Opening DoH 443/TCP without opening 443/UDP

Yorgos Thessalonikefs yorgos at nlnetlabs.nl
Wed Jan 22 16:06:49 UTC 2025


Hi Dominic,

This wasn't possible as you may need, for example, to usually listen on
both UDP and TCP on port 53.

However, I think that for encrypted channels on single transport
protocols, like your example, it is not desirable to have both encrypted
and unencrypted traffic on the same port.

https://github.com/NLnetLabs/unbound/commit/f822042cd027d380a5050a48c7ac1c5073dbaad5
solves that specifically for encrypted transports: if one of
DoT, DoH or DoQ is used on the interface, the other transport will only
allow encrypted variants as well.

For your example, only DoQ is allowed to open UDP next to DoH.

Best regards,
-- Yorgos

On 09/01/2025 16:22, Dominic Preston via Unbound-users wrote:
> Hi, I have an Unbound resolver serving standard DNS over 53/UDP and 53/TCP.
> 
> It also serves DNS-over-HTTPS queries over 443/TCP by way of this 
> instruction:
> interface: 2603:1c78:b7fa:b2df:8fad:3f52:0955:d930@443
> 
> In this configuration, standard DNS is still served over 443/UDP,
> despite 443/TCP not serving standard DNS. Is there any way to close
> 443/UDP without disabling anything else or invoking a firewall rule?
> 
> Thanks,
> Dominic.
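The behaviour discussed in the question and the reply, as an added model written for this page (it is not Unbound's code and does not reproduce the linked commit): given a few `interface:` lines and the port options, it lists which sockets would be bound before and after the change Yorgos describes. The default port values (53, 853, 443, 853) are assumed from Unbound's documented defaults; the sample config is constructed.

```python
import re

# Assumed Unbound defaults: port, tls-port, https-port, quic-port.
DEFAULTS = {"port": 53, "tls-port": 853, "https-port": 443, "quic-port": 853}

# Constructed sample: plain DNS on 53 plus a DoH listener on 443.
SAMPLE_CFG = """server:
    interface: 192.0.2.1
    interface: 192.0.2.1@443   # DoH listener
    https-port: 443
"""

def parse_unbound(cfg: str) -> dict:
    """Minimal parser: collect interface lines and the *-port options."""
    opts, ifaces = dict(DEFAULTS), []
    for line in cfg.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([\w-]+):\s*(.+)", line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "interface":
            ifaces.append(val)
        elif key in opts:
            opts[key] = int(val)
    return {"interfaces": ifaces, "opts": opts}

def listeners(cfg: str, encrypted_only_fix: bool) -> set:
    """Return {(address, port, proto, service)} that would be bound."""
    conf = parse_unbound(cfg)
    o, out = conf["opts"], set()
    for spec in conf["interfaces"]:
        if "@" in spec:
            addr, port = spec.rsplit("@", 1)
            port = int(port)
        else:
            addr, port = spec, o["port"]
        tcp = "doh" if port == o["https-port"] else "dot" if port == o["tls-port"] else "dns"
        udp = "doq" if port == o["quic-port"] else "dns"
        if encrypted_only_fix:
            # After the fix: an encrypted transport on one protocol means the
            # other protocol on the same interface/port only opens if it is
            # encrypted too, so plain DNS on 443/UDP is no longer bound.
            if tcp != "dns" and udp == "dns":
                udp = None
            if udp != "dns" and tcp == "dns":
                tcp = None
        if tcp:
            out.add((addr, port, "tcp", tcp))
        if udp:
            out.add((addr, port, "udp", udp))
    return out
```

Appending `quic-port: 443` to the sample makes 443/UDP reappear as DoQ, matching the reply's statement that only DoQ may open UDP next to DoH.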
