1.9.2 compatibility issues with nginx HTTP/3

[ZeroClover]

Because I don't want to use the default Path /dns-query, I run AGH (AdGuard Home) behind nginx so that I can modify the path.

Here is my nginx configuration snippet:

``` upstream agh { server 127.0.0.1:12345; } map $http_upgrade $connection_upgrade { default upgrade; '' close; } server { listen 443 ssl reuseport; listen [::]:443 ssl reuseport; listen 443 quic reuseport; listen [::]:443 quic reuseport; http2 on; server_name dns.domain.tld; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Alt-Svc 'h3=":443"; ma=86400' always; ... location /mypath { proxy_pass https://agh/dns-query; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Scheme $scheme; proxy_set_header Accept-Encoding ''; proxy_redirect off; proxy_buffering off; } ```

nginx version:

nginx -V
nginx version: nginx/1.25.2
built with OpenSSL 3.1.2+quic 1 Aug 2023

There are no issues when using dnslookup 1.9.1, but when using 1.9.2, queries cannot be completed:

dnslookup google.com h3://dns.domain.tld/mypath
dnslookup v1.9.2
2023/09/08 04:08:04 [fatal] Cannot make the DNS request: requesting https:///dns.domain.tld:443/mypath: Get_0rtt "https:///dns.domain.tld:443/mypath?dns=AAABAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ": context deadline exceeded (Client.Timeout exceeded while awaiting headers)

But there is no issue in other DoH clients that support HTTP/3 (including AGH itself).

I'm not quite sure what caused the problem, if you could take the time to check this issue, I would be very grateful.

[ameshkov]

Hmm, the only relevant change was quic-go update. Let me move it to dnsproxy repo as DNS upstreams implementation comes from that library.

[ameshkov]

Hm, I tried reproducing it and couldn't.

Here is what I did.

1. This is the configuration that I used:

   Nginx configuration

   ``` upstream dns_google { server dns.google:443; } server { # quic and http/3 listen 443 quic reuseport; # http/2 and http/1.1 listen 443 ssl reuseport; http2 on; server_name localhost; # customize to match your domain # you need to mount these files when running this container ssl_certificate /etc/nginx/ssl/certificate.crt; ssl_certificate_key /etc/nginx/ssl/certificate.key; # Enable all TLS versions (TLSv1.3 is required for QUIC). ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # 0-RTT QUIC connection resumption ssl_early_data on; # Add Alt-Svc header to negotiate HTTP/3. add_header alt-svc 'h3=":8443"; ma=2592000'; # Sent when QUIC was used # add_header QUIC-Status $quic; location / { return 200 'hello'; add_header Content-Type text/plain; add_header alt-svc 'h3=":8443"; ma=2592000'; } location /dns-query { proxy_pass https://dns_google/dns-query; proxy_set_header Host dns.google; add_header alt-svc 'h3=":8443"; ma=2592000'; } } ```

2. Used a docker image to run it locally:

   docker run -it --rm \
       -p 8443:443/tcp -p 8443:443/udp \
       -v ~/Downloads/nginx/nginx/conf.d:/etc/nginx/conf.d \
       -v ~/Downloads/nginx/nginx/ssl:/etc/nginx/ssl \
       macbre/nginx-http3

3. Here's the dnslookup output:

   VERIFY=0 dnslookup example.org h3://localhost:8443/dns-query
   dnslookup 1.9.2
   TLS verification has been disabled
   dnslookup result (elapsed 302.249125ms):
   ;; opcode: QUERY, status: NOERROR, id: 39506
   ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
   
   ;; QUESTION SECTION:
   ;example.org.   IN   A
   
   ;; ANSWER SECTION:
   example.org.    3295    IN  A   93.184.216.34