TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

DNS over HTTP reverse proxy issues #635

Closed Potterli20 closed 1 year ago

Potterli20 commented 1 year ago

Technitium IP is 192.168.2.3, DNS over HTTP is http://192.168.2.3/dns-query, but using DNS over HTTP is problematic. This is the image of the DNS over HTTP check: (image)

Potterli20 commented 1 year ago

(image)

ShreyasZare commented 1 year ago

Thanks for the post. The DNS-over-HTTP URL that you have will work only when you send it the correct DoH request. When you just use the URL with curl or enter it on web browser then its going to redirect to the base URL which displays the DoH info web page.

To test it, use the built-in DNS Client tab where you should enter the DoH URL as the server, select the protocol as DNS-over-HTTPS and then use any domain name to do the test.

Potterli20 commented 1 year ago

> Thanks for the post. The DNS-over-HTTP URL that you have will work only when you send it the correct DoH request. When you just use the URL with curl or enter it on web browser then its going to redirect to the base URL which displays the DoH info web page.
>
> To test it, use the built-in DNS Client tab where you should enter the DoH URL as the server, select the protocol as DNS-over-HTTPS and then use any domain name to do the test.

How does that work? I want to use the reverse proxy in nginx.

ShreyasZare commented 1 year ago

> How does that work? I want to use the reverse proxy in nginx.

You just set up the nginx reverse proxy like usual and it will work. You can test if the reverse proxy is working using the DNS Client tool.

Potterli20 commented 1 year ago

> You just setup the nginx reverse proxy like usual and it will work. You can test if the reverse proxy is working using the DNS Client tool.

```nginx
location /doh/dns {
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_redirect off;
    proxy_ssl_server_name on;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    client_max_body_size 1m;
    client_body_buffer_size 256k;
    client_body_timeout 60s;
    send_timeout 60s;
    proxy_connect_timeout 60s;
    proxy_read_timeout 60s;
    proxy_send_timeout 60s;
    proxy_buffer_size 32k;
    proxy_buffers 4 16k;
    proxy_busy_buffers_size 32k;
    proxy_temp_file_write_size 32k;
    proxy_ignore_client_abort on;

    proxy_pass http://192.168.2.3:82/dns-query;
}
```

The way I set it up, it goes directly to the home page. (image)

ShreyasZare commented 1 year ago

> The way I set it up, it goes directly to the home page.

Your reverse proxy config looks correct. And like I said earlier, if you visit the URL with a web browser, it's going to get a 302 redirect to the home page, which is how it's expected to work.

The URL will work for DoH only when it receives a proper DoH request, which is why you should not use curl or a web browser to test it. You must use the DNS Client tab to test it.

Potterli20 commented 1 year ago

> The way I set it up, it goes directly to the home page.
>
> Your reverse proxy config looks correct. And like I said earlier, if you visit the URL with a web browser, it's going to get a 302 redirect to the home page, which is how it's expected to work.
>
> The URL will work for DoH only when it receives a proper DoH request, which is why you should not use curl or a web browser to test it. You must use the DNS Client tab to test it.

No, I don't understand. (image)

Is this correct?

```
[23/May/2023:04:09:31 -0400] "GET /doh1/ad-dns?ct=application/dns-message&dns=AAMBgAABAAAAAAABCWxpZ2h0c3RlcAZrYWl6ZW4GbnZpZGlhA2NvbQAAAQABAAApEAAAAAAAAAsACAAHAAEYABsnWAAA HTTP/1.1" 302 0 "-" "AuroraDNSC/0.1"
[23/May/2023:04:09:42 -0400] "GET /doh1/ad-dns?ct=application/dns-message&dns=AAMBgAABAAAAAAABBmV2ZW50cwNnZmUGbnZpZGlhA2NvbQAAAQABAAApEAAAAAAAAAsACAAHAAEYABsnWAAA HTTP/1.1" 302 0 "-" "AuroraDNSC/0.1"
[23/May/2023:04:09:49 -0400] "GET /doh1/ad-dns?ct=application/dns-message&dns=AAIBgAABAAAAAAABC2RlbGx1cGRhdGVyBGRlbGwDY29tAAABAAEAACkQAAAAAAAACwAIAAcAARgAGydYAAA HTTP/1.1" 302 0 "-" "AuroraDNSC/0.1"
[23/May/2023:04:09:59 -0400] "GET /doh1/ad-dns?ct=application/dns-message&dns=AAgBgAABAAAAAAABBnN0YXRpYwpudmlkaWFncmlkA25ldAAAAQABAAApEAAAAAAAAAsACAAHAAEYABsnWAAA HTTP/1.1" 302 0 "-" "AuroraDNSC/0.1"
[23/May/2023:04:10:10 -0400] "GET /doh1/ad-dns?ct=application/dns-message&dns=AAcBgAABAAAAAAABBG9jc3AHZW50cnVzdANuZXQAAAEAAQAAKRAAAAAAAAALAAgABwABGAAbJ1gAAA HTTP/1.1" 302 0 "-" "AuroraDNSC/0.1"
[23/May/2023:04:10:10 -0400] "GET /doh1/ad-dns?ct=application/dns-message&dns=AAkBgAABAAAAAAABBWN0bGRsDXdpbmRvd3N1cGRhdGUDY29tAAABAAEAACkQAAAAAAAACwAIAAcAARgAGydYAAA HTTP/1.1" 302 0 "-" "AuroraDNSC/0.1"
[23/May/2023:04:10:23 -0400] "GET /doh1/ad-dns?ct=application/dns-message&dns=AAMBgAABAAAAAAABBmV2ZW50cwNnZmUGbnZpZGlhA2NvbQAAAQABAAApEAAAAAAAAAsACAAHAAEYABsnWAAA HTTP/1.1" 302 0 "-" "AuroraDNSC/0.1"
[23/May/2023:04:10:25 -0400] "GET /doh1/ad-dns?ct=application/dns-message&dns=AAMBgAABAAAAAAABCWxpZ2h0c3RlcAZrYWl6ZW4GbnZpZGlhA2NvbQAAAQABAAApEAAAAAAAAAsACAAHAAEYABsnWAAA HTTP/1.1" 302 0 "-" "AuroraDNSC/0.1"
[23/May/2023:04:11:01 -0400] "GET /doh1/ad-dns?ct=application/dns-message&dns=AAgBgAABAAAAAAABCWxpZ2h0c3RlcAZrYWl6ZW4GbnZpZGlhA2NvbQAAAQABAAApEAAAAAAAAAsACAAHAAEYABsnWAAA HTTP/1.1" 302 0 "-" "AuroraDNSC/0.1"
[23/May/2023:04:11:36 -0400] "GET /doh1/ad-dns?ct=application/dns-message&dns=AAIBgAABAAAAAAABCWxpZ2h0c3RlcAZrYWl6ZW4GbnZpZGlhA2NvbQAAAQABAAApEAAAAAAAAAsACAAHAAEYABsnWAAA HTTP/1.1" 302 0 "-" "AuroraDNSC/0.1"
[23/May/2023:04:12:31 -0400] "GET /doh1/ad-dns?ct=application/dns-message&dns=AAcBgAABAAAAAAABCWxpZ2h0c3RlcAZrYWl6ZW4GbnZpZGlhA2NvbQAAAQABAAApEAAAAAAAAAsACAAHAAEYABsnWAAA HTTP/1.1" 302 0 "-" "AuroraDNSC/0.1"
```

ShreyasZare commented 1 year ago

Thanks for the details. Looks like the AuroraDNSC DoH client that you are using is sending the content type as a ct=application/dns-message query string value in the URL, which is not defined in the DoH standard.

The DNS server expects an Accept: application/dns-message header in the request, and only then will the DNS server consider it a valid DoH request.

Test the URL with DNS Client and see if that works.
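The header requirement explained above, as an added example (not Technitium's code and not the AuroraDNSC client's): it builds an RFC 8484 GET request that carries Accept: application/dns-message, and it decodes the dns= parameter of the access-log lines posted earlier in this thread to recover the queried name. The function names are assumptions; the sample request target is copied from the first log line above.

```python
import base64
import struct
from urllib.parse import urlsplit, parse_qs

DOH_MEDIA_TYPE = "application/dns-message"


def build_dns_query(qname: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Minimal DNS wire-format query: header (RD=1, QDCOUNT=1) + question."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_request(base_url: str, qname: str) -> dict:
    """RFC 8484 GET: base64url without padding, plus the Accept header that
    marks the request as DoH. A ct= query parameter is not part of the RFC."""
    wire = build_dns_query(qname)
    dns = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return {"url": f"{base_url}?dns={dns}", "headers": {"Accept": DOH_MEDIA_TYPE}}


def looks_like_doh(headers: dict, query_string: str) -> bool:
    """Models the pre-v11.2 behaviour described in this thread: the request is
    treated as DoH only if Accept names the DoH media type; otherwise it is
    redirected to the info page (the 302s in the posted log)."""
    has_dns_param = "dns" in parse_qs(query_string)
    accept = headers.get("Accept", "")
    return has_dns_param and DOH_MEDIA_TYPE in accept


def decode_log_query(request_target: str) -> str:
    """Recover the QNAME from the dns= parameter of a logged DoH GET target,
    so an operator can read an access log without the DNS server's own log."""
    dns = parse_qs(urlsplit(request_target).query)["dns"][0]
    raw = base64.urlsafe_b64decode(dns + "=" * (-len(dns) % 4))
    labels, pos = [], 12  # question section starts after the 12-byte header
    while raw[pos]:
        n = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


# Request target copied from the first AuroraDNSC log line in this thread.
SAMPLE_TARGET = ("/doh1/ad-dns?ct=application/dns-message&dns="
                 "AAMBgAABAAAAAAABCWxpZ2h0c3RlcAZrYWl6ZW4GbnZpZGlhA2NvbQAAAQABAAApEAAAAAAAAAsACAAHAAEYABsnWAAA")
```

Running `decode_log_query(SAMPLE_TARGET)` on the logged line shows which name the client was asking for, and `looks_like_doh({}, ...)` returns False for it because no Accept header was sent.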

Potterli20 commented 1 year ago

> Thanks for the details. Looks like the AuroraDNSC DoH client that you are using is sending the content type as a ct=application/dns-message query string value in the URL, which is not defined in the DoH standard.
>
> The DNS server expects an Accept: application/dns-message header in the request, and only then will the DNS server consider it a valid DoH request.
>
> Test the URL with DNS Client and see if that works.

Got it, but what software supports application/dns-message?

ShreyasZare commented 1 year ago

> Thanks for the details. Looks like the AuroraDNSC DoH client that you are using is sending the content type as a ct=application/dns-message query string value in the URL, which is not defined in the DoH standard. The DNS server expects an Accept: application/dns-message header in the request, and only then will the DNS server consider it a valid DoH request. Test the URL with DNS Client and see if that works.
>
> Got it, but what software supports application/dns-message?

What are you trying to achieve here? It depends on that.

Potterli20 commented 1 year ago

> Thanks for the details. Looks like the AuroraDNSC DoH client that you are using is sending the content type as a ct=application/dns-message query string value in the URL, which is not defined in the DoH standard. The DNS server expects an Accept: application/dns-message header in the request, and only then will the DNS server consider it a valid DoH request. Test the URL with DNS Client and see if that works.
>
> Got it, but what software supports application/dns-message?
>
> What are you trying to achieve here? It depends on that.

Because I am on Android, I can't connect, but it's normal to rely on certificates on iOS 14 systems.

ShreyasZare commented 1 year ago

> What are you trying to achieve here? It depends on that.
>
> Because I am on Android, I can't connect, but it's normal to rely on certificates on iOS 14 systems.

You can use DoT with Android directly instead of DoH.

Also, I am updating the DNS server to allow accepting DoH requests without the Accept header. So that should make it work for the DoH client you tried.

Potterli20 commented 1 year ago

> Also, I am updating the DNS server to allow accepting DoH requests without the Accept header. So that should make it work for the DoH client you tried.

Okay, okay, thanks sir.

ShreyasZare commented 1 year ago

Technitium v11.2 is released, which will allow DoH requests without the Accept header. Do check and let me know your feedback.

Potterli20 commented 1 year ago

> Technitium v11.2 is released, which will allow DoH requests without the Accept header. Do check and let me know your feedback.

In fact, I don't understand: the app on Android will show errors and connection failures, while the iOS certificate and the computer's browser are normal, with no false positives.

Potterli20 commented 1 year ago

> Technitium v11.2 is released, which will allow DoH requests without the Accept header. Do check and let me know your feedback.

The relevant video has been sent; the reverse proxy config is in it, and there is no change.

ShreyasZare commented 1 year ago

> Technitium v11.2 is released, which will allow DoH requests without the Accept header. Do check and let me know your feedback.
>
> The relevant video has been sent; the reverse proxy config is in it, and there is no change.

Received the video in email. I tested the DoH URL that you have configured in that mobile app from my Internet connection and it's working well, as expected. I do not see any issues with it. Check the DNS logs to see if there are any errors logged for the time you used the Android app.

Potterli20 commented 1 year ago

> Technitium v11.2 is released, which will allow DoH requests without the Accept header. Do check and let me know your feedback.
>
> The relevant video has been sent; the reverse proxy config is in it, and there is no change.
>
> Received the video in email. I tested the DoH URL that you have configured in that mobile app from my Internet connection and it's working well, as expected. I do not see any issues with it. Check the DNS logs to see if there are any errors logged for the time you used the Android app.

There is a mistake, and if you can't get on the Internet, there will be problems with Android. I don't know how to fix it either.

ShreyasZare commented 1 year ago

Instead of using a 3rd party app, use the built-in DoT support in Android, which works well.

Potterli20 commented 1 year ago

> Instead of using a 3rd party app, use the built-in DoT support in Android, which works well.

I know that DoT is normal, but not with third-party software on Android; iOS DoH is normal, and resolution is normal. I really don't understand Android.

ShreyasZare commented 1 year ago

> Instead of using a 3rd party app, use the built-in DoT support in Android, which works well.
>
> I know that DoT is normal, but not with third-party software on Android; iOS DoH is normal, and resolution is normal. I really don't understand Android.

You should try the Android Private DNS option in settings. It's very straightforward to use.