DoH example config
I have this config, trying out DoH on BIND 9.17:
acl goodclients {
    192.168.1.0/24;
    localhost;
    localnets;
};

tls local-tls {
    key-file "/etc/bind/server.key";
    cert-file "/etc/bind/server.crt";
};

# HTTP endpoint description
http local-http-server {
    # multiple paths can be specified
    endpoints { "/dns-query"; };
};

options {
    directory "/var/cache/bind";
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    recursion yes;
    allow-query { goodclients; };
    allow-recursion { goodclients; };
    forwarders {
        1.1.1.1;
        1.0.0.1;
        #8.8.8.8;
        #8.8.4.4;
    };
    forward only;
    #dnssec-enable yes;
    #dnssec-validation yes;
    auth-nxdomain no; # conform to RFC1035
    http-port 80;
    https-port 443;
    max-cache-size 5%;
    listen-on port 443 tls local-tls http default { any; };
    listen-on-v6 port 443 tls local-tls http default { any; };
};
Can't seem to get HTTPS to work. Port 53 works fine. Here's the error message I get from kdig:
kdig -d @192.168.1.1 +tls-ca +tls-host=ns.example.com www.google.co.uk -p 443
;; DEBUG: Querying for owner(www.google.co.uk.), class(1), type(1), server(192.168.1.1), port(443), protocol(TCP)
;; DEBUG: TLS, imported 129 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=AU,ST=Some-State,O=Internet Widgits Pty Ltd,CN=ns.example.com
;; DEBUG: SHA-256 PIN: /BaoYTTAMxnRXqqmEHIWvlG+wUO+FQhcliV4a4Xvgm8=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; WARNING: failed to query server 192.168.1.1@443(TCP)
I'm using a self-signed cert which I imported into the system's trusted CA list. Any complete example would be highly appreciated.
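As an added illustration (not part of the post above, and not BIND's or Knot's code), the following Python shows what a DoH endpoint such as BIND's "/dns-query" actually expects on the wire per RFC 8484: an ordinary DNS wire-format query carried inside an HTTPS request with media type application/dns-message, either base64url-encoded without padding in a GET "?dns=" parameter or sent raw as a POST body. That is a different protocol from DoT, which is a TLS session carrying length-prefixed DNS directly; a client that speaks DoT to the HTTPS port never sends an HTTP request, so the HTTP layer has nothing to answer. The host name ns.example.com, the path /dns-query, the query name www.example.com and the sample response bytes are constructed assumptions for the example. Only the final `query_doh` function talks to the network; everything else runs offline.

```python
"""RFC 8484 DNS-over-HTTPS request building and response parsing.

Added example, not from the original post. Demonstrates the GET and POST
forms a DoH server expects and parses the DNS message it returns. Names,
path and the sample response are constructed for illustration.
"""
from __future__ import annotations

import base64
import struct
import urllib.request  # used only by query_doh(), which needs a live server

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted host name as DNS labels: www.example.com -> 03www07example03com00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Build a minimal recursive DNS query in wire format.

    RFC 8484 recommends ID 0 for DoH so identical questions yield identical
    GET URLs and can be served from HTTP caches.
    """
    flags = 0x0100  # standard query, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def doh_get_url(base_url: str, query: bytes) -> str:
    """GET form: base64url of the wire query with '=' padding removed (RFC 8484 4.1)."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={token}"


def doh_post_request(base_url: str, query: bytes) -> urllib.request.Request:
    """POST form: the raw wire query as the body, typed application/dns-message."""
    return urllib.request.Request(
        base_url, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name at off; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Parse header and answer section; A records are returned as dotted quads."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


# Constructed sample response: NOERROR, one A record, name compressed to offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c"
    + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + bytes([192, 0, 2, 1])
)


def query_doh(base_url: str, name: str, timeout: float = 5.0) -> dict:
    """Send the POST form to a live DoH server (needs network and a trusted cert)."""
    req = doh_post_request(base_url, build_query(name))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError(f"not a DoH answer, got Content-Type {ctype!r}")
        return parse_response(resp.read())


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url("https://ns.example.com/dns-query", q))  # assumed host/path
    print(parse_response(SAMPLE_RESPONSE))
```

The GET URL printed for www.example.com matches the worked example in RFC 8484 section 4.1.1, which is a quick way to confirm the encoder. Against a real BIND listener the POST form is the simpler test (no URL-length concerns), and the Content-Type check in `query_doh` catches the case where something other than the DoH endpoint answered on port 443.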