Unbound DoT traffic is identified as DoH

Johan Hjälm Johan.Hjalm at sectra.com
Wed Oct 6 07:08:53 UTC 2021


Hello

My company updated their unbound installation a few days ago and I see some strange behavior after that.

Unbound is installed on a CentOS 7 machine and the version we had was 1.9.0 from yum.
This version had some issues validating host names, so I was asked to update to the latest (1.13.2).

I compiled it with no extra flags and installed it, used our old config and started unbound.

To my confusion, traffic was blocked in our firewall (port 853 only open to SSL and DoT), and when I reviewed the logs I saw the traffic identified as DoH, but nothing like that is configured. I was under the impression that in order to make DoH work you have to pass some extra compilation flag, which I have not done.

When I capture all traffic on the host I can only see DoT traffic, so I suspect the firewall is identifying the traffic wrongly. Has anyone else seen this? It's a Palo Alto firewall of some model.

The strangest thing of all is that before I upgraded the installation, all traffic was identified as DoT, but with no hostname verification.

I'm starting to think that the problem could actually be that the firewall is doing something wrong.

I hope someone can give me a push in the right direction in order to solve this.

BR
Johan
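
For reference, the following is an added unbound.conf fragment (not from the post above, and not the poster's configuration) showing the DoT forwarding setup the post is about, with the `#hostname` suffix that makes Unbound verify the upstream certificate against a name. The forwarder addresses and hostnames are illustrative assumptions; the CA bundle path is the CentOS 7 default.

```conf
# Added example, not the original poster's config: DNS-over-TLS forwarding
# with hostname verification of the upstream certificate.
server:
    # CA bundle used to validate the upstream's certificate chain
    # (default location on CentOS 7; adjust for other distributions)
    tls-cert-bundle: "/etc/pki/tls/certs/ca-bundle.crt"

forward-zone:
    name: "."
    # Wrap all upstream queries to these forwarders in TLS (port 853)
    forward-tls-upstream: yes
    # Format is IP@port#hostname. The name after '#' is what Unbound checks
    # the presented certificate against; without it the TLS session is
    # encrypted but the upstream is not authenticated to a hostname.
    # Quad9 is used here purely as an illustrative upstream (assumption).
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

Run `unbound-checkconf` before restarting to catch syntax errors. `unbound -V` prints the configure line used at build time; DoH support, which in Unbound 1.13.x only serves queries from downstream clients and is not used for upstream forwarding, is present only if `--with-libnghttp2` appears there. Unbound's own traffic to a forwarder on 853 configured as above is TLS-wrapped DNS, so if a firewall labels it DoH the classification is the firewall's, not a change in what Unbound sends on the wire.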
