[nsd-users] Testing DoH
Wytze van der Raay
wytze at deboca.net
Mon Dec 8 15:21:39 UTC 2025
On 08-12-2025 at 15:28, Chris Croome via nsd-users wrote:
> Hi
>
> I have a development NSD server running on Debian Trixie (using the Debian
> package) with the following server section in /etc/nsd/nsd.conf:
>
> server:
>     hide-identity: yes
>     hide-version: yes
>     log-only-syslog: yes
>     ip-address: 81.95.52.27
>     interface: 81.95.52.27@853
>     tls-port: 853
>     tls-service-key: /etc/nsd/dns5.webarch.org.uk.privkey.secp384r1.pem
>     tls-service-pem: /etc/nsd/dns5.webarch.org.uk.pubcert.secp384r1.pem
>
> I have used ip-address and interface rather than either using interface
> twice or ip-address twice in order that the config is parsable as YAML.
>
> Everything is fine with queries to port 53, but I'm struggling to get a
> response on port 853; the server doesn't have a firewall running for
> either of these two ports.
>
> dig @dns5.webarch.org.uk webarch.org.uk A +short
> 81.95.52.56
>
> I have installed doh-cli [1] and tried testing using that:
>
> doh-cli --verbose --url https://dns5.webarch.org.uk:853 webarch.org.uk A
> ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))
>
> This fails after a while with the above error.
NSD does not support DoH (DNS-over-HTTPS). But it does support DoT
(DNS-over-TLS), which runs indeed on port 853 normally. To check it, you could
configure unbound to query your DNS server only over TLS.
Kind regards,
Wytze van der Raay
> Is there another CLI tool that anyone would suggest I try testing the
> service with, or have I not configured the server correctly, or is there
> an issue with the TLS cert and key?
>
> The cert and key are the same ones that Apache is using:
>
> - https://www.ssllabs.com/ssltest/analyze.html?d=dns5.webarch.org.uk
>
> All the best
>
> Chris
>
>
> [1] https://pypi.org/project/doh-cli/
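The difference between the two protocols explains the error in the thread: a DoH client opens a TLS session and then speaks HTTP, whereas a DoT listener (RFC 7858) expects a DNS message with the same 2-byte length prefix DNS already uses over TCP, so it drops the connection when it sees an HTTP request. The script below is an added example, not part of this thread and not NSD's or unbound's code; it sends a single length-prefixed DNS query over TLS on port 853 and parses the answer, which is the same exchange a TLS-forwarding unbound would perform. The server name, zone and address come from the thread; the transaction id, TTL and the sample response are constructed.

```python
"""Minimal DNS-over-TLS (RFC 7858) probe for an authoritative server.

Added example (not from the nsd-users thread). Host, zone and address are
taken from the thread; the sample response below is constructed.
"""
import socket
import ssl
import struct
from typing import Optional, Tuple

RR_TYPES = {"A": 1, "NS": 2, "SOA": 6, "AAAA": 28}


def build_query(name: str, qtype: str = "A", txid: int = 0x1234) -> bytes:
    """DNS wire-format query: 12-byte header plus one question, RD bit clear.

    An authoritative server such as NSD only answers for zones it serves, so
    recursion is deliberately not requested (flags = 0x0000).
    """
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", RR_TYPES[qtype], 1)  # class IN


def frame_for_tcp(message: bytes) -> bytes:
    """DoT reuses RFC 1035 TCP framing: a 2-byte big-endian length prefix.

    A DoH client would instead send an HTTP request here, which a DoT-only
    listener cannot parse; that is the mismatch behind the thread's
    "Remote end closed connection without response".
    """
    return struct.pack("!H", len(message)) + message


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_response(msg: bytes, expected_txid: int = 0x1234) -> dict:
    """Return rcode, the AA flag and the answer records of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: possible spoofed reply")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        text = socket.inet_ntoa(rdata) if rtype == 1 and rdlength == 4 else rdata.hex()
        answers.append((name, "A" if rtype == 1 else str(rtype), ttl, text))
    return {"rcode": flags & 0x000F, "aa": bool(flags & 0x0400), "answers": answers}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the TLS session early")
        buf += chunk
    return buf


def query_dot(server: str, name: str, qtype: str = "A", port: int = 853,
              sni: Optional[str] = None, timeout: float = 5.0) -> dict:
    """One query over TLS on port 853, with certificate and hostname validation."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or server) as tls:
            tls.sendall(frame_for_tcp(build_query(name, qtype)))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            return parse_response(_recv_exact(tls, length))


# Constructed sample (not captured from the real server): an authoritative
# answer with one A record, using a compression pointer (0xC00C) to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
    + build_query("webarch.org.uk", "A")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([81, 95, 52, 56])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))  # offline check of the parser
    # Live check against the server from the thread (needs network access):
    print(query_dot("dns5.webarch.org.uk", "webarch.org.uk", "A"))
```

If the live call raises an `ssl.SSLError`, the problem is the certificate or key NSD is presenting; if the TLS handshake succeeds but `_recv_exact` reports an early close or the call times out, the listener is up but not answering DNS on that port, which separates a TLS configuration fault from a listener or routing fault.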