Unbound DNS over HTTPS Trouble

A. Schulze sca at andreasschulze.de
Thu Jun 17 17:57:02 UTC 2021

Am 17.06.21 um 19:48 schrieb Aaron D. Gifford via Unbound-users:
> On 6/17/21 11:19 AM, A. Schulze via Unbound-users wrote:
>> Am 17.06.21 um 18:17 schrieb Aaron D. Gifford via Unbound-users:
>>> Hi,
>>> I've been trying out DoH using Unbound 1.13.1 on a FreeBSD host and a Let's Encrypt TLS certificate.  Unbound starts and listens on my DoH port, and when I connect to it, the TLS session is established as expected.  I can send DNS queries and the server sends me a response, but it's one byte short and is simply a reply containing NO RR records, only the original question sent to the server, oddly truncated by a single byte.
>> Hi,
>> you didn't describe, which client you used to send the DoH query.
> I sent the HTTP/2 GET query using libcurl's facilities.  I don't believe the querying code nor HTTP/2 HTTP/1.1 HTTP/1.0 implementation libcurl uses is related to why the server's response is truncated, one byte short of a valid application/dns-message response.  Whether I send it using libcurl or from the CLI with the curl command directly, the issue is the same.
> And to be clear, the client isn't doing the reply truncation.  The HTTP/2 server response clearly includes a "Content-Length: 27" header, indicating the FULL reply is exactly 27 bytes in size.  And I fully documented in my original post how it SHOULD have been a 28-byte reply to be a valid "Content-Type: application/dns-message" response.  The "question" section of the response was one-byte short, supplying only a single zero byte where a two-byte value is described in the DNS RFCs for the question section's rtype field. Two bytes, a zero followed by a one, were expected, where only a single zero byte was provided.  This is why I suspect this truncation issue might be a bug in Unbound.

as the DoH-implementation depends on libnghttp2: which version do you use?
I'm on 1.43.0 (https://packages.debian.org/bullseye/libnghttp2-14)

unforunately, "unbound -V" don't mention this version
in contrast to "Linked libs: libev 4.33 (it uses epoll), OpenSSL 1.1.1k  25 Mar 2021"

@nlnetlabs: feature request :-)


More information about the Unbound-users mailing list