Unable to Query DoH with No TLS
Summary
I am trying to set up a BIND9 DNS over HTTP (DoH, but in plain HTTP) server behind an HTTPS load balancer; however, I am unable to perform any DNS query with the newly installed server.
BIND version affected
BIND 9.18.18-0ubuntu2-Ubuntu (Extended Support Version)
Steps to reproduce
- Run BIND9 with the below config
- Query the BIND9 server with the following command

curl -v -H 'accept: application/dns-message' --http1.1 'http://<IP address of the BIND9 server>:80/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB'
What is the current bug behavior?
Returns the following
➜ curl -v -H 'accept: application/dns-message' --http1.1 'http://172.23.0.2:80/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB'
* Trying 172.23.0.2:80...
* Connected to 172.23.0.2 (172.23.0.2) port 80
> GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1
> Host: 172.23.0.2
> User-Agent: curl/8.5.0
> accept: application/dns-message
>
* Received HTTP/0.9 when not allowed
* Closing connection
curl: (1) Received HTTP/0.9 when not allowed
What is the expected correct behavior?
Returns DNS results such as this (this is with tls ephemeral in the config)
➜ curl -k -H 'accept: application/dns-message' 'https://10.0.0.75:80/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | hexdump -C
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 49 100 49 0 0 1866 0 --:--:-- --:--:-- --:--:-- 1884
00000000 00 00 81 80 00 01 00 01 00 00 00 00 03 77 77 77 |.............www|
00000010 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 |.example.com....|
00000020 01 c0 0c 00 01 00 01 00 01 51 2a 00 04 5d b8 d8 |.........Q*..]..|
00000030 22 |"|
00000031
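As an added example (not part of this report or of BIND), the Python below works through what the reproduction command sends and what the expected-behaviour hexdump contains: it rebuilds the base64url dns= parameter for an A query for www.example.com as RFC 8484 GET requires, and parses the 49-byte response shown above, embedded here as constructed sample data copied from that hexdump.

```python
import base64
import struct

# Constructed sample: the 49-byte expected-behaviour response from the hexdump above.
SAMPLE_RESPONSE = bytes.fromhex(
    "0000818000010001000000000377777707"
    "6578616d706c6503636f6d0000010001"
    "c00c000100010001512a00045db8d822"
)

def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_doh_query(name: str, qtype: int = 1) -> str:
    """Wire-format query (ID 0, RD set, one question) as base64url without padding,
    which is exactly the form of the dns= parameter in the report's curl command."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")

def read_name(data: bytes, off: int):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:  # compression pointer (the c0 0c in the answer)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_doh_response(data: bytes) -> dict:
    """Parse header, skip the question section, and return the answer RRs."""
    ident, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(data, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        val = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, val))
    return {"id": ident, "rcode": flags & 0xF, "answers": answers}
```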
Relevant configuration files
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    listen-on-v6 { any; };

    // Custom Options From Here
    allow-query { any; };
    allow-transfer { none; };
    listen-on port 53 { any; };
    listen-on port 80 tls none http default { any; };
};
Relevant logs
No new log line is available after the issue happens.