Re: Unable to Query DoH with `tls none` and Plain HTTP
> On 2. 1. 2024, at 10:38, Jakob Bohm via bind-users wrote:
>
> Funny, given that HTTP/2 (the spec) had a CVE against it last October,
> while HTTP/0.9 and HTTP/1.x did not.

I've said that a single modern HTTP/2 implementation (backed by a maintained library) is much better than having two different implementations of the HTTP protocol that need to cooperate on a single port. You came with a vulnerability in the HTTP/2 specification. So, what's your point? Or were you just trying to be "funny"?

> Having the DoH server as a standalone process talking to DNS/TCP would
> be a solid implementation given the constant flow of changes made to
> HTTP(S) by the Big 5.

Sure, but most people don't want to integrate different programs to talk to each other, and having an all-in-one solution works for most people. For the rest, there's always something like dnsdist that can actually talk DoH on the external side and Do53 on the internal side.

From a maintainer's perspective, I would love to have a minimal DNS implementation with as few features as possible, because that's easier to maintain. But we are not building BIND 9 for just our own needs, we are building it for the users, regardless of what I personally think about DoH/2, DoH/3 or DoQ and whatever Big Tech comes up with next to shave a nanosecond from the latency and pushes onto the open source developers who are limited on resources and maintain software that has a long history…

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Unable to Query DoH with `tls none` and Plain HTTP
On Tue, Jan 2, 2024 at 4:38 AM Jakob Bohm via bind-users wrote:
> Having the DoH server as a standalone process talking to DNS/TCP would
> be a solid implementation given the constant flow of changes made to
> HTTP(S) by the Big 5.

Perhaps, but for reference here is the relevant section of the DoH spec:

https://datatracker.ietf.org/doc/html/rfc8484#section-5.2

   HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP for use
   with DoH.

   The messages in classic UDP-based DNS [RFC1035] are inherently
   unordered and have low overhead.  A competitive HTTP transport needs
   to support reordering, parallelism, priority, and header compression
   to achieve similar performance.  Those features were introduced to
   HTTP in HTTP/2 [RFC7540].  Earlier versions of HTTP are capable of
   conveying the semantic requirements of DoH but may result in very
   poor performance.

That ISC has chosen to follow the minimum HTTP version as recommended by the RFC is solid ground on which to be standing.

--
tale
Re: Unable to Query DoH with `tls none` and Plain HTTP
On 2024-01-01 16:38, Ondřej Surý wrote:
>> On 1. 1. 2024, at 15:19, r1wcp...@bbqporkmccity.com wrote:
>>
>> Thank you very much, I was unaware of the HTTP/2 requirement and was
>> assuming it is a bug. Is there any reason for omitting the HTTP/1.1
>> upgrade part of the protocol?
>
> It would be additional complexity that's really not needed. The HTTP/2
> library (libnghttp) doesn't provide an HTTP/1.1 implementation, so we
> would have to bolt on something of our own for little gain. And it would
> increase the attack surface, as it would be yet another protocol open to
> the world that can have bugs in it.

Funny, given that HTTP/2 (the spec) had a CVE against it last October, while HTTP/0.9 and HTTP/1.x did not.

Having the DoH server as a standalone process talking to DNS/TCP would be a solid implementation given the constant flow of changes made to HTTP(S) by the Big 5.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: Unable to Query DoH with `tls none` and Plain HTTP
> On 1. 1. 2024, at 15:19, r1wcp...@bbqporkmccity.com wrote:
>
> Thank you very much, I was unaware of the HTTP/2 requirement and was
> assuming it is a bug. Is there any reason for omitting the HTTP/1.1
> upgrade part of the protocol?

It would be additional complexity that's really not needed. The HTTP/2 library (libnghttp) doesn't provide an HTTP/1.1 implementation, so we would have to bolt on something of our own for little gain. And it would increase the attack surface, as it would be yet another protocol open to the world that can have bugs in it.

Ondřej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
Re: Unable to Query DoH with `tls none` and Plain HTTP
Hello,

Thank you very much, I was unaware of the HTTP/2 requirement and was assuming it is a bug. Is there any reason for omitting the HTTP/1.1 upgrade part of the protocol?

On 2024/01/01 22:30, Ondřej Surý wrote:
> Hi,
>
> The BIND 9 DoH implementation always uses HTTP/2, so you can't talk to it
> via HTTP/0.9, so your proxy balancer needs to talk HTTP/2.
>
> curl --http2-prior-knowledge -v -H 'accept: application/dns-message' 'http://172.23.0.2:80/dns-query?dns=AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB'
>
> should work if I am reading the curl man page correctly (I don't have bind
> with doh no-tls here)
>
> dig +http-plain @172.23.0.2
>
> will definitely work.
>
> Ondřej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
>> On 1. 1. 2024, at 13:35, r1wcp42w--- via bind-users wrote:
>>
>> Hello,
>>
>> Hope you are having a great day.
>>
>> I am trying to setup a BIND9 DNS over HTTP (DoH but in plain HTTP) server
>> with the ubuntu/bind9:latest docker image behind a HTTPS load balancer,
>> however I am unable to perform any DNS query with the newly installed
>> BIND9 server (not through the load balancer).
>>
>> [...]
>>
>> Am I doing something wrong?
>>
>> Thank you very much and I am looking forward to a solution.
Re: Unable to Query DoH with `tls none` and Plain HTTP
Hi,

The BIND 9 DoH implementation always uses HTTP/2, so you can't talk to it via HTTP/0.9, so your proxy balancer needs to talk HTTP/2.

curl --http2-prior-knowledge -v -H 'accept: application/dns-message' 'http://172.23.0.2:80/dns-query?dns=AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB'

should work if I am reading the curl man page correctly (I don't have bind with doh no-tls here)

dig +http-plain @172.23.0.2

will definitely work.

Ondřej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 1. 1. 2024, at 13:35, r1wcp42w--- via bind-users wrote:
>
> Hello,
>
> Hope you are having a great day.
>
> I am trying to setup a BIND9 DNS over HTTP (DoH but in plain HTTP) server
> with the ubuntu/bind9:latest docker image behind a HTTPS load balancer,
> however I am unable to perform any DNS query with the newly installed BIND9
> server (not through the load balancer).
>
> [...]
>
> Am I doing something wrong?
>
> Thank you very much and I am looking forward to a solution.
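Two checks worth running on the client side before blaming the listener, as an added example that is not part of this thread and is not BIND 9 or ISC code. The first decodes the base64url `dns=` value from the DoH GET URL (RFC 8484 section 6) and parses the DNS question inside it; run on the exact string from the original post it comes back 27 bytes long, with what should be the zero ANCOUNT/NSCOUNT/ARCOUNT fields holding the start of the name, because the string lacks the eight extra "A"s that RFC 8484's own www.example.com example (section 4.1.1) carries for a complete 12-byte header. The second tells an HTTP/1.x status line apart from a binary HTTP/2 frame, which is what curl lumps together as "HTTP/0.9" when its HTTP/1.1 request is answered by an HTTP/2-only listener. The SETTINGS frame bytes are constructed for illustration; the thread does not show what BIND actually sent back.

```python
"""Added example, not from the bind-users thread and not BIND 9 code.

  1. decode_doh_get_param(): unpack the base64url `dns=` value from a DoH GET
     URL (RFC 8484 s6) and parse the single question it carries.
     build_doh_get_param() is the reverse and reproduces the RFC's example.
  2. classify_first_bytes(): tell an HTTP/1.x status line from an HTTP/2 frame.
     curl reports anything that does not begin with "HTTP/" as HTTP/0.9.
"""
import base64
import struct

# Copied from the curl command in the original post.
THREAD_DNS_PARAM = "AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB"
# The GET example from RFC 8484 section 4.1.1 (www.example.com, type A, class IN).
RFC8484_DNS_PARAM = "AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"


def b64url_decode(s: str) -> bytes:
    # RFC 8484 s6: base64url with padding stripped; restore it for the decoder.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def _read_name(msg: bytes, off: int):
    """Read an uncompressed wire-format name starting at msg[off]."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        ln = msg[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in a question name")
        if off + ln > len(msg):
            raise ValueError(f"label length {ln} runs past end of message")
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off


def decode_doh_get_param(param: str) -> dict:
    """Parse a single-question DNS query carried in a DoH GET `dns=` value."""
    msg = b64url_decode(param)
    if len(msg) < 12:
        raise ValueError(f"{len(msg)} bytes is shorter than the 12-byte DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if qd != 1 or an or ns or ar:
        raise ValueError(f"not a single-question query: QD={qd} AN={an} NS={ns} AR={ar}")
    qname, off = _read_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("question truncated before QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": ident, "flags": flags, "qname": qname, "qtype": qtype, "qclass": qclass}


def build_doh_get_param(qname: str, qtype: int = 1, qclass: int = 1) -> str:
    """Build a `dns=` value: ID 0 (RFC 8484 s4.1 cache advice), RD set, one question."""
    header = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split(".")) + b"\x00"
    return b64url_encode(header + name + struct.pack("!HH", qtype, qclass))


# HTTP/2 frame types (RFC 7540 s6) that a server can legitimately send first.
_H2_TYPES = {0x4: "SETTINGS", 0x7: "GOAWAY"}


def classify_first_bytes(first: bytes) -> str:
    """Say what the first bytes returned by a server look like."""
    if first.startswith(b"HTTP/1."):
        return "http/1.x status line"
    if len(first) >= 9:
        # 9-byte frame header: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id.
        length = int.from_bytes(first[:3], "big")
        ftype = first[3]
        stream = int.from_bytes(first[5:9], "big") & 0x7FFFFFFF
        if ftype in _H2_TYPES and stream == 0:
            return f"http/2 {_H2_TYPES[ftype]} frame, payload {length} bytes"
    return "neither; curl reports this as HTTP/0.9"


if __name__ == "__main__":
    print(decode_doh_get_param(RFC8484_DNS_PARAM))
    try:
        decode_doh_get_param(THREAD_DNS_PARAM)
    except ValueError as e:
        print("thread query:", e)
    # Constructed sample: an empty SETTINGS frame on stream 0, not captured from BIND.
    print(classify_first_bytes(b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"))
```

`build_doh_get_param("www.example.com")` gives back the RFC's string, so pasting its output into the `--http2-prior-knowledge` curl command from the reply above sends a well-formed query; `dig +http-plain` sidesteps the question entirely because dig builds the message itself.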
Unable to Query DoH with `tls none` and Plain HTTP
Hello,

Hope you are having a great day.

I am trying to setup a BIND9 DNS over HTTP (DoH but in plain HTTP) server with the ubuntu/bind9:latest docker image behind a HTTPS load balancer, however I am unable to perform any DNS query with the newly installed BIND9 server (not through the load balancer).

I am getting the following when I try to perform the query:

    ➜ curl -v -H 'accept: application/dns-message' 'http://172.23.0.2:80/dns-query?dns=AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB'
    *   Trying 172.23.0.2:80...
    * Connected to 172.23.0.2 (172.23.0.2) port 80
    > GET /dns-query?dns=AAABAAABA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1
    > Host: 172.23.0.2
    > User-Agent: curl/8.5.0
    > accept: application/dns-message
    >
    * Received HTTP/0.9 when not allowed
    * Closing connection
    curl: (1) Received HTTP/0.9 when not allowed

and here is my named.conf.options

    options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://psrp.bbqporkmccity.com/vye5rn/iw5hSZ1O

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See http://psrp.bbqporkmccity.com/vye5rn/nH13n27l
        //
        dnssec-validation auto;

        listen-on-v6 { any; };

        // Custom Options From Here
        allow-query { any; };
        allow-transfer { none; };
        listen-on port 53 { any; };
        listen-on port 80 tls none http default { any; };
    };

Am I doing something wrong?

Thank you very much and I am looking forward to a solution.