Created Dec 30, 2021 by awolde@awolde

DoH example config

I have this config, trying out DoH on BIND 9.17:

acl goodclients {
        192.168.1.0/24;
        localhost;
        localnets;
};

tls local-tls {
        key-file "/etc/bind/server.key";
        cert-file "/etc/bind/server.crt";
};

# HTTP endpoint description
http local-http-server {
        # multiple paths can be specified
        endpoints { "/dns-query";  };
};

options {
        directory "/var/cache/bind";

        listen-on port 53 {any;};
        listen-on-v6 port 53 {any;};
        recursion yes;
        allow-query { goodclients; };
        allow-recursion { goodclients; };

        forwarders {
                1.1.1.1;
                1.0.0.1;
                #8.8.8.8;
                #8.8.4.4;
        };
        forward only;
        #dnssec-enable yes;
        #dnssec-validation yes;

        auth-nxdomain no;    # conform to RFC1035
        http-port 80;
        https-port 443;
        max-cache-size 5%;
        listen-on port 443 tls local-tls http default {any;};
        listen-on-v6 port 443 tls local-tls http default {any;};

};

Can't seem to get HTTPS to work. Port 53 works fine. Here's the error message I get from kdig:

kdig -d @192.168.1.1 +tls-ca +tls-host=ns.example.com www.google.co.uk -p 443
;; DEBUG: Querying for owner(www.google.co.uk.), class(1), type(1), server(192.168.1.1), port(443), protocol(TCP)
;; DEBUG: TLS, imported 129 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=AU,ST=Some-State,O=Internet Widgits Pty Ltd,CN=ns.example.com
;; DEBUG:      SHA-256 PIN: /BaoYTTAMxnRXqqmEHIWvlG+wUO+FQhcliV4a4Xvgm8=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; WARNING: failed to query server 192.168.1.1@443(TCP)

I'm using a self-signed cert which I imported to the system's trusted CA list. Any complete example would be highly appreciated.
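As an added example (not code from the issue, and not BIND's own tooling): a small client that exercises the `listen-on ... tls local-tls http default` listener from the config above at the HTTP layer, by POSTing an RFC 8484 `application/dns-message` query to the `/dns-query` endpoint over TLS and decoding the reply header. The server address, the certificate name `ns.example.com`, and the path of the self-signed certificate used as the trust anchor are assumptions reused from the issue; the sample reply in the comments is constructed.

```python
"""Query a BIND DoH listener (RFC 8484, application/dns-message) and decode the reply."""
import http.client
import socket
import ssl
import struct


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal wire-format query; ID 0 is what RFC 8484 suggests for DoH cacheability."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_response(data: bytes) -> dict:
    """Return rcode and section counts from a DNS reply header; reject non-responses."""
    if len(data) < 12:
        raise ValueError("reply shorter than a DNS header")
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: payload is not a DNS response")
    return {"rcode": flags & 0x000F, "question": qd, "answer": an,
            "authority": ns, "additional": ar}


def query_doh(ip: str, server_name: str, name: str, ca_file: str,
              path: str = "/dns-query", port: int = 443) -> dict:
    """POST a query to the DoH endpoint, verifying the server cert against ca_file."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trust only the listed cert
    raw = socket.create_connection((ip, port), timeout=5)
    # Send SNI and check the certificate name even though we dial by IP address.
    tls = ctx.wrap_socket(raw, server_hostname=server_name)
    conn = http.client.HTTPSConnection(server_name, port, timeout=5)
    conn.sock = tls  # reuse the verified socket instead of letting http.client dial by name
    conn.request("POST", path, body=build_query(name), headers={
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message",
    })
    resp = conn.getresponse()
    ctype = resp.getheader("Content-Type")
    if resp.status != 200 or ctype != "application/dns-message":
        raise ValueError(f"unexpected reply: HTTP {resp.status}, Content-Type {ctype}")
    return parse_response(resp.read())


if __name__ == "__main__":
    # Assumed values from the issue: server IP, cert CN, and the cert file as trust anchor.
    print(query_doh("192.168.1.1", "ns.example.com", "www.google.co.uk",
                    "/etc/bind/server.crt"))
```

A reply with `rcode` 0 and a non-zero `answer` count confirms that TLS, the HTTP endpoint and forwarding all work; a TLS or HTTP error points at the layer that fails.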
