Unable to Query DoH with `tls none` and Plain HTTP
Ondřej Surý
ondrej at isc.org
Mon Jan 1 13:30:42 UTC 2024
Hi,
The BIND 9 DoH implementation always uses HTTP/2, so you
can't talk to it via HTTP/0.9; your proxy balancer needs
to talk HTTP/2.
curl --http2-prior-knowledge -v -H 'accept: application/dns-message' 'http://172.23.0.2:80/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB'
should work if I am reading the curl man page correctly (I don't have BIND with DoH no-tls here)
dig +http-plain @172.23.0.2
will definitely work.
Ondřej
--
Ondřej Surý (He/Him)
ondrej at isc.org
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
> On 1. 1. 2024, at 13:35, r1wcp42w--- via bind-users <bind-users at lists.isc.org> wrote:
>
> Hello,
>
> Hope you are having a great day.
>
> I am trying to set up a BIND9 DNS over HTTP (DoH, but in plain HTTP) server with the ubuntu/bind9:latest docker image behind an HTTPS load balancer; however, I am unable to perform any DNS query against the newly installed BIND9 server (not through the load balancer).
>
> I am getting the following when I try to perform the query:
>
>
>> ➜ curl -v -H 'accept: application/dns-message' 'http://172.23.0.2:80/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB'
>> * Trying 172.23.0.2:80...
>> * Connected to 172.23.0.2 (172.23.0.2) port 80
>>> GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1
>>> Host: 172.23.0.2
>>> User-Agent: curl/8.5.0
>>> accept: application/dns-message
>> * Received HTTP/0.9 when not allowed
>> * Closing connection
>> curl: (1) Received HTTP/0.9 when not allowed
>
>
>
> and here is my named.conf.options
>
>> options {
>> directory "/var/cache/bind";
>> // If there is a firewall between you and nameservers you want
>> // to talk to, you may need to fix the firewall to allow multiple
>> // ports to talk. See http://psrp.bbqporkmccity.com/vye5rn/iw5hSZ1O
>> // If your ISP provided one or more IP addresses for stable
>> // nameservers, you probably want to use them as forwarders.
>> // Uncomment the following block, and insert the addresses replacing
>> // the all-0's placeholder.
>> // forwarders {
>> // 0.0.0.0;
>> // };
>> //========================================================================
>> // If BIND logs error messages about the root key being expired,
>> // you will need to update your keys. See http://psrp.bbqporkmccity.com/vye5rn/nH13n27l
>> //========================================================================
>> dnssec-validation auto;
>> listen-on-v6 { any; };
>> // Custom Options From Here
>> allow-query { any;};
>> allow-transfer { none; };
>> listen-on port 53 { any; };
>> listen-on port 80 tls none http default { any; };
>> };
>
> Am I doing something wrong?
>
> Thank you very much and I am looking forward to a solution.
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
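The `dns=` value in the thread's curl command is the RFC 8484 example query (a recursion-desired A query for www.example.com with message ID 0, base64url-encoded without padding). The following Python script is an added example, not code from the thread or from ISC: it builds that wire-format query from scratch, encodes and decodes the `dns` GET parameter, parses the question back out, and assembles the curl command line with `--http2-prior-knowledge`, which is what the reply above says is needed because named only speaks HTTP/2 on a DoH listener. The endpoint URL is the one from the thread; the function names and the choice of `-w` output are my own, and the script does not make a network call itself.

```python
"""Build, encode and decode an RFC 8484 DoH GET query (added example)."""
import base64
import struct

# Endpoint from the thread; assumed to be a BIND 9 'tls none http default' listener.
DOH_URL = "http://172.23.0.2:80/dns-query"
# The dns= parameter used in the thread, which is the RFC 8484 worked example.
RFC8484_EXAMPLE = "AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS wire-format labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, qclass: int = 1,
                txid: int = 0, rd: bool = True) -> bytes:
    """Build a one-question DNS message.

    RFC 8484 recommends message ID 0 for GET queries so the URL is cacheable.
    """
    flags = 0x0100 if rd else 0x0000  # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def to_dns_param(wire: bytes) -> str:
    """base64url without '=' padding, as required for the dns= parameter."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def from_dns_param(param: str) -> bytes:
    """Reverse of to_dns_param: restore padding before decoding."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def parse_question(wire: bytes) -> dict:
    """Parse the header and the single question section of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", wire, 0)
    if qd != 1:
        raise ValueError(f"expected exactly one question, got {qd}")
    pos, labels = 12, []
    while True:
        ln = wire[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(wire[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, qclass = struct.unpack_from("!HH", wire, pos)
    return {"txid": txid, "rd": bool(flags & 0x0100),
            "name": ".".join(labels), "qtype": qtype, "qclass": qclass}


def curl_argv(name: str, url: str = DOH_URL) -> list:
    """curl command that talks HTTP/2 from the first byte, as named requires.

    Without --http2-prior-knowledge curl starts with HTTP/1.1 and named's
    response is reported as 'Received HTTP/0.9 when not allowed'.
    """
    param = to_dns_param(build_query(name))
    return ["curl", "--http2-prior-knowledge", "-sS",
            "-H", "accept: application/dns-message",
            "-o", "/dev/null", "-w", "%{http_version} %{http_code}\n",
            f"{url}?dns={param}"]


if __name__ == "__main__":
    import shlex
    print(parse_question(from_dns_param(RFC8484_EXAMPLE)))
    print(shlex.join(curl_argv("www.example.com")))
```

Running the script prints the decoded question from the thread's URL and the curl invocation to try against the listener; a `2 200` in the `-w` output would confirm that HTTP/2 was negotiated and the query was answered.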