How to use different views on DNS-over-HTTPS vs normal DNS on port 53
Hello, How can I configure BIND9 to reply to requests from DNS-over-HTTPS with view A, and if the requests is from normal DNS on port 53, reply with view B? Example: client 192.168.1.5 requests A record test.example.com with DNS over HTTPS, BIND should reply with view A client 192.168.1.5 requests A record test.example.com with DNS on port 53, BIND should reply with view B -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
DiG DoH TLS Error
Hello, I am trying to resolve a DNS record with DNS over HTTPS with DiG on our DNS server. However DiG is returning a TLS error. See following anonymized result ➜ dig +trace +https @dns.example.com www.example.com ;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com failed: TLS error. ;; no servers could be reached ;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com failed: TLS error. ;; no servers could be reached ;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com failed: TLS error. ;; no servers could be reached I can confirm that the server can be reached and with openssl s_client -connect, the certificate returned OK result Connecting to 192.168.132.5 CONNECTED(0003) depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1 verify return:1 depth=1 C=US, O=Let's Encrypt, CN=R3 verify return:1 depth=0 CN=*.example.com verify return:1 --- Certificate chain 0 s:CN=*.example.com i:C=US, O=Let's Encrypt, CN=R3 a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256 v:NotBefore: Jan 2024 GMT; NotAfter: Apr 2024 GMT 1 s:C=US, O=Let's Encrypt, CN=R3 i:C=US, O=Internet Security Research Group, CN=ISRG Root X1 a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256 v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT --- Server certificate -BEGIN CERTIFICATE- -END CERTIFICATE- subject=CN=*.example.com issuer=C=US, O=Let's Encrypt, CN=R3 --- No client certificate CA names sent Peer signing digest: SHA384 Peer signature type: ECDSA Server Temp Key: X25519, 253 bits --- SSL handshake has read 2816 bytes and written 392 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 Server public key is 384 bit This TLS version forbids renegotiation. Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 (ok) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: Protocol : TLSv1.3 Cipher: TLS_AES_128_GCM_SHA256 Session-ID: Session-ID-ctx: Resumption PSK: PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 604800 (seconds) TLS session ticket: . Start Time: 1705398062 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no Max Early Data: 0 --- read R BLOCK Any idea what is causing the TLS error? -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Unable to Query DoH with `tls none` and Plain HTTP
Hello,
Thank you very much, I was unaware of the HTTP/2 requirement and was
assuming it is a bug. Is there any reason for omitting the HTTP/1.1
upgrade part of the protocol?
On 2024/01/01 22:30, Ondřej Surý wrote:
Hi,
BIND 9 DoH implementation always uses HTTP/2, so you
can't talk to it via HTTP/0.9, so your proxy balancer needs
to talk HTTP/2.
curl --http2-prior-knowledge -v -H 'accept: application/dns-message'
'http://172.23.0.2:80/dns-query?dns=AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB'
should work if I am reading the curl man page correctly (I don't have bind with
doh no-tls here)
dig +http-plain @172.23.0.2
will definitely work.
Ondřej
--
Ondřej Surý (He/Him)
ond...@isc.org
My working hours and your working hours may be different. Please do not feel
obligated to reply outside your normal working hours.
On 1. 1. 2024, at 13:35, r1wcp42w--- via bind-users
wrote:
Hello,
Hope you are having a great day.
I am trying to setup a BIND9 DNS over HTTP (DoH but in plain HTTP) server with
the ubuntu/bind9:latest docker image behind a HTTPS load balancer however I am
unable to perform any DNS query with the newly installed BIND9 server(not
through the load balancer).
I am getting the following when I try to perform the query:
➜ curl -v -H 'accept: application/dns-message'
'http://172.23.0.2:80/dns-query?dns=AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB'
* Trying 172.23.0.2:80...
* Connected to 172.23.0.2 (172.23.0.2) port 80
GET /dns-query?dns=AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1
Host: 172.23.0.2
User-Agent: curl/8.5.0
accept: application/dns-message
* Received HTTP/0.9 when not allowed
* Closing connection
curl: (1) Received HTTP/0.9 when not allowed
and here is my named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://psrp.bbqporkmccity.com/vye5rn/vXKoBzwW
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See
http://psrp.bbqporkmccity.com/vye5rn/WflSTkLF
//
dnssec-validation auto;
listen-on-v6 { any; };
// Custom Options From Here
allow-query { any;};
allow-transfer { none; };
listen-on port 53 { any; };
listen-on port 80 tls none http default { any; };
};
Am I doing something wrong?
Thank you very much and I am looking forward to a solution.
--
Visit http://psrp.bbqporkmccity.com/vye5rn/jprjhJwF to unsubscribe from this
list
ISC funds the development of this software with paid support subscriptions.
Contact us at http://psrp.bbqporkmccity.com/vye5rn/HiPEm7Fv for more
information.
bind-users mailing list
bind-users@lists.isc.org
http://psrp.bbqporkmccity.com/vye5rn/pgPJe84v
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Unable to Query DoH with `tls none` and Plain HTTP
Hello,
Hope you are having a great day.
I am trying to setup a BIND9 DNS over HTTP (DoH but in plain HTTP)
server with the ubuntu/bind9:latest docker image behind a HTTPS load
balancer however I am unable to perform any DNS query with the newly
installed BIND9 server(not through the load balancer).
I am getting the following when I try to perform the query:
➜ curl -v -H 'accept: application/dns-message'
'http://172.23.0.2:80/dns-query?dns=AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB'
* Trying 172.23.0.2:80...
* Connected to 172.23.0.2 (172.23.0.2) port 80
GET /dns-query?dns=AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1
Host: 172.23.0.2
User-Agent: curl/8.5.0
accept: application/dns-message
* Received HTTP/0.9 when not allowed
* Closing connection
curl: (1) Received HTTP/0.9 when not allowed
and here is my named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://psrp.bbqporkmccity.com/vye5rn/iw5hSZ1O
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See
http://psrp.bbqporkmccity.com/vye5rn/nH13n27l
//
dnssec-validation auto;
listen-on-v6 { any; };
// Custom Options From Here
allow-query { any;};
allow-transfer { none; };
listen-on port 53 { any; };
listen-on port 80 tls none http default { any; };
};
Am I doing something wrong?
Thank you very much and I am looking forward to a solution.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
