Unable to Query DoH with `tls none` and Plain HTTP

r1wcp42w at bbqporkmccity.com
Mon Jan 1 14:19:36 UTC 2024


Hello,

Thank you very much. I was unaware of the HTTP/2 requirement and was 
assuming it was a bug. Is there any reason for omitting the HTTP/1.1 
upgrade part of the protocol?


On 2024/01/01 22:30, Ondřej Surý wrote:
> Hi,
> 
> BIND 9 DoH implementation always uses HTTP/2, so you
> can't talk to it via HTTP/0.9, so your proxy balancer needs
> to talk HTTP/2.
> 
> curl --http2-prior-knowledge -v -H 'accept: application/dns-message' 'http://172.23.0.2:80/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB'
> 
> should work if I am reading the curl man page correctly (I don't have bind with doh no-tls here)
> 
> dig +http-plain @172.23.0.2
> 
> will definitely work.
> 
> Ondřej
> --
> Ondřej Surý (He/Him)
> ondrej at isc.org
> 
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
> 
>> On 1. 1. 2024, at 13:35, r1wcp42w--- via bind-users <bind-users at lists.isc.org> wrote:
>>
>> Hello,
>>
>> Hope you are having a great day.
>>
>> I am trying to set up a BIND9 DNS over HTTP (DoH, but in plain HTTP) server with the ubuntu/bind9:latest docker image behind an HTTPS load balancer; however, I am unable to perform any DNS query against the newly installed BIND9 server (not through the load balancer).
>>
>> I am getting the following when I try to perform the query:
>>
>>
>>> ➜ curl -v -H 'accept: application/dns-message' 'http://172.23.0.2:80/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB'
>>> *   Trying 172.23.0.2:80...
>>> * Connected to 172.23.0.2 (172.23.0.2) port 80
>>>> GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1
>>>> Host: 172.23.0.2
>>>> User-Agent: curl/8.5.0
>>>> accept: application/dns-message
>>> * Received HTTP/0.9 when not allowed
>>> * Closing connection
>>> curl: (1) Received HTTP/0.9 when not allowed
>>
>>
>>
>> and here is my named.conf.options
>>
>>> options {
>>>         directory "/var/cache/bind";
>>>         // If there is a firewall between you and nameservers you want
>>>         // to talk to, you may need to fix the firewall to allow multiple
>>>         // ports to talk.  See http://psrp.bbqporkmccity.com/vye5rn/vXKoBzwW
>>>         // If your ISP provided one or more IP addresses for stable
>>>         // nameservers, you probably want to use them as forwarders.
>>>         // Uncomment the following block, and insert the addresses replacing
>>>         // the all-0's placeholder.
>>>         // forwarders {
>>>         //      0.0.0.0;
>>>         // };
>>>         //========================================================================
>>>         // If BIND logs error messages about the root key being expired,
>>>         // you will need to update your keys.  See http://psrp.bbqporkmccity.com/vye5rn/WflSTkLF
>>>         //========================================================================
>>>         dnssec-validation auto;
>>>         listen-on-v6 { any; };
>>>         // Custom Options From Here
>>>         allow-query { any;};
>>>         allow-transfer { none; };
>>>         listen-on port 53 { any; };
>>>         listen-on port 80 tls none http default { any; };
>>> };
>>
>> Am I doing something wrong?
>>
>> Thank you very much and I am looking forward to a solution.
> 
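To go with the curl and dig commands in the reply above, here is an added Python helper (not BIND's or the list's code) showing what the `dns=` parameter in those URLs is: an RFC 8484 base64url-encoded, unpadded, wire-format DNS query. It decodes the exact value from the thread and rebuilds it from a name; the base URL and the 172.23.0.2 address are copied from the thread and are otherwise assumptions.

```python
import base64
import struct

# The dns= value from the thread (a wire-format DNS query for www.example.com A),
# embedded here as the sample input for the demonstration.
DNS_PARAM = "AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"

def b64url_encode(raw: bytes) -> str:
    """RFC 8484 requires base64url *without* trailing '=' padding."""
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")

def b64url_decode(text: str) -> bytes:
    # Re-add the padding the encoder stripped so the stdlib accepts it.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query: 12-byte header (ID 0, RD set, one question)
    followed by the question section. RFC 8484 recommends ID 0 so that
    identical queries yield identical URLs that HTTP caches can reuse."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def parse_question(msg: bytes):
    """Return (id, flags, qname, qtype, qclass) of the first question."""
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a query name
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return qid, flags, ".".join(labels), qtype, qclass

def doh_url(base: str, name: str, qtype: int = 1) -> str:
    """Build the GET form of a DoH request for the given base URL (assumed)."""
    return f"{base}?dns={b64url_encode(build_query(name, qtype))}"

if __name__ == "__main__":
    print(parse_question(b64url_decode(DNS_PARAM)))
    print(doh_url("http://172.23.0.2:80/dns-query", "www.example.com"))
```

Pair the printed URL with `curl --http2-prior-knowledge` as in the reply above: that flag sends HTTP/2 frames from the first byte instead of an HTTP/1.1 request, which is what the HTTP/2-only BIND listener expects.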

