On 6/17/21 10:17 AM, Aaron D. Gifford (that's me) via Unbound-users wrote:
Hi,

I've been trying out DoH using Unbound 1.13.1 on a FreeBSD host and a Let's Encrypt TLS certificate.  Unbound starts and listens on my DoH port, and when I connect to it, the TLS session is established as expected.  I can send DNS queries and the server sends me a response, but it's one byte short and is simply a reply containing NO RR records, only the original question sent to the server, oddly truncated by a single byte.

For example, here's what happens when I query...<<snip>>
<<snip>>
Local Unbound 1.13.1 test server using HTTP/2:
https://unbound.example.org/dns-query?dns=OmYBAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ==
<<snip>>
So now my questions.

1) WHY is Unbound NOT liking the question's format ("format error" as seen in rcode=1) when it IS in application/dns-message format, URL-safe base 64 encoded as part of the GET query?

I should add that when I attempt a non-dns-message style query to my server's "/dns-query" DoH endpoint, I simply get a 404 "Not Found" error message, again using HTTP/2, and including Accept: headers for whatever DoH reply type the server wants, application/dns-json, application/dns+json, or application/dns-message.

https://unbound.example.org/dns-query-foo?name=google.com&type=A

  404 "Not Found"

I assume this query type isn't supported.  Am I assuming foolishly and should I instead be looking for a configuration typo?

        tls-service-key: "/foo/unbound/conf/cert.key"
        tls-service-pem: "/foo/unbound/conf/cert.pem"
        ...
        http-endpoint: "/dns-query"

<<snip>>
Thanks, Unbound devs, for some excellent software!


--Aaron out

Thanks again!

--Aaron out
