub_resolver_enabled);
   ASSERT_TRUE(dns_over_https_servers.has_value());
   ASSERT_EQ(2u, dns_over_https_servers->size());
   EXPECT_EQ(kGoodPostTemplate, dns_over_https_servers->at(0)->server_template);
@@ -195,17 +173,13 @@ void RunStubResolverConfigTests(bool async_dns_feature_enabled) {
   // Test case with policy BuiltInDnsClientEnabled enabled.
   local_state->Set(prefs::kDnsOverHttpsServers, servers);
   local_state->Set(prefs::kDnsOverHttpsServerMethods, methods);
-  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
-                        &dns_over_https_servers);
-  EXPECT_EQ(async_dns_feature_enabled, insecure_stub_resolver_enabled);
-  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF, secure_dns_mode);
+  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
+  EXPECT_EQ(async_dns_feature_enabled, stub_resolver_enabled);
   EXPECT_FALSE(dns_over_https_servers.has_value());
   local_state->Set(prefs::kBuiltInDnsClientEnabled,
                    base::Value(!async_dns_feature_enabled));
-  GetStubResolverConfig(&insecure_stub_resolver_enabled, &secure_dns_mode,
-                        &dns_over_https_servers);
-  EXPECT_EQ(!async_dns_feature_enabled, insecure_stub_resolver_enabled);
-  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF, secure_dns_mode);
+  GetStubResolverConfig(&stub_resolver_enabled, &dns_over_https_servers);
+  EXPECT_EQ(!async_dns_feature_enabled, stub_resolver_enabled);
   EXPECT_FALSE(dns_over_https_servers.has_value());
 }
 

services/network/network_service.cc

@@ -31,6 +31,7 @@
 #include "net/cert/cert_database.h"
 #include "net/cert/ct_log_response_parser.h"
 #include "net/cert/signed_tree_head.h"
+#include "net/dns/dns_config.h"
 #include "net/dns/dns_config_overrides.h"
 #include "net/dns/host_resolver.h"
 #include "net/dns/host_resolver_manager.h"
@@ -450,16 +451,17 @@ void NetworkService::CreateNetworkContext(
 }
 
 void NetworkService::ConfigureStubHostResolver(
-    bool insecure_dns_client_enabled,
-    net::DnsConfig::SecureDnsMode secure_dns_mode,
+    bool stub_resolver_enabled,
     base::Optional<std::vector<mojom::DnsOverHttpsServerPtr>>
         dns_over_https_servers) {
+  // If the stub resolver is not enabled, |dns_over_https_servers| has no
+  // effect.
+  DCHECK(stub_resolver_enabled || !dns_over_https_servers);
   DCHECK(!dns_over_https_servers || !dns_over_https_servers->empty());
 
   // Enable or disable the insecure part of DnsClient. "DnsClient" is the class
   // that implements the stub resolver.
-  host_resolver_manager_->SetInsecureDnsClientEnabled(
-      insecure_dns_client_enabled);
+  host_resolver_manager_->SetInsecureDnsClientEnabled(stub_resolver_enabled);
 
   // Configure DNS over HTTPS.
   if (!dns_over_https_servers || dns_over_https_servers.value().empty()) {
@@ -473,7 +475,9 @@ void NetworkService::ConfigureStubHostResolver(
     overrides.dns_over_https_servers.value().emplace_back(
         doh_server->server_template, doh_server->use_post);
   }
-  overrides.secure_dns_mode = secure_dns_mode;
+  // TODO(crbug.com/985589): Allow the secure dns mode to be set independently
+  // of the insecure part of the stub resolver.
+  overrides.secure_dns_mode = net::DnsConfig::SecureDnsMode::AUTOMATIC;
   host_resolver_manager_->SetDnsConfigOverrides(overrides);
 }
 

