Hello,
Thank you very much, I was unaware of the HTTP/2 requirement and was
assuming it is a bug. Is there any reason for omitting the HTTP/1.1
upgrade part of the protocol?
On 2024/01/01 22:30, Ondřej Surý wrote:
Hi,
BIND 9 DoH implementation always uses HTTP/2, so you
can't talk to it via HTTP/0.9, so your proxy balancer needs
to talk HTTP/2.
curl --http2-prior-knowledge -v -H 'accept: application/dns-message' \
  'http://172.23.0.2:80/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB'
should work if I am reading the curl man page correctly (I don't have bind with
doh no-tls here)
dig +http-plain @172.23.0.2
will definitely work.
Ondřej
--
Ondřej Surý (He/Him)
ond...@isc.org
My working hours and your working hours may be different. Please do not feel
obligated to reply outside your normal working hours.
On 1. 1. 2024, at 13:35, r1wcp42w--- via bind-users <bind-users@lists.isc.org>
wrote:
Hello,
Hope you are having a great day.
I am trying to set up a BIND9 DNS over HTTP (DoH but in plain HTTP) server with
the ubuntu/bind9:latest docker image behind an HTTPS load balancer; however, I am
unable to perform any DNS query with the newly installed BIND9 server (not
through the load balancer).
I am getting the following when I try to perform the query:
➜ curl -v -H 'accept: application/dns-message'
'http://172.23.0.2:80/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB'
* Trying 172.23.0.2:80...
* Connected to 172.23.0.2 (172.23.0.2) port 80
GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1
Host: 172.23.0.2
User-Agent: curl/8.5.0
accept: application/dns-message
* Received HTTP/0.9 when not allowed
* Closing connection
curl: (1) Received HTTP/0.9 when not allowed
and here is my named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk. See http://psrp.bbqporkmccity.com/vye5rn/vXKoBzwW

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys. See http://psrp.bbqporkmccity.com/vye5rn/WflSTkLF
        //========================================================================
        dnssec-validation auto;

        listen-on-v6 { any; };

        // Custom Options From Here
        allow-query { any; };
        allow-transfer { none; };
        listen-on port 53 { any; };
        listen-on port 80 tls none http default { any; };
};
Am I doing something wrong?
Thank you very much and I am looking forward to a solution.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
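
Added example, not part of the original thread and not ISC or curl code: a small Python check for whether a cleartext listener answers HTTP/2 "prior knowledge", the mode the reply above asks the client or balancer to use. A server that speaks HTTP/2 opens with a SETTINGS frame (RFC 9113) rather than an HTTP/1.x status line. The names frame, classify and probe are hypothetical, and the two sample replies are constructed, not captured.

```python
import socket
import struct

# Client connection preface for HTTP/2 prior knowledge (RFC 9113, section 3.4):
# a fixed 24-byte string, followed by a SETTINGS frame (empty here).
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
SETTINGS = 0x4  # frame type


def frame(ftype, flags=0, stream_id=0, payload=b""):
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def classify(data):
    """Name the protocol that the first bytes of a server reply belong to."""
    if data.startswith(b"HTTP/1."):
        return "http/1.x"
    if len(data) >= 9:
        length = int.from_bytes(data[:3], "big")
        stream_id = int.from_bytes(data[5:9], "big") & 0x7FFFFFFF
        # A server preface is a non-ACK SETTINGS frame on stream 0 whose
        # payload is a whole number of 6-byte settings.
        if data[3] == SETTINGS and stream_id == 0 and length % 6 == 0 and not data[4] & 0x1:
            return "http/2"
    return "unknown"


def probe(host, port, timeout=3.0):
    """Send the prior-knowledge preface in cleartext and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(PREFACE + frame(SETTINGS))
        try:
            return classify(sock.recv(4096))
        except OSError:  # includes a read timeout
            return "unknown"


# Constructed sample replies, not captured from a real server.
SAMPLE_H2 = frame(SETTINGS, payload=struct.pack(">HI", 0x3, 100))
SAMPLE_H1 = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    print(classify(SAMPLE_H2), classify(SAMPLE_H1))
    # probe("172.23.0.2", 80)  # address from the thread; needs a live listener
```

Running probe against each hop (the balancer's upstream port, then the named listener) shows which one fails to speak HTTP/2 in cleartext.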