Unbound DNS over HTTPS Trouble

Aaron D. Gifford anothernsduser at tambler.com
Thu Jun 17 17:48:39 UTC 2021

On 6/17/21 11:19 AM, A. Schulze via Unbound-users wrote:
> Am 17.06.21 um 18:17 schrieb Aaron D. Gifford via Unbound-users:
>> Hi,
>> I've been trying out DoH using Unbound 1.13.1 on a FreeBSD host and a Let's Encrypt TLS certificate.  Unbound starts and listens on my DoH port, and when I connect to it, the TLS session is established as expected.  I can send DNS queries and the server sends me a response, but it's one byte short and is simply a reply containing NO RR records, only the original question sent to the server, oddly truncated by a single byte.
> Hi,
> You didn't describe which client you used to send the DoH query.

I sent the HTTP/2 GET query using libcurl's facilities.  I don't believe 
the querying code or the HTTP/2, HTTP/1.1, or HTTP/1.0 implementation 
libcurl uses is related to why the server's response is truncated, one 
byte short of a valid application/dns-message response.  Whether I send 
it using libcurl or from the CLI with the curl command directly, the 
issue is the same.

And to be clear, the client isn't doing the reply truncation.  The 
HTTP/2 server response clearly includes a "Content-Length: 27" header, 
indicating the FULL reply is exactly 27 bytes in size.  And I fully 
documented in my original post how it SHOULD have been a 28-byte reply 
to be a valid "Content-Type: application/dns-message" response.  The 
"question" section of the response was one byte short, supplying only a 
single zero byte where a two-byte value is described in the DNS RFCs for 
the question section's rtype field. Two bytes, a zero followed by a one, 
were expected, where only a single zero byte was provided.  This is why 
I suspect this truncation issue might be a bug in Unbound.

> Andreas

Thanks for your reply!

I didn't realize that curl's more recent incarnation added a --doh-url 
option.  That might prove useful in the future.

--Aaron out.
