Unbound DNS over HTTPS Trouble

A. Schulze sca at andreasschulze.de
Thu Jun 17 17:19:49 UTC 2021

Am 17.06.21 um 18:17 schrieb Aaron D. Gifford via Unbound-users:
> Hi,
> I've been trying out DoH using Unbound 1.13.1 on a FreeBSD host and a Let's Encrypt TLS certificate.  Unbound starts and listens on my DoH port, and when I connect to it, the TLS session is established as expected.  I can send DNS queries and the server sends me a response, but it's one byte short and is simply a reply containing NO RR records, only the original question sent to the server, oddly truncated by a single byte.


you didn't describe, which client you used to send the DoH query.

Here are my favorites:

As I compile unbound myself, I can run "make dohclient"
# dohclient 
usage: dohclient [options] name type class ...
        sends the name-type-class queries over DNS-over-HTTPS.
-s server       IP address to send the queries to, default:
-p              Port to connect to, default: 443
-P              Use POST method instead of default GET
-e              HTTP endpoint, default: /dns-query
-c              Content-type in request, default: application/dns-message
-n              no-tls, TLS is disabled
-h              This help text

kdig: (maybe modern dig version also support DoH)
# kdig -p 53 hostname.bind. txt ch @ +https
# kdig -p 53 hostname.bind. txt ch @ +https-get

a recent version of curl
# curl --verbose --doh-url https://unbound.example:443/dns-query https://nlnetlabs.nl

all versions work here with 1.13.1 on Debian/Linux


More information about the Unbound-users mailing list