TuxInvader / nginx-dns

Sample Configuration for DNS over HTTPS (DoH/DoT gateway) and GSLB with NGINX
BSD 2-Clause "Simplified" License

Update dns.js #1

Open Wangoviridans opened 4 years ago

Wangoviridans commented 4 years ago

Added compatibility with the dnscrypt-proxy2 client. (Error when dns is not the first parameter, for example GET /dns-query?ct=&dns=blah)

TuxInvader commented 4 years ago

Hi Kirill,

Thanks for the PR. I'll fix the dns_decode_level bug, but I think it would be more efficient to accommodate extra query arguments in the NGINX config itself, rather than looping through them in NJS. Eg:

# proxy pass to the dohloop upstream
proxy_pass http://dohloop/dns-query?dns=$arg_dns;

Are the other arguments that dnscrypt-proxy2 sends relevant to the DoH gateway?

Thanks, Mark

Wangoviridans commented 4 years ago

Hey! I'm not completely sure. Still reading docs & sources. At this moment I'm trying to figure out: upstream prematurely closed connection while reading response header from upstr[...] , request: "POST /dns-query?body_hash=fc3f9e09b65a7ce1e47b02b299[...]" (only 1 arg: body_hash)

TuxInvader commented 4 years ago

> Hey! I'm not completely sure. Still reading docs & sources. At this moment I'm trying to figure out: upstream prematurely closed connection while reading response header from upstr[...] , request: "POST /dns-query?body_hash=fc3f9e09b65a7ce1e47b02b299[...]" (only 1 arg: body_hash)

When you send a POST through DoH, the raw packet is sent inside the body, it looks like they are just sending a hash of it in the URI as an argument. I don't know why it would fail though... I've tested a similar thing with curl...

curl -vv -k https://lb01/dns-query?body_hash=blah --data-binary @/var/nginx/dns.packet

Wangoviridans commented 4 years ago

Can you share this 'dns.packet'? I will test from my side.

TuxInvader commented 4 years ago

Sure. I had to gzip it for GitHub. It's just a capture from a Firefox DoH request for detectportal.firefox.com: dns.packet.gz

Wangoviridans commented 4 years ago

> Sure. I had to gzip it for GitHub. It's just a capture from a Firefox DoH request for detectportal.firefox.com: dns.packet.gz

In that way everything is normal =\

curl -vv -k https://dns.xiii.icu/dns-query?body_hash=helloworld --data-binary @./dns.packet
*   Trying 157.230.26.227...
* TCP_NODELAY set
* Connected to dns.xiii.icu (157.230.26.227) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=xiii.icu
*  start date: Nov 19 21:42:18 2019 GMT
*  expire date: Feb 17 21:42:18 2020 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x55e369056580)
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> POST /dns-query?body_hash=sdojksdjklsdgjkl HTTP/2
> Host: dns.xiii.icu
> User-Agent: curl/7.58.0
> Accept: */*
> Content-Length: 61
> Content-Type: application/x-www-form-urlencoded
>
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* We are completely uploaded and fine
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/2 000
< server: nginx
< date: Thu, 28 Nov 2019 14:47:39 GMT
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failed writing body (0 != 416)
* Connection #0 to host dns.xiii.icu left intact