Unbound DNS over HTTPS Trouble

Aaron D. Gifford anothernsduser at tambler.com
Thu Jun 17 16:50:14 UTC 2021

On 6/17/21 10:17 AM, Aaron D. Gifford (that's me) via Unbound-users wrote:
> Hi,
> I've been trying out DoH using Unbound 1.13.1 on a FreeBSD host and a 
> Let's Encrypt TLS certificate.  Unbound starts and listens on my DoH 
> port, and when I connect to it, the TLS session is established as 
> expected.  I can send DNS queries and the server sends me a response, 
> but it's one byte short and is simply a reply containing NO RR 
> records, only the original question sent to the server, oddly 
> truncated by a single byte.
> For example, here's what happens when I query...<<snip>>
> Local Unbound 1.13.1 test server using HTTP/2:
> https://unbound.example.org/dns-query?dns=OmYBAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ== 
> So now my questions.
> 1) WHY is Unbound NOT liking the question's format ("format error" as 
> seen in rcode=1) when it IS in application/dns-message format, 
> URL-safe base 64 encoded as part of the GET query?

I should add that when I attempt a non-dns-message style query to my 
server's "/dns-query" DoH endpoint, I simply get a 404 "Not Found" error 
message, again using HTTP/2, and including Accept: headers for whatever 
DoH reply type the server wants, application/dns-json, 
application/dns+json, or application/dns-message.


   404 "Not Found"

I assume this query type isn't supported.  Am I assuming foolishly and 
should I instead be looking for a configuration typo?

         tls-service-key: "/foo/unbound/conf/cert.key"
         tls-service-pem: "/foo/unbound/conf/cert.pem"
         http-endpoint: "/dns-query"

> Thanks, Unbound devs, for some excellent software!
> --Aaron out

Thanks again!

--Aaron out

More information about the Unbound-users mailing list