NLnetLabs / ldns

LDNS is a DNS library that facilitates DNS tool programming
https://nlnetlabs.nl/ldns
BSD 3-Clause "New" or "Revised" License

HTTPS records not returned #177

Closed kuon closed 2 years ago

kuon commented 2 years ago

If I do:

drill HTTPS ifconfig.io

I get the following output:

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 25097
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; ifconfig.io. IN  A

;; ANSWER SECTION:
ifconfig.io.    232 IN  A   188.114.96.14
ifconfig.io.    232 IN  A   188.114.97.14

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 1 msec
;; SERVER: 10.11.1.1
;; WHEN: Mon Jun  6 23:07:47 2022
;; MSG SIZE  rcvd: 61

I expect the HTTPS record.

Same with dig:

dig HTTPS ifconfig.io

; <<>> DiG 9.18.2 <<>> HTTPS ifconfig.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25199
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ifconfig.io.           IN  HTTPS

;; ANSWER SECTION:
ifconfig.io.        300 IN  HTTPS   1 . alpn="h3,h3-29,h2" ipv4hint=188.114.96.14,188.114.97.14 ipv6hint=2a06:98c1:3120::e,2a06:98c1:3121::e

;; Query time: 20 msec
;; SERVER: 10.11.1.1#53(10.11.1.1) (UDP)
;; WHEN: Mon Jun 06 23:08:35 CEST 2022
;; MSG SIZE  rcvd: 119
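
The HTTPS answer in the dig output above carries more than a name: a priority, a target, and a list of SvcParams (alpn, ipv4hint, ipv6hint). The following is an added example, not ldns code and not part of the original post: a small encoder/decoder for the HTTPS/SVCB rdata wire format as specified in the draft that became RFC 9460 (2-byte SvcPriority, uncompressed TargetName, then key/length/value SvcParams in strictly increasing key order). The SvcParamKey numbers are taken from that RFC, and the `IFCONFIG_IO` tuple is constructed from the record text above; both are assumptions of this example, not facts from the page.

```python
"""Added example (not ldns code): encode/decode HTTPS RR rdata (RFC 9460 wire format)."""
import ipaddress
import struct

# SvcParamKey numbers from the RFC 9460 registry (assumed here; not from this page)
KEY_MANDATORY, KEY_ALPN, KEY_NO_DEFAULT_ALPN, KEY_PORT, KEY_IPV4HINT, KEY_ECH, KEY_IPV6HINT = range(7)
KEY_NAMES = {KEY_MANDATORY: "mandatory", KEY_ALPN: "alpn", KEY_NO_DEFAULT_ALPN: "no-default-alpn",
             KEY_PORT: "port", KEY_IPV4HINT: "ipv4hint", KEY_ECH: "ech", KEY_IPV6HINT: "ipv6hint"}

def encode_name(name: str) -> bytes:
    """Dotted name -> uncompressed wire format ('.' becomes the single root byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(data: bytes, off: int):
    """Uncompressed name -> (dotted name, offset after it). SVCB rdata forbids compression."""
    labels = []
    while True:
        n = data[off]
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in SVCB/HTTPS rdata")
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(data[off:off + n].decode("ascii"))
        off += n

def encode_rdata(priority: int, target: str, params: dict) -> bytes:
    """params maps SvcParamKey -> value (alpn/hints: list[str], port: int, others: bytes)."""
    out = struct.pack("!H", priority) + encode_name(target)
    for key in sorted(params):                     # keys MUST appear in increasing order
        value = params[key]
        if key == KEY_ALPN:
            body = b"".join(bytes([len(a)]) + a.encode("ascii") for a in value)
        elif key == KEY_PORT:
            body = struct.pack("!H", value)
        elif key in (KEY_IPV4HINT, KEY_IPV6HINT):
            body = b"".join(ipaddress.ip_address(a).packed for a in value)
        elif key == KEY_NO_DEFAULT_ALPN:
            body = b""
        else:
            body = bytes(value)                    # opaque value (e.g. ech)
        out += struct.pack("!HH", key, len(body)) + body
    return out

def decode_rdata(data: bytes):
    """Wire rdata -> (priority, target, {key: value}); rejects truncated or misordered params."""
    priority = struct.unpack("!H", data[:2])[0]
    target, off = decode_name(data, 2)
    params, last_key = {}, -1
    while off < len(data):
        key, length = struct.unpack("!HH", data[off:off + 4])
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated SvcParam")
        if key <= last_key:
            raise ValueError("SvcParamKeys not in strictly increasing order")
        off, last_key = off + 4 + length, key
        if key == KEY_ALPN:
            ids, i = [], 0
            while i < len(body):                   # sequence of length-prefixed alpn-ids
                ids.append(body[i + 1:i + 1 + body[i]].decode("ascii"))
                i += 1 + body[i]
            params[key] = ids
        elif key == KEY_PORT:
            params[key] = struct.unpack("!H", body)[0]
        elif key == KEY_IPV4HINT:
            if length % 4:
                raise ValueError("ipv4hint length not a multiple of 4")
            params[key] = [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]
        elif key == KEY_IPV6HINT:
            if length % 16:
                raise ValueError("ipv6hint length not a multiple of 16")
            params[key] = [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(0, length, 16)]
        elif key == KEY_NO_DEFAULT_ALPN:
            params[key] = None
        else:
            params[key] = body
    return priority, target, params

def to_presentation(priority: int, target: str, params: dict) -> str:
    """Render in the zone-file style dig prints (same order as the wire format)."""
    parts = [str(priority), target]
    for key, value in params.items():
        name = KEY_NAMES.get(key, f"key{key}")
        if key == KEY_ALPN:
            parts.append(f'{name}="{",".join(value)}"')
        elif key in (KEY_IPV4HINT, KEY_IPV6HINT):
            parts.append(f"{name}={','.join(value)}")
        elif key == KEY_PORT:
            parts.append(f"{name}={value}")
        elif key == KEY_NO_DEFAULT_ALPN:
            parts.append(name)
        else:
            parts.append(f"{name}={value.hex()}")
    return " ".join(parts)

# The ifconfig.io answer from the dig output above, as Python data (constructed from that text)
IFCONFIG_IO = (1, ".", {KEY_ALPN: ["h3", "h3-29", "h2"],
                        KEY_IPV4HINT: ["188.114.96.14", "188.114.97.14"],
                        KEY_IPV6HINT: ["2a06:98c1:3120::e", "2a06:98c1:3121::e"]})

if __name__ == "__main__":
    wire = encode_rdata(*IFCONFIG_IO)
    print(len(wire), "bytes:", to_presentation(*decode_rdata(wire)))
```

Round-tripping the record shows the 67 bytes of rdata that dig printed as one line; the decoder's ordering and length checks are the ones a resolver or filter should apply before trusting a parsed SvcParam list. Note that the address hints travel inside the HTTPS record, so a DNS filter that only inspects A and AAAA answers never sees them.
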

wtoorop commented 2 years ago

Hi @kuon, you need to configure ldns with --enable-rrtype-svcb-https before compiling to get SVCB and HTTPS support. We use configure flags like this for all features that are not an RFC yet, because we don't want to expose things that are still in development and can still change.

However, since the draft is currently in the RFC editor queue (see https://www.rfc-editor.org/current_queue.php#draft-ietf-dnsop-svcb-https), I do think it is safe to have them configured by default now. I have committed that in d34309f.

kuon commented 2 years ago

Great. Thanks.

For information and reference, I came across HTTPS records because I was intercepting DNS requests for iOS devices (iPad) for ad blocking, and it took me a while to understand why it wasn't working: I was only intercepting A and AAAA requests, and the iPad already uses HTTPS records. So it seems they are already widely deployed (at least on the client side).
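
The interception problem described in the last comment, as an added example that is not part of the original thread and not ldns code: a minimal DNS query builder and question parser, a filter keyed on A/AAAA (the one that let the iPad's type 65 lookups through) beside one that decides on the name alone, and a synthesized NXDOMAIN reply. The `BLOCKLIST` name, the message id and the helper names are constructed for this example; the RR type numbers (A=1, AAAA=28, SVCB=64, HTTPS=65) are from the IANA registry.

```python
"""Added example (not ldns code): an A/AAAA-only DNS interceptor misses HTTPS queries."""
import struct

TYPE_A, TYPE_AAAA, TYPE_SVCB, TYPE_HTTPS = 1, 28, 64, 65   # IANA RR type numbers
CLASS_IN = 1
RCODE_NXDOMAIN = 3

def encode_name(name: str) -> bytes:
    """Dotted name -> uncompressed wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg: bytes, off: int):
    """Wire name (compression pointers allowed) -> (lower-cased dotted name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # pointer to an earlier name in the message
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                     # the name ends at the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii").lower())
        off += n
    return ".".join(labels) + ".", (end if end is not None else off)

def build_query(name: str, qtype: int, msg_id: int = 0x1234) -> bytes:
    """Minimal recursion-desired query with one question (what a stub resolver sends)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def parse_question(msg: bytes):
    """Return (qname, qtype, offset just past the question section)."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return qname, qtype, off + 4

BLOCKLIST = {"ads.example."}   # constructed blocklist for the demo

def naive_blocks(query: bytes) -> bool:
    """The interceptor from the thread: keyed on A/AAAA, so HTTPS (type 65) slips through."""
    qname, qtype, _ = parse_question(query)
    return qname in BLOCKLIST and qtype in (TYPE_A, TYPE_AAAA)

def blocks(query: bytes) -> bool:
    """Decide on the name alone, so A, AAAA, HTTPS, SVCB and any future type are all caught."""
    qname, _, _ = parse_question(query)
    return qname in BLOCKLIST

def nxdomain_reply(query: bytes) -> bytes:
    """Synthesize an NXDOMAIN answer echoing the client's id and question section."""
    msg_id, flags = struct.unpack("!HH", query[:4])
    _, _, qend = parse_question(query)
    rd = flags & 0x0100
    # QR=1, opcode 0, RD copied from the query, RA=1, RCODE=3
    header = struct.pack("!HHHHHH", msg_id, 0x8000 | rd | 0x0080 | RCODE_NXDOMAIN, 1, 0, 0, 0)
    return header + query[12:qend]

if __name__ == "__main__":
    for qtype, label in ((TYPE_A, "A"), (TYPE_AAAA, "AAAA"), (TYPE_HTTPS, "HTTPS")):
        q = build_query("ads.example", qtype)
        print(f"{label:5} naive={naive_blocks(q)!s:5} fixed={blocks(q)}")
```

Running the block prints that the naive filter blocks the A and AAAA lookups for the blocklisted name but passes the HTTPS lookup, while the name-keyed filter catches all three; the NXDOMAIN reply is what such an interceptor would return for any of them.
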