services/network/network_service.h

@@ -23,7 +23,6 @@
 #include "base/timer/timer.h"
 #include "build/build_config.h"
 #include "mojo/public/cpp/bindings/binding.h"
-#include "net/dns/dns_config.h"
 #include "net/http/http_auth_preferences.h"
 #include "net/log/net_log.h"
 #include "net/log/trace_net_log_observer.h"
@@ -143,8 +142,7 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkService
   void CreateNetworkContext(mojom::NetworkContextRequest request,
                             mojom::NetworkContextParamsPtr params) override;
   void ConfigureStubHostResolver(
-      bool insecure_dns_client_enabled,
-      net::DnsConfig::SecureDnsMode secure_dns_mode,
+      bool stub_resolver_enabled,
       base::Optional<std::vector<mojom::DnsOverHttpsServerPtr>>
           dns_over_https_servers) override;
   void DisableQuic() override;

services/network/network_service_unittest.cc

@@ -22,7 +22,6 @@
 #include "base/threading/thread_task_runner_handle.h"
 #include "build/build_config.h"
 #include "net/base/escape.h"
-#include "net/base/ip_endpoint.h"
 #include "net/base/mock_network_change_notifier.h"
 #include "net/base/url_util.h"
 #include "net/dns/dns_config_service.h"
@@ -444,55 +443,23 @@ TEST_F(NetworkServiceTest, AuthEnableNegotiatePort) {
 #if !defined(OS_IOS)
 
 TEST_F(NetworkServiceTest, DnsClientEnableDisable) {
-  // Set valid DnsConfig.
-  net::DnsConfig config;
-  config.nameservers.push_back(net::IPEndPoint());
-  service()->host_resolver_manager()->SetBaseDnsConfigForTesting(config);
-
+  // HostResolver::GetDnsConfigAsValue() returns nullptr if the stub resolver is
+  // disabled.
+  EXPECT_FALSE(service()
+                   ->host_resolver_manager()
+                   ->GetInsecureDnsClientEnabledForTesting());
   service()->ConfigureStubHostResolver(
-      true /* insecure_dns_client_enabled */,
-      net::DnsConfig::SecureDnsMode::OFF,
+      true /* stub_resolver_enabled */,
       base::nullopt /* dns_over_https_servers */);
   EXPECT_TRUE(service()
                   ->host_resolver_manager()
                   ->GetInsecureDnsClientEnabledForTesting());
-  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF,
-            service()->host_resolver_manager()->GetSecureDnsModeForTesting());
-
-  service()->ConfigureStubHostResolver(
-      false /* insecure_dns_client_enabled */,
-      net::DnsConfig::SecureDnsMode::OFF,
-      base::nullopt /* dns_over_https_servers */);
-  EXPECT_FALSE(service()
-                   ->host_resolver_manager()
-                   ->GetInsecureDnsClientEnabledForTesting());
-  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF,
-            service()->host_resolver_manager()->GetSecureDnsModeForTesting());
-
   service()->ConfigureStubHostResolver(
-      false /* insecure_dns_client_enabled */,
-      net::DnsConfig::SecureDnsMode::AUTOMATIC,
+      false /* stub_resolver_enabled */,
       base::nullopt /* dns_over_https_servers */);
   EXPECT_FALSE(service()
                    ->host_resolver_manager()
                    ->GetInsecureDnsClientEnabledForTesting());
-  EXPECT_EQ(net::DnsConfig::SecureDnsMode::OFF,
-            service()->host_resolver_manager()->GetSecureDnsModeForTesting());
-
-  std::vector<mojom::DnsOverHttpsServerPtr> dns_over_https_servers_ptr;
-  mojom::DnsOverHttpsServerPtr dns_over_https_server =
-      mojom::DnsOverHttpsServer::New();
-  dns_over_https_server->server_template = "https://foo/";
-  dns_over_https_server->use_post = true;
-  dns_over_https_servers_ptr.emplace_back(std::move(dns_over_https_server));
-  service()->ConfigureStubHostResolver(false /* insecure_dns_client_enabled */,
-                                       net::DnsConfig::SecureDnsMode::AUTOMATIC,
-                                       std::move(dns_over_https_servers_ptr));
-  EXPECT_FALSE(service()
-                   ->host_resolver_manager()
-                   ->GetInsecureDnsClientEnabledForTesting());
-  EXPECT_EQ(net::DnsConfig::SecureDnsMode::AUTOMATIC,
-            service()->host_resolver_manager()->GetSecureDnsModeForTesting());
 }
 
