Can unbound answer both DoH and DoT on the same port ?
Philip Homburg
philip at nlnetlabs.nl
Thu Jan 11 19:58:10 UTC 2024
On 11/01/2024 19:26, Peter Hessler via Unbound-users wrote:
>
> :I wonder if unbound is flexible enough to discern that a request is either
> :DoH or DoT and then answer with the matching protocol ?
> :
> :Is that a silly idea ?
> :
> :
> :Thank you.
> :
>
> That isn't possible. The clients would expect different behaviour than
> what the server is providing.

In theory it should be possible to run DoT and DoH on the same port. The
reason is that HTTP/2 requires an ALPN with the string 'h2'. The DoT
RFC does not require a specific ALPN. But this should be enough. If the
ALPN is h2, the server uses HTTP/2; for anything else, the server does DoT.

Note that at this time, unbound does not do this. However, some proxies
may be able to split TLS traffic based on ALPN.