
DNS Proxy as DoH Server with NGINX #188

Closed
MarinoMtz opened this issue Nov 16, 2021 · 10 comments

Comments

@MarinoMtz (Contributor) commented Nov 16, 2021

Hi,

I'm trying to configure a DNS server using dnsproxy as the forwarder for the DNS queries. The configuration I have is the following:

Client: dnsproxy as a DoH client
Server: dnsproxy as a forwarder; the idea is that it takes the DNS query from the HTTP request and then replies with the corresponding DNS response using the desired upstream. For certificate validation I use NGINX with Let's Encrypt certs.

I have the following configuration:

Client:

verbose: true
output: /home/ivan/client.txt
listen-addrs:
  - 127.0.0.3
listen-ports:
  - 53
tls-min-version: 1.3
upstream:
  - "https://dohauth.iot-roam.net/dns-query"
bootstrap:
  - '8.8.8.8:53'
cache-size: 64000
ratelimit: 0
ipv6-disabled: false
udp-buf-size: 0
max-go-routines: 0
version: false

Server:

---
bootstrap:
  - "8.8.8.8:53"
listen-addrs:
  - "127.0.0.1"
listen-ports:
  - 53
  - 8053
max-go-routines: 0
ratelimit: 0
udp-buf-size: 0
upstream:
  - "8.8.8.8:53"
https-port:
  - 443
verbose: true
output: "/home/ivan/server.txt"

Then, if I run tshark I can actually see the DNS query arriving:

Running as user "root" and group "root". This could be dangerous.
Capturing on 'Loopback: lo'
    1 0.000000000    127.0.0.1 → 127.0.0.1    TCP 74 32902 → 8053 [SYN] Seq=0 Win=65495 Len=0 MSS=65495 SACK_PERM=1 TSval=1702772584 TSecr=0 WS=128
    2 0.000015800    127.0.0.1 → 127.0.0.1    TCP 74 8053 → 32902 [SYN, ACK] Seq=0 Ack=1 Win=65483 Len=0 MSS=65495 SACK_PERM=1 TSval=1702772584 TSecr=1702772584 WS=128
    3 0.000031916    127.0.0.1 → 127.0.0.1    TCP 66 32902 → 8053 [ACK] Seq=1 Ack=1 Win=65536 Len=0 TSval=1702772584 TSecr=1702772584
    4 0.000443476    127.0.0.1 → 127.0.0.1    HTTP 387 GET /dns-query?dns=l0YBIAABAAAAAAABBmdvb2dsZQNjb20AAAEAAQAAKRAAAAAAAAAMAAoACFlUCwOWR0Cg HTTP/1.1 

But there is no successful DNS resolution.

I attached both the server-side and client-side traces:

client.txt
server.txt

Maybe I'm misunderstanding something?
Thanks for your help!
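The tshark line above shows the client sending an RFC 8484 GET with the query in the `?dns=` parameter. The following is an added example (not code from the issue or from dnsproxy) that decodes that captured value offline and builds a fresh one, so a test request can be checked by hand before debugging the nginx side; the captured string is copied from the trace, and all function names are this example's own.

```python
import base64
import struct

# ?dns= value copied from the tshark line in the issue (embedded so this runs offline)
CAPTURED_DNS_PARAM = "l0YBIAABAAAAAAABBmdvb2dsZQNjb20AAAEAAQAAKRAAAAAAAAAMAAoACFlUCwOWR0Cg"

def b64url_decode(s: str) -> bytes:
    # RFC 8484 strips the '=' padding from base64url; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def read_name(msg: bytes, off: int):
    labels = []
    while msg[off] != 0:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compression pointer in query name")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def parse_doh_get_param(param: str) -> dict:
    """Decode a ?dns= value into header fields, question and EDNS details."""
    msg = b64url_decode(param)
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!2H", msg[off:off + 4])
    off += 4
    info = {"id": ident, "rd": bool(flags & 0x0100), "qname": qname,
            "qtype": qtype, "qclass": qclass, "arcount": ar, "edns": None}
    for _ in range(ar):  # additional section: look for the OPT pseudo-RR (type 41)
        _, off = read_name(msg, off)
        rtype, udp_size, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 41:
            opts, p = [], 0
            while p + 4 <= len(rdata):  # option code / length pairs, e.g. 10 = COOKIE
                code, olen = struct.unpack("!2H", rdata[p:p + 4])
                opts.append(code)
                p += 4 + olen
            info["edns"] = {"udp_size": udp_size, "options": opts}
    return info

def build_doh_get_param(name: str, qtype: int = 1) -> str:
    """Build a minimal RD=1, ID=0 query (RFC 8484 suggests ID 0 for cacheability)."""
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                      for lab in name.rstrip(".").split("."))
    msg = struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0) + labels + b"\x00"
    msg += struct.pack("!2H", qtype, 1)
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
```

Decoding the captured value shows a query for google.com type A with an EDNS OPT record (4096-byte UDP size, DNS COOKIE option), i.e. the client side of the setup is producing a well-formed DoH GET.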

@ameshkov (Member) commented:

Could it be that misconfiguration is on the nginx side? Have you tried using curl and requesting the plain HTTP URL first?

Also, why listening on 443 for plain HTTP?

@MarinoMtz (Contributor, Author) commented:

Hi,

I have tried using curl as you suggested, but I get this:

ivan@ivan:~$ curl -i --http2 https://dohauth.iot-roam.net:443/dns-query
HTTP/2 502 
server: nginx/1.20.1
date: Wed, 17 Nov 2021 09:24:50 GMT
content-type: text/html
content-length: 157
strict-transport-security: max-age=31536000; includeSubDomains

<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.20.1</center>
</body>
</html>

Then, if I stop dnsproxy and start another DoH server (the one I want to replace with dnsproxy, m13253, which is actually working now):

ivan@ivan:~$ curl -i --http2 https://dohauth.iot-roam.net:443/dns-query
HTTP/2 415 
server: nginx/1.20.1
date: Wed, 17 Nov 2021 09:21:36 GMT
content-type: application/json; charset=UTF-8
content-length: 62
access-control-allow-headers: Content-Type
access-control-allow-methods: GET, HEAD, OPTIONS, POST
access-control-allow-origin: *
access-control-max-age: 3600
x-powered-by: DNS-over-HTTPS/2.3.1 (+https://github.com/m13253/dns-over-https)
strict-transport-security: max-age=31536000; includeSubDomains

I attached the nginx configs.

Thanks for your help.

Ivan Marino.

dns-over-https.txt

@ameshkov (Member) commented:

Note that dnsproxy wouldn't run a DoH server without TLSConfig:

if config.TLSConfig != nil {

Probably, we'll need a separate command-line option to allow that.

@MarinoMtz (Contributor, Author) commented:

Oh I see now, we need to actually pass the certs to do it.

I'll look at that.

Thx

@ameshkov (Member) commented:

Well, in this case you probably won't need nginx to do TLS termination for you.

Your config only makes sense if dnsproxy listens to plain HTTP.

@MarinoMtz (Contributor, Author) commented:

Yes, I see your point, but since I'll later validate client-side certificates, I prefer to have nginx validate them. BTW, I've changed the code for client certs; I'll try to run the tests when I have some time.

@rampageX (Contributor) commented:

dnsproxy:

dnsproxy -l 127.0.0.1 -p 0 -s 8053 -u 8.8.8.8 -u 1.1.1.1 -f 9.9.9.11 --edns --all-servers --cache --cache-size=10485760 --cache-optimistic -c fullchain.cer -k your.key

nginx:

location /dns-query {
    proxy_pass       https://127.0.0.1:8053/dns-query;
    proxy_set_header Host      $host;
    proxy_set_header X-Real-IP $remote_addr;
}

Short answer: load the certs and key on both dnsproxy and nginx, then change proxy_pass http:// to proxy_pass https://; it is working.

@MarinoMtz (Contributor, Author) commented:

Thanks for your help @rampageX, it worked perfectly!!

MarinoMtz changed the title from "DNS Server" to "DNS Proxy as DoH Server with NGINX" on Nov 18, 2021

@ameshkov (Member) commented:

Well, what I meant is that currently it's double work (you do TLS encryption on both nginx and dnsproxy). Ideally, we should expose an option to work as a plain HTTP server and there's a technical possibility, it is just not exposed via command-line API.

@Glide01 commented May 20, 2022

> Well, what I meant is that currently it's double work (you do TLS encryption on both nginx and dnsproxy). Ideally, we should expose an option to work as a plain HTTP server and there's a technical possibility, it is just not exposed via command-line API.

Really need this feature.