 TEST_F(NetworkServiceTest, DnsOverHttpsEnableDisable) {
@@ -520,8 +487,7 @@ TEST_F(NetworkServiceTest, DnsOverHttpsEnableDisable) {
   dns_over_https_server->use_post = kServer1UsePost;
   dns_over_https_servers_ptr.emplace_back(std::move(dns_over_https_server));
 
-  service()->ConfigureStubHostResolver(false /* insecure_dns_client_enabled */,
-                                       net::DnsConfig::SecureDnsMode::AUTOMATIC,
+  service()->ConfigureStubHostResolver(true /* stub_resolver_enabled */,
                                        std::move(dns_over_https_servers_ptr));
   EXPECT_TRUE(service()->host_resolver_manager()->GetDnsConfigAsValue());
   const auto* dns_over_https_servers =
@@ -544,8 +510,7 @@ TEST_F(NetworkServiceTest, DnsOverHttpsEnableDisable) {
   dns_over_https_server->use_post = kServer3UsePost;
   dns_over_https_servers_ptr.emplace_back(std::move(dns_over_https_server));
 
-  service()->ConfigureStubHostResolver(true /* insecure_dns_client_enabled */,
-                                       net::DnsConfig::SecureDnsMode::SECURE,
+  service()->ConfigureStubHostResolver(true /* stub_resolver_enabled */,
                                        std::move(dns_over_https_servers_ptr));
   EXPECT_TRUE(service()->host_resolver_manager()->GetDnsConfigAsValue());
   dns_over_https_servers =

services/network/public/cpp/host_resolver.typemap

 # Copyright 2018 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
+# found in the LICENSE file.
 
 mojom = "//services/network/public/mojom/host_resolver.mojom"
 public_headers = [
-  "//net/dns/dns_config.h",
   "//net/dns/dns_config_overrides.h",
   "//net/dns/host_resolver.h",
   "//net/dns/host_resolver_source.h",
@@ -23,5 +22,4 @@ type_mappings = [
   "network.mojom.DnsQueryType=net::DnsQueryType",
   "network.mojom.ResolveHostParameters.Source=net::HostResolverSource",
   "network.mojom.MdnsListenClient.UpdateType=net::HostResolver::MdnsListener::Delegate::UpdateType",
-  "network.mojom.SecureDnsMode=net::DnsConfig::SecureDnsMode",
 ]

services/network/public/cpp/host_resolver_mojom_traits.cc

@@ -373,38 +373,4 @@ bool EnumTraits<MdnsListenClient::UpdateType,
   }
 }
 
-// static
-network::mojom::SecureDnsMode
-EnumTraits<network::mojom::SecureDnsMode, net::DnsConfig::SecureDnsMode>::
-    ToMojom(net::DnsConfig::SecureDnsMode secure_dns_mode) {
-  switch (secure_dns_mode) {
-    case net::DnsConfig::SecureDnsMode::OFF:
-      return network::mojom::SecureDnsMode::OFF;
-    case net::DnsConfig::SecureDnsMode::AUTOMATIC:
-      return network::mojom::SecureDnsMode::AUTOMATIC;
-    case net::DnsConfig::SecureDnsMode::SECURE:
-      return network::mojom::SecureDnsMode::SECURE;
-  }
-  NOTREACHED();
-  return network::mojom::SecureDnsMode::OFF;
-}
-
-// static
-bool EnumTraits<network::mojom::SecureDnsMode, net::DnsConfig::SecureDnsMode>::
-    FromMojom(network::mojom::SecureDnsMode in,
-              net::DnsConfig::SecureDnsMode* out) {
-  switch (in) {
-    case network::mojom::SecureDnsMode::OFF:
-      *out = net::DnsConfig::SecureDnsMode::OFF;
-      return true;
-    case network::mojom::SecureDnsMode::AUTOMATIC:
-      *out = net::DnsConfig::SecureDnsMode::AUTOMATIC;
-      return true;
-    case network::mojom::SecureDnsMode::SECURE:
-      *out = net::DnsConfig::SecureDnsMode::SECURE;
-      return true;
-  }
-  return false;
-}
-
 }  // namespace mojo

