DOH does not work on version 1.9, but works on 1.8

[deadsik]

Hi all,

For my home network I use my recursor with dnsdist, config:

setACL({
        "0.0.0.0/0",
        "::/0"
})

addLocal("0.0.0.0:53")
addLocal("[::]:53")


addDOHLocal("127.0.0.1:5353", nil, nil, {"/dns-query"})

--setServerPolicy(whashed)
newServer({address="127.0.0.1:2053", name="local", pool={"default"}, useClientSubnet=false})

addAction(AllRule(), PoolAction("default"))

Example answer for version 1.8:

$ dnslookup example.com https://home.local/dns-query
dnslookup 1.10.0-10436
Server: https://home.local/dns-query

dnslookup result (elapsed 1.027133282s):
;; opcode: QUERY, status: NOERROR, id: 50970
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.	IN	 A

;; ANSWER SECTION:
example.com.	60	IN	A	127.0.0.1

Example answer for version 1.9:

~$ dnslookup example.com https://home.local/dns-query
dnslookup 1.10.0-10436
2024/03/19 10:34:20 [fatal] Cannot make the DNS request: expected status 200, got 0 from https://home.local:443/dns-query

Also worth nginx with proxy 0.0.0.0:443 ->127.0.0.1:5353 (with ssl)

With version dnsdist 1.8 this works correctly, with version 1.9, unfortunately, I get an error when executing requests, and the service itself starts without any errors.

Please tell me what could be causing this issue?

[deadsik]

I also tried adding certificates directly to dnsdist in the addDOHLocal block and indicated port 443 there, the result was the same, I also tried using addDOH3Local instead of addDOHLocal.

[rgacogne]

Hi! I'm afraid this is caused by #13850. What happens is that dnslookup advertises support for HTTP/1.1 and HTTP/2 (using ALPN in the TLS ClientHello) and DNSdist wrongly selects the first one (HTTP/1.1) instead of HTTP/2. This is a bug in DNSdist, but it would also be nice for dnslookup to advertise HTTP/2 before HTTP/1.1, in my humble opinion.

[mnordhoff]

Putting nginx in front of dnsdist is even more problematic because nginx's proxy module uses HTTP/1 to talk to upstreams.

(Supposedly you can work around this by using the grpc module instead, even though you're not actually doing grpc.)

[rgacogne]

Yes, we have a few words on that in https://dnsdist.org/guides/dns-over-https.html#http-1-support