TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

5.2 hijacks port 80 on Windows server #172

Closed shawnkhall closed 4 years ago

shawnkhall commented 4 years ago

In 5.0.1 (and 5.0.2) I configured IIS to use a new domain bound to port 80+443 then configured a reverse proxy in that site within IIS to match "/(.*)" and map it to the internal Technitium DNS Server on 127.0.0.1:5380.

This has worked perfectly for months and I've restarted the server several times since installing and configuring it this way. No problems. All supported protocols worked through the mapped domain with its certificate.

I installed 5.2 a couple days ago and it ran without a hitch. No changes necessary and it appeared to work as normal.

Until I installed Windows Updates today, necessitating a reboot. When the server came back up IIS would not load at all because TDNS loaded itself on port 80 before IIS loaded. Since port 80 was unavailable IIS would not even load the HTTPS or alternative ports for any of the IIS hosted websites. Disabling the Technitium DNS Server service and restarting the server allowed it to operate normally again, but Technitium DNS Server wasn't working, obviously.

As far as I can tell there is no configuration option within TDNS that tells it to run on port 80 and I have the settings configured ONLY to the "Web Service Port" on 5380.

DNS-over-HTTP, DNS-over-TLS and DNS-over-HTTPS are enabled, but I assume that since there is no indication that port 80 is used by any of these, that it shouldn't be consumed by TDNS. Why is it consuming port 80 and how do I stop it?

What do I need to do to get TDNS to play well with IIS again? For now I'm changing the service to load 'delayed start' so IIS will load first and TDNS won't block it, but I can't imagine this is a good long-term solution, since the next update will revert this to 'automatic'.

Thank you,

ShreyasZare commented 4 years ago

Thanks for the feedback. The current release listens on port 80 when you enable the DNS-over-HTTPS optional protocol. This feature was added to allow using certbot webroot to automatically renew TLS certificates.

Are you running/hosting DNS-over-HTTPS service to be consumed? If your setup is just using UDP & TCP port 53 services then you need to disable DNS-over-HTTP, DNS-over-TLS and DNS-over-HTTPS optional protocols in the settings. You don't need to enable them to use these protocols with the forwarder configuration.

If you are hosting DNS-over-HTTPS service then you cannot run both it and IIS on the same server. If you still wish to run both of the services then you need to enable the DNS-over-HTTP protocol, disable DNS-over-HTTPS protocol, and reverse proxy IIS to 8053.

Fedora-Core commented 4 years ago

Dears,

If there is/are conflict(s) over the port numbers between services, then consider adding a secondary static IP address on the same interface. Microsoft Windows and GNU/Linux have been able to do this for the last 20 years or so. But one forgets this easily.

Greetings.


ShreyasZare commented 4 years ago

Dears, If there is/are conflict(s) over the port numbers between services, then consider adding a secondary static IP address on the same interface. Microsoft Windows and GNU/Linux have been able to do this for the last 20 years or so. But one forgets this easily. Greetings.

Yes, that is one solution when you are running these services on local networks. Both IIS and the DNS server can be configured with different local IP addresses and thus won't conflict.

In certain cases, when you want them to run on a public IP address and you have only one public IP address available, the option that I posted earlier would be useful.

shawnkhall commented 4 years ago

You're missing the point. I already had a working instance using a custom domain through IIS that serviced all of this by using a reverse proxy within IIS (a native feature of IIS for many years) to the port that TDNS actually allows you to control as the "Web Service Port". This allows me to host additional content on the same domain using an exclusion list and not have to use more IP addresses for the same site or use yet another certificate service.

What I would like to be able to do is control the ports that these services use so I can continue to run it alongside IIS using a reverse proxy. This should be a relatively minor change.

ShreyasZare commented 4 years ago

This is just an issue with the configuration.

This issue has nothing to do with the web service running on port 5380. In fact, on Windows, the DNS web service on port 5380 is running internally via IIS itself.

I think you are not hosting the optional DNS protocols, and thus all you need to do to fix this issue is to disable the DNS-over-HTTP, DNS-over-TLS and DNS-over-HTTPS protocols in the settings, and the DNS server will stop listening on ports 80, 443 and 853.

The latest v5.2 has added a feature to listen on port 80, but the previous versions were already listening on ports 443 and 853. Thus even in older versions, if the DNS server starts before the IIS server while booting up, it would listen on 443 and cause IIS to fail to start.

The reason this is not happening in older versions is that you have not configured the TLS certificate in settings, and thus the DNS server is not running on ports 443 and 853. However, the latest v5.2 will still open port 80 since it doesn't require a TLS certificate to work.

TL;DR: just disable the 3 optional DNS server protocols in settings and the issue will get resolved.
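A diagnostic for confirming which process holds the ports this thread is about (53, 80, 443, 853, 5380, 8053), added here as an example and not code from the Technitium project. It assumes an elevated PowerShell session on a Windows version that ships the NetTCPIP module (Get-NetTCPConnection); the port-to-role labels are taken from the discussion above.

```powershell
# Added example (not from the Technitium project): list the listener on each
# port discussed in this thread, so you can verify that the DNS server stops
# listening on 80/443/853 after the optional protocols are disabled, or see
# who won the race for port 80 after a reboot.
# Assumption: elevated PowerShell on Windows 8 / Server 2012 or later.
$PortsOfInterest = @{
    53   = 'DNS (TCP side)'
    80   = 'HTTP (DoH-over-HTTP / certbot webroot, or IIS)'
    443  = 'HTTPS (DNS-over-HTTPS, or IIS)'
    853  = 'DNS-over-TLS'
    5380 = 'Technitium web console'
    8053 = 'DNS-over-HTTP backend (reverse proxy target)'
}

# LocalPort is a UInt16; cast to [int] so the hashtable key lookup matches.
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $PortsOfInterest.ContainsKey([int]$_.LocalPort) }

# Map owning PIDs to process names and, where one exists, the service name.
$services = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }

$report = foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $svc  = $services | Where-Object { $_.ProcessId -eq $conn.OwningProcess }
    [pscustomobject]@{
        Port    = [int]$conn.LocalPort
        Address = $conn.LocalAddress
        Role    = $PortsOfInterest[[int]$conn.LocalPort]
        PID     = $conn.OwningProcess
        Process = if ($proc) { $proc.ProcessName } else { '?' }
        Service = ($svc | ForEach-Object Name) -join ','
    }
}
$report | Sort-Object Port | Format-Table -AutoSize

# Caveat: IIS and HttpListener-based apps both bind through the http.sys
# kernel driver, so their listeners show PID 4 (System). To see which
# user-mode process actually registered the URL prefix on port 80/443, use:
#   netsh http show servicestate view=requestq
# and read the "Registered URLs" and attached "Process IDs" for each queue.
```

Run it before and after toggling the optional protocols in the Technitium settings; a listener on 80, 443 or 853 that is still attributed to the DNS server afterwards means the setting did not take effect.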