Opening DoH 443/TCP without opening 443/UDP

Dominic Preston lzqhwo at gmail.com
Fri Jan 24 04:10:46 UTC 2025


Hi Yorgos,

Thank you for making the commit, I agree with your reasoning.

Kind regards,
Dominic.

On Wed, 22 Jan 2025 at 16:07, Yorgos Thessalonikefs via Unbound-users
<unbound-users at lists.nlnetlabs.nl> wrote:
>
> Hi Dominic,
>
> This wasn't possible as you may need for example to usually listen on
> both UDP and TCP on port 53.
>
> However I think that for encrypted channels on single transport
> protocols, like your example, it is not desirable to have both encrypted
> and unencrypted traffic on the same port.
>
> https://github.com/NLnetLabs/unbound/commit/f822042cd027d380a5050a48c7ac1c5073dbaad5
> solves that specifically for encrypted transports where if one of
> DoT, DoH or DoQ are used on the interface, the other transport will only
> allow encrypted variants as well.
>
> For your example only DoQ is allowed to open UDP next to DoH.
>
> Best regards,
> -- Yorgos
>
> On 09/01/2025 16:22, Dominic Preston via Unbound-users wrote:
> > Hi, I have an Unbound resolver serving standard DNS over 53/UDP and 53/TCP.
> >
> > It also serves DNS-over-HTTPS queries over 443/TCP by way of this
> > instruction:
> > interface: 2603:1c78:b7fa:b2df:8fad:3f52:0955:d930@443
> >
> > In this configuration, standard DNS is still served over 443/UDP,
> > despite 443/TCP not serving standard DNS. Is there any way to close
> > 443/UDP without disabling anything else or invoking a firewall rule?
> >
> > Thanks,
> > Dominic.
>
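The behaviour discussed in the thread, as an added illustration that is not part of the mailing-list exchange and not Unbound's own code: a small audit script that reads an unbound.conf, finds every `interface:` whose port carries an encrypted transport on one protocol (DoT/DoH on TCP, DoQ on UDP) and reports where the same port on the other protocol would, on a release without the referenced commit, still answer plaintext DNS. It assumes Unbound's documented defaults (port 53, tls-port 853, https-port 443, quic-port 853), parses only the handful of server: options it needs, and the sample configuration inside it is constructed (192.0.2.1 is a documentation address).

```python
"""Audit an Unbound config for interfaces that mix an encrypted transport
with plaintext DNS on the same port (pre-fix behaviour from the thread).

Added example, not Unbound project code. Assumes Unbound's documented
default ports; understands '# comments', 'key: value' lines and the
addr@port interface syntax, nothing more.
"""

# Unbound defaults (assumed): plain DNS 53, DoT 853, DoH 443, DoQ 853
DEFAULTS = {"port": 53, "tls-port": 853, "https-port": 443, "quic-port": 853}


def parse_unbound_conf(text):
    """Return (port options, [(address, port)]) parsed from unbound.conf text."""
    ports = dict(DEFAULTS)
    interfaces = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or ":" not in line:
            continue
        # keys never contain ':', so the first colon separates key and value
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key in ports:
            ports[key] = int(value)
        elif key == "interface":
            addr, sep, port = value.rpartition("@")    # IPv6-safe split
            if not sep:                                # no @port: uses 'port:'
                addr, port = value, None
            interfaces.append((addr, port))
    # 'port:' may appear after the interface lines, so resolve at the end
    resolved = [(a, int(p) if p is not None else ports["port"])
                for a, p in interfaces]
    return ports, resolved


def audit_plaintext_exposure(text):
    """Flag interfaces whose port is encrypted on one transport only.

    Before the fix, Unbound opened both UDP and TCP for every interface, so
    a DoH/DoT port also answered plaintext DNS over UDP (and a DoQ-only port
    would answer plaintext DNS over TCP). Returns one finding per interface.
    """
    ports, interfaces = parse_unbound_conf(text)
    encrypted_tcp = {ports["tls-port"]: "DoT", ports["https-port"]: "DoH"}
    encrypted_udp = {ports["quic-port"]: "DoQ"}
    findings = []
    for addr, port in interfaces:
        tcp_name = encrypted_tcp.get(port)
        udp_name = encrypted_udp.get(port)
        if tcp_name and not udp_name:
            findings.append(
                f"{addr}@{port}: {tcp_name} on TCP but plaintext DNS on {port}/UDP")
        elif udp_name and not tcp_name:
            findings.append(
                f"{addr}@{port}: {udp_name} on UDP but plaintext DNS on {port}/TCP")
    return findings


# Constructed sample config mirroring the thread's DoH interface
SAMPLE = """server:
    interface: 0.0.0.0
    interface: 2603:1c78:b7fa:b2df:8fad:3f52:0955:d930@443   # DoH, as in the thread
    interface: 192.0.2.1@853                                  # DoT; DoQ shares 853 by default
    https-port: 443
    tls-service-key: "/etc/unbound/key.pem"
    tls-service-pem: "/etc/unbound/cert.pem"
"""

if __name__ == "__main__":
    for finding in audit_plaintext_exposure(SAMPLE):
        print(finding)
    # → 2603:1c78:b7fa:b2df:8fad:3f52:0955:d930@443: DoH on TCP but plaintext DNS on 443/UDP
```

The 853 interface produces no finding because DoT (TCP) and DoQ (UDP) share that port by default; setting `quic-port: 443` on the DoH interface is the one case where, as Yorgos notes, UDP legitimately sits next to DoH on the same port.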

