Unbound DNS over HTTPS Trouble
Aaron D. Gifford
anothernsduser at tambler.com
Thu Jun 17 17:48:39 UTC 2021
On 6/17/21 11:19 AM, A. Schulze via Unbound-users wrote:
> Am 17.06.21 um 18:17 schrieb Aaron D. Gifford via Unbound-users:
>> I've been trying out DoH using Unbound 1.13.1 on a FreeBSD host and a Let's Encrypt TLS certificate. Unbound starts and listens on my DoH port, and when I connect to it, the TLS session is established as expected. I can send DNS queries and the server sends me a response, but it's one byte short and is simply a reply containing NO RR records, only the original question sent to the server, oddly truncated by a single byte.
> you didn't describe, which client you used to send the DoH query.
I sent the HTTP/2 GET query using libcurl's facilities. I don't believe
the querying code nor HTTP/2 HTTP/1.1 HTTP/1.0 implementation libcurl
uses is related to why the server's response is truncated, one byte
short of a valid application/dns-message response. Whether I send it
using libcurl or from the CLI with the curl command directly, the issue
is the same.
And to be clear, the client isn't doing the reply truncation. The
HTTP/2 server response clearly includes a "Content-Length: 27" header,
indicating the FULL reply is exactly 27 bytes in size. And I fully
documented in my original post how it SHOULD have been a 28-byte reply
to be a valid "Content-Type: application/dns-message" response. The
"question" section of the response was one-byte short, supplying only a
single zero byte where a two-byte value is described in the DNS RFCs for
the question section's rtype field. Two bytes, a zero followed by a one,
were expected, where only a single zero byte was provided. This is why
I suspect this truncation issue might be a bug in Unbound.
Thanks for your reply!
I didn't realize that curl's more recent incarnation added a --doh-url
option. That might prove useful in the future.
More information about the Unbound-users