services/network/public/cpp/host_resolver_mojom_traits.h

@@ -17,7 +17,6 @@
 #include "net/base/address_family.h"
 #include "net/base/ip_address.h"
 #include "net/base/ip_endpoint.h"
-#include "net/dns/dns_config.h"
 #include "net/dns/dns_config_overrides.h"
 #include "net/dns/dns_hosts.h"
 #include "net/dns/host_resolver.h"
@@ -106,15 +105,6 @@ struct EnumTraits<network::mojom::MdnsListenClient::UpdateType,
       net::HostResolver::MdnsListener::Delegate::UpdateType* output);
 };
 
-template <>
-struct EnumTraits<network::mojom::SecureDnsMode,
-                  net::DnsConfig::SecureDnsMode> {
-  static network::mojom::SecureDnsMode ToMojom(
-      net::DnsConfig::SecureDnsMode secure_dns_mode);
-  static bool FromMojom(network::mojom::SecureDnsMode in,
-                        net::DnsConfig::SecureDnsMode* out);
-};
-
 }  // namespace mojo
 
 #endif  // SERVICES_NETWORK_PUBLIC_CPP_HOST_RESOLVER_MOJOM_TRAITS_H_

services/network/public/mojom/host_resolver.mojom

@@ -40,13 +40,6 @@ enum OptionalSecureDnsMode {
   SECURE,
 };
 
-// This enum corresponds to DnsConfig::SecureDnsMode.
-enum SecureDnsMode {
-  OFF,
-  AUTOMATIC,
-  SECURE,
-};
-
 // Overridable DNS configuration values for host resolution. All fields default
 // to a non-overriding state where the relevant value will be used from system
 // DNS configuration.

services/network/public/mojom/network_service.mojom

@@ -324,21 +324,19 @@ interface NetworkService {
   // resolver.
   //
   // |dns_over_https_servers| is an optional list of DNS over HTTPS servers.
-  // DnsTransactions will by default follow the behavior of |secure_dns_mode|.
-  // In SECURE mode, only DoH lookups will be performed. In AUTOMATIC mode,
-  // DoH lookups to available servers will be performed first, and insecure
-  // lookups will be used as a fallback. In OFF mode, only insecure lookups will
-  // be performed. When insecure lookups are performed, they will be sent by
-  // the async resolver first if |insecure_dns_client_enabled| is true and
-  // then by the system resolver as a fallback.
+  // When populated, all DNS lookups will try to use DNS over HTTPS in the order
+  // the servers are provided in and will only fall back to using system
+  // settings if DNS over HTTPS fails. It is illegal to have a populated
+  // |dns_over_https_servers| when |stub_resolver_enabled| is false.
   //
   // DNS over HTTPS will use the primary NetworkContext, so can only be enabled
   // after the primary network context has been created. Other than that
   // limitation, this method can be called at any time to change DNS
   // configuration, though calling it will fail any DNS lookups that have
   // already been started.
-  ConfigureStubHostResolver(bool insecure_dns_client_enabled,
-                            SecureDnsMode secure_dns_mode,
+  //
+  // Both the stub resolver and DNS over HTTPS are disabled by default.
+  ConfigureStubHostResolver(bool stub_resolver_enabled,
                             array<DnsOverHttpsServer>? dns_over_https_servers);
 
   // Disables QUIC for the NetworkService. Affects all existing NetworkContexts,