Re: [dnsdist] DoH issues after 1.8.3 -> 1.9.0 upgrade

Mon, 18 Mar 2024 14:00:40 -0700 

Otto Moerbeek wrote:
This might be related:https://github.com/PowerDNS/pdns/issues/13850, not backported yet 

thanks for the pointer, really looking forward to the dnsdist version
that has this solved.

Remi wrote:

In addition to the issue mentioned by Otto, it might also be that the
monitoring does not support HTTP/2.



yes, that appears to be the case uptimerobot does not support HTTP/2 and 
was affected, our blackbox_exporter appears to support HTTP/2 and was 
not affected.



The new nghttp2 provider for
incoming DNS over HTTPS does not support HTTP/1.1. In 1.9.x it's
still possible to switch back to the legacy h2o provider but note
that it will likely go away in the next major version of DNSdist. In
our testing the lack of HTTP/1.1 support was not an issue for actual
DNS over HTTPS clients, with most of HTTP/1.1 queries coming from
crawlers/bots, but of course we will reconsider if you find out that
legitimate DoH clients are impacted.


we see about 5-10% of non-version 2 DoH requests by looking at:

sum by (version)
(irate(dnsdist_frontend_doh_http_version_queries{job="$job"}[$__rate_interval]))

So the practical solution to use dnsdist 1.9.0 with nghttp2 and

still support HTTP/1.1 clients is to use a webserver like nginx in front 
of dnsdist?


I expected an increase of this metric during our partial outage but
this value did not increase, is this expected?

irate(dnsdist_frontend_doh_version_status_responses{httpversion="1",status="400",job="$job"}[$__rate_interval])

dnsdist_frontend_noncompliantqueries also didn't increase.
Which value is expected to increase?


btw:
dnsdist's v1.9.0 answer to HTTP requests not using HTTP/2:


This server implements RFC 8484 - DNS Queries over HTTP, and
requires HTTP/2 in accordance with section 5.2 of the RFC.


but RFC8484 does not actually require HTTP/2, right?

https://www.rfc-editor.org/rfc/rfc8484.html#section-5.2
> 5.2.  HTTP/2



HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP for use 
with DoH.


It is recommended but not a "MUST".

best regards,
Christoph
_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist






















					Reply via email to