Remi Gacogne via dnsdist:
thanks for the pointer, really looking forward to the dnsdist version
that has this solved.
Sure, I expect to release 1.9.2 including this fix in the next couple
weeks.
thanks!
Note that this metric (doh_http_version_queries) is incremented after
doing some sanity checks but before actually parsing the DNS query, so
unfortunately we cannot be sure these are valid DoH queries. At this
point they could be bots. Can you check doh_version_status_responses for
httpversion=1 and status=200 instead?
Thanks for pointing that out.
In our case these two graphs overlap very closely.
Maybe because only requests using the correct hostname in the SNI
actually reach dnsdist in the first place.
So the practical solution to use dnsdist 1.9.0 with nghttp2 and
still support HTTP/1.1 clients is to use a webserver like nginx in
front of dnsdist?
Yes, a reverse proxy like nginx or HAProxy might be the best option to
keep HTTP/1.1 support at this point.
Turns out nginx does not speak HTTP/2 with upstream servers
but HAProxy does according to the documentation.
I'm afraid we are currently not increasing any counter in this exact
case, I'll see what I can do about it.
Thanks, appreciated.
You are correct, but in practice I am yet to see a DoH client using
HTTP/1.1 in production.
Would be interesting to know how much non-HTTP/2 traffic large DoH
service providers see in practice, maybe I'm going to reach out on the
dns-operations mailing list.
I just don't want to increase the
code complexity and attack surface just to reply to crawlers..
Yes, that makes sense :)
best regards,
Christoph
_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
