dnsdist 1.9.0-pre does not seem to respond well to DoH3 POST #13687

hlindqvist opened this issue Jan 9, 2024 · 0 comments · Fixed by #13689

  • Program: dnsdist
  • Issue type: Bug report

Short description

Environment

  • Operating system: Debian
  • Software version: 1.9.0-pre / master
  • Software source: compiled myself

Steps to reproduce

  1. Run dnsdist with DoH2 and DoH3 endpoints. Something to the effect of:
v = "127.0.0.1"
addDOHLocal(v, '/etc/dnsdist/cert/fullchain.pem', '/etc/dnsdist/cert/privkey.pem', '/dns-query',{ customResponseHeaders={ ["alt-svc"]= "h3=\":443\"; ma=3600" } })
addDOH3Local(v, '/etc/dnsdist/cert/fullchain.pem', '/etc/dnsdist/cert/privkey.pem')
newServer("9.9.9.9")
  2. Prepare a file with post data
base64 -d <<EOF >decoded
AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB
EOF
  3. Send an initial query over h2 (discovering alt-svc, works fine)
curl -v --alt-svc altsvcrepo.txt -H 'accept: application/dns-message' -H 'content-type: application/dns-message' -XPOST 'https://dns.example/dns-query' --data-binary @decoded -o response-h2
  4. Send the query over h3 (get stuck somehow?)
curl -v --alt-svc altsvcrepo.txt -H 'accept: application/dns-message' -H 'content-type: application/dns-message' -XPOST 'https://dns.example/dns-query' --data-binary @decoded -o response-h3
  5. Send the query over h3 but using GET (works fine)
curl -v --alt-svc altsvcrepo.txt -H 'accept: application/dns-message' -H 'content-type: application/dns-message' 'https://dns.example/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' -o response-h3-get
  6. Entirely for reference h3 POST to Cloudflare (works fine)
curl -v --http3 -H 'accept: application/dns-message' -H 'content-type: application/dns-message' -XPOST 'https://1.1.1.1/dns-query' --data-binary @decoded -o response-h3-cf

Expected behaviour

All the above responses should be equivalent (and the response-* files should be created with equivalent contents)

Actual behaviour

All files but response-h3 are ok. response-h3 is not even created because of the request somehow failing.

Other information

  1. I have seen Chrome(ium) fail completely when exposed to dnsdist's h3 as well, this is what led me down this path. I haven't really figured out the Chrome(ium) logging fully but at least it ends up with this failure after doing the h3 POST to the DOH endpoint (but works fine with same dnsdist setup only doing h2):
t=109 [st=1]       -HOST_RESOLVER_MANAGER_REQUEST
                    --> net_error = -800 (ERR_DNS_MALFORMED_RESPONSE)
t=109 [st=1]     -TRANSPORT_CONNECT_JOB_CONNECT
                  --> net_error = -105 (ERR_NAME_NOT_RESOLVED)
  2. You probably have better tooling for looking at DNS messages, but as a simple pretty-printer I used:
#!/usr/bin/env python3
# Pretty-print a DNS message stored in wire format (requires dnspython).

import dns.message

# Read the raw wire-format message from disk (e.g. one of the response-* files).
with open("file-with-message", mode="rb") as f:
    wire = f.read()

# Parse the wire bytes and print the message in presentation format.
msg = dns.message.from_wire(wire)
print(msg)
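A stdlib-only checker for the wire messages used in this report, added here as an example (it is not part of the issue or of dnsdist): it parses the POST body above, derives the base64url `dns=` parameter used by the GET form (RFC 8484), and verifies that a saved response-* file actually answers the query (QR bit, ID and question section), reporting malformed or truncated responses instead of crashing. Function names are mine; the sample reply used in the usage notes is constructed.

```python
import base64
import struct

# Base64 of the POST body in the report: a query for www.example.com, type A.
QUERY_B64 = "AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"
QUERY_WIRE = base64.b64decode(QUERY_B64)

def decode_name(wire, off):
    """Read an uncompressed name at off; return (dotted name, next offset)."""
    labels = []
    while True:
        length = wire[off]
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(wire[off:off + length].decode("ascii"))
        off += length

def parse_header_and_question(wire):
    """Return header fields and the single question of a DNS message."""
    if len(wire) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    qid, flags, qd, _an, _ns, _ar = struct.unpack("!6H", wire[:12])
    if qd != 1:
        raise ValueError("expected one question, got %d" % qd)
    qname, off = decode_name(wire, 12)
    qtype, qclass = struct.unpack("!HH", wire[off:off + 4])
    return {"id": qid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "qname": qname, "qtype": qtype, "qclass": qclass}

def doh_get_param(wire):
    """RFC 8484 GET form: the 'dns' parameter is base64url without padding."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")

def check_response(query_wire, response_wire):
    """List the reasons a response does not answer the query (empty means ok)."""
    try:
        q = parse_header_and_question(query_wire)
        r = parse_header_and_question(response_wire)
    except (ValueError, IndexError, struct.error) as exc:
        # Truncated or garbled bytes (what a failing h3 POST might leave behind).
        return ["malformed message: %s" % exc]
    checks = [(r["qr"], "QR bit not set"), (r["id"] == q["id"], "ID mismatch"),
              ((r["qname"], r["qtype"], r["qclass"]) ==
               (q["qname"], q["qtype"], q["qclass"]), "question section differs")]
    return [msg for ok, msg in checks if not ok]
```

To compare the response-* files from the steps above, read each one and pass its bytes as `response_wire`; an empty list from `check_response` means the file is a well-formed answer to the same question.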