How to use different views on DNS-over-HTTPS vs normal DNS on port 53
Hello, How can I configure BIND9 to reply to requests from DNS-over-HTTPS with view A, and if the requests is from normal DNS on port 53, reply with view B? Example: client 192.168.1.5 requests A record test.example.com with DNS over HTTPS, BIND should reply with view A client 192.168.1.5 requests A record test.example.com with DNS on port 53, BIND should reply with view B -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
DiG DoH TLS Error
Hello, I am trying to resolve a DNS record with DNS over HTTPS with DiG on our DNS server. However DiG is returning a TLS error. See following anonymized result ➜ dig +trace +https @dns.example.com www.example.com ;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com failed: TLS error. ;; no servers could be reached ;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com failed: TLS error. ;; no servers could be reached ;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com failed: TLS error. ;; no servers could be reached I can confirm that the server can be reached and with openssl s_client -connect, the certificate returned OK result Connecting to 192.168.132.5 CONNECTED(0003) depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1 verify return:1 depth=1 C=US, O=Let's Encrypt, CN=R3 verify return:1 depth=0 CN=*.example.com verify return:1 --- Certificate chain 0 s:CN=*.example.com i:C=US, O=Let's Encrypt, CN=R3 a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256 v:NotBefore: Jan 2024 GMT; NotAfter: Apr 2024 GMT 1 s:C=US, O=Let's Encrypt, CN=R3 i:C=US, O=Internet Security Research Group, CN=ISRG Root X1 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT --- Server certificate -BEGIN CERTIFICATE- -END CERTIFICATE- subject=CN=*.example.com issuer=C=US, O=Let's Encrypt, CN=R3 --- No client certificate CA names sent Peer signing digest: SHA384 Peer signature type: ECDSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 2816 bytes and written 392 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 Server public key is 384 bit This TLS version forbids renegotiation. Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher: TLS_AES_128_GCM_SHA256 Session-ID: Session-ID-ctx: Resumption PSK: PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 604800 (seconds) TLS session ticket: . Start Time: 1705398062 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- read R BLOCK Any idea what is causing the TLS error? -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Unable to Query DoH with `tls none` and Plain HTTP
Hello, Thank you very much, I was unaware of the HTTP/2 requirement and was assuming it is a bug. Is there any reason for omitting the HTTP/1.1 upgrade part of the protocol? On 2024/01/01 22:30, Ondřej Surý wrote: Hi, BIND 9 DoH implementation always uses HTTP/2, so you can't talk to it via HTTP/0.9, so your proxy balancer needs to talk HTTP/2. curl --http2-prior-knowledge -v -H 'accept: application/dns-message' 'http://172.23.0.2:80/dns-query?dns=AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB' should work if I am reading the curl man page correctly (I don't have bind with doh no-tls here) dig +http-plain @172.23.0.2 will definitely work. Ondřej -- Ondřej Surý (He/Him) ond...@isc.org My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. On 1. 1. 2024, at 13:35, r1wcp42w--- via bind-users wrote: Hello, Hope you are having a great day. I am trying to setup a BIND9 DNS over HTTP (DoH but in plain HTTP) server with the ubuntu/bind9:latest docker image behind a HTTPS load balancer however I am unable to perform any DNS query with the newly installed BIND9 server(not through the load balancer). I am getting the following when I try to perform the query: ➜ curl -v -H 'accept: application/dns-message' 'http://172.23.0.2:80/dns-query?dns=AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB' * Trying 172.23.0.2:80... * Connected to 172.23.0.2 (172.23.0.2) port 80 GET /dns-query?dns=AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1 Host: 172.23.0.2 User-Agent: curl/8.5.0 accept: application/dns-message * Received HTTP/0.9 when not allowed * Closing connection curl: (1) Received HTTP/0.9 when not allowed and here is my named.conf.options options { directory "/var/cache/bind"; // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://psrp.bbqporkmccity.com/vye5rn/vXKoBzwW // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. // forwarders { // 0.0.0.0; // }; // // If BIND logs error messages about the root key being expired, // you will need to update your keys. See http://psrp.bbqporkmccity.com/vye5rn/WflSTkLF // dnssec-validation auto; listen-on-v6 { any; }; // Custom Options From Here allow-query { any;}; allow-transfer { none; }; listen-on port 53 { any; }; listen-on port 80 tls none http default { any; }; }; Am I doing something wrong? Thank you very much and I am looking forward to a solution. -- Visit http://psrp.bbqporkmccity.com/vye5rn/jprjhJwF to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at http://psrp.bbqporkmccity.com/vye5rn/HiPEm7Fv for more information. bind-users mailing list bind-users@lists.isc.org http://psrp.bbqporkmccity.com/vye5rn/pgPJe84v -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Unable to Query DoH with `tls none` and Plain HTTP
Hello, Hope you are having a great day. I am trying to setup a BIND9 DNS over HTTP (DoH but in plain HTTP) server with the ubuntu/bind9:latest docker image behind a HTTPS load balancer however I am unable to perform any DNS query with the newly installed BIND9 server(not through the load balancer). I am getting the following when I try to perform the query: ➜ curl -v -H 'accept: application/dns-message' 'http://172.23.0.2:80/dns-query?dns=AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB' * Trying 172.23.0.2:80... * Connected to 172.23.0.2 (172.23.0.2) port 80 GET /dns-query?dns=AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1 Host: 172.23.0.2 User-Agent: curl/8.5.0 accept: application/dns-message * Received HTTP/0.9 when not allowed * Closing connection curl: (1) Received HTTP/0.9 when not allowed and here is my named.conf.options options { directory "/var/cache/bind"; // If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://psrp.bbqporkmccity.com/vye5rn/iw5hSZ1O // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. // forwarders { // 0.0.0.0; // }; // // If BIND logs error messages about the root key being expired, // you will need to update your keys. See http://psrp.bbqporkmccity.com/vye5rn/nH13n27l // dnssec-validation auto; listen-on-v6 { any; }; // Custom Options From Here allow-query { any;}; allow-transfer { none; }; listen-on port 53 { any; }; listen-on port 80 tls none http default { any; }; }; Am I doing something wrong? Thank you very much and I am looking forward to a solution. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users