
dnsdist: Allow accepting DoH queries over HTTP instead of HTTPS #8267

Merged
merged 1 commit into PowerDNS:master from rgacogne:dnsdist-doh-over-http on Sep 18, 2019

Conversation

@rgacogne
Member

commented Sep 2, 2019

Short description

It allows using dnsdist behind a reverse-proxy or any other device offloading TLS.
Closes #8263.

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)
@rgacogne rgacogne added this to the dnsdist-1.4.0 milestone Sep 2, 2019
@Habbie

Member

commented Sep 3, 2019

Like

Please use the emoji button instead of comment like, thank you!

@PowerDNS PowerDNS deleted a comment Sep 3, 2019
@@ -103,11 +103,12 @@ Listen Sockets
higher than 0 to enable TCP Fast Open when available.
Default is 0.

.. function:: addDOHLocal(address, certFile(s), keyFile(s) [, urls [, options]])
.. function:: addDOHLocal(address, [certFile(s) [, keyFile(s) [, urls [, options]]]])
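Review bot: the new signature brackets certFile(s) and keyFile(s) as independently optional, but a certificate without its key (or a key without its certificate) cannot form a usable TLS listener, so the pair should be optional together, e.g. `addDOHLocal(address, [certFile(s), keyFile(s) [, urls [, options]]])`. Because omitting both now switches the listener from HTTPS to plaintext HTTP, the description under this signature should state that change explicitly and point to the ACL as the way to limit which sources may reach such a listener.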

@Jamesits

Jamesits Sep 5, 2019

I think it should be

function:: addDOHLocal(address, [certFile(s), keyFile(s) [, urls [, options]]])

Since if you have certFile then you should have keyFile too.

@rgacogne

rgacogne Sep 14, 2019

Author Member

In practice that's pretty much what the code does; it requires the same number of keys.

@cmouse

Contributor

commented Sep 5, 2019

Should this come with some check(s) that the remote actually offloaded SSL? Or at least support for such thing?

HAProxy supports sending the TLS status within its version 2 header. Apache/nginx can send header(s) that inform about TLS usage. Also, these connections should not be accepted from untrusted IP sources.

@krombel


commented Sep 10, 2019

I would not require such a header, nor would I add such a restriction.
The person who is configuring this should know what they are doing.
I think the log output that encryption is disabled (as done) is sufficient.

What I think is more important:
How do the filters (especially rate limiting) apply?
Is it possible to accept X-Forwarded-For or X-Real-IP headers in HTTP-only setups?

@rgacogne

Member Author

commented Sep 14, 2019

Should this come with some check(s) that the remote actually offloaded SSL? Or at least support for such thing?

HAProxy supports sending the TLS status within its version 2 header. Apache/nginx can send header(s) that inform about TLS usage. Also, these connections should not be accepted from untrusted IP sources.

I think we should let the administrator configure the ACL properly, and accept plaintext connections when told to do so.

@rgacogne rgacogne merged commit 831f6c1 into PowerDNS:master Sep 18, 2019
25 of 26 checks passed
@rgacogne rgacogne deleted the rgacogne:dnsdist-doh-over-http branch Sep 18, 2019
@christianbur


commented Oct 3, 2019

I currently suspect an error in the DoH (HTTPS) configuration.

DNS over HTTPS with haproxy works

addDOHLocal("0.0.0.0:443", {"/dnsdist_certs/rsa/fullchain.cer", "/dnsdist_certs/ecdsa/fullchain.cer"}, {"/dnsdist_certs/rsa/example.de.key", "/dnsdist_certs/ecdsa/example.de.key"}, "/doh_654321", {serverTokens="h2o/dnsdist", tcpFastOpenSize=0, reusePort=true})
addDOHLocal("[::]:443",    {"/dnsdist_certs/rsa/fullchain.cer", "/dnsdist_certs/ecdsa/fullchain.cer"}, {"/dnsdist_certs/rsa/example.de.key", "/dnsdist_certs/ecdsa/example.de.key"}, "/doh_654321", {serverTokens="h2o/dnsdist", tcpFastOpenSize=0, reusePort=true})

DNS over HTTP (HTTPS with haproxy) -- but the following two lines do not work.

addDOHLocal("0.0.0.0:80",,, "/doh_654321", {serverTokens="h2o/dnsdist", tcpFastOpenSize=0, reusePort=true})
addDOHLocal("[::]:80",   ,, "/doh_654321", {serverTokens="h2o/dnsdist", tcpFastOpenSize=0, reusePort=true})

The documentation says "If no certificate (or key) files are specified, listen for incoming DNS over HTTP connections instead."

But how do I define "no certificate"?

  • addDOHLocal("0.0.0.0:80",,, "/doh_654321", ..

    • the start of dnsdist fails
    • Fatal error: [string "chunk"]:25: unexpected symbol near ','
  • addDOHLocal("0.0.0.0:80", "", "", "/doh_654321", ..

    • the start of dnsdist fails
    • 139740307332928:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:288:fopen('','r')
  • addDOHLocal("0.0.0.0:80", "/doh_654321", ..

    • dnsdist starts, but I don't get a doh answer.
    • Fatal Lua error: [string "chunk"]:25: Unable to convert parameter from table to N5boost8optionalINS_7variantINSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEEJSt6vectorISt4pairIiS7_ESaISA_EEEEEEE
  • addDOHLocal("0.0.0.0:80", {}, {}, "/doh_654321", ..

    • dnsdist starts, but I don't get a doh answer, only "Internal Server Error".

However, if I only use addDOHLocal("0.0.0.0:80"), "No certificate provided for DoH endpoint 0.0.0.0:80, running in DNS over HTTP mode instead of DNS over HTTPS" is displayed in the log, but if I call addDOHLocal with parameters, the above errors occur.
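A dnsdist configuration for the deployment this PR enables (TLS terminated by a reverse proxy, plaintext DoH accepted only from that proxy, with the ACL configured as rgacogne suggests), written as an added example rather than taken from the PR or the dnsdist docs; it assumes the proxy runs on the same host, that passing nil for the omitted certFile(s)/keyFile(s) parameters selects the DNS over HTTP mode the log line above describes, and uses a constructed backend address.

```lua
-- Added example config (not from the PR or the dnsdist documentation).
-- Assumption: haproxy (or another TLS-offloading proxy) on this host forwards
-- plaintext HTTP to dnsdist on 127.0.0.1:8053; nil for certFile(s)/keyFile(s)
-- is assumed to mean "no certificate", i.e. DNS over HTTP mode.

-- Weak: the plaintext listener bound to every interface, as in the attempts
-- above. Anyone who can reach port 80 gets unencrypted DoH, bypassing the
-- proxy entirely.
-- addDOHLocal("0.0.0.0:80", nil, nil, "/doh_654321", {reusePort=true})

-- Corrected: plaintext DoH only on loopback, where the proxy lives.
addDOHLocal("127.0.0.1:8053", nil, nil, "/doh_654321",
            {serverTokens="h2o/dnsdist", tcpFastOpenSize=0, reusePort=true})

-- Restrict who may query at all. This replaces the default ACL (RFC 1918
-- ranges plus loopback) with only the proxy's source address; DoH clients
-- that do not match the ACL are refused.
setACL({"127.0.0.1/32"})

-- Optional: keep an HTTPS listener for clients that talk to dnsdist directly
-- (paths are placeholders).
-- addDOHLocal("[::]:443", {"/path/to/fullchain.cer"}, {"/path/to/example.key"},
--             "/doh_654321", {reusePort=true})

-- Caveat for filtering and rate limiting: every query now arrives from the
-- proxy's address, so per-client rules such as MaxQPSIPRule count the proxy,
-- not the end user. Enforce per-client limits at the proxy in this setup.

-- Backend resolver (constructed placeholder address).
newServer({address="192.0.2.53", name="resolver"})
```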

@Habbie

Member

commented Oct 3, 2019

Could someone please tell me how I can use DNS over HTTP.

Please find us on IRC or one of our mailing lists, via https://www.powerdns.com/opensource.html, so that we can help you. We do not provide support via GitHub.
