Open karnauskas opened 3 years ago
Hello,
The idea of introducing DoH seems good, but I don't think that DoH must be used as a fallback when DNS queries fail.
I think the DoH must be introduced as a kind of optional replacement of the classic resolvers.
For now, I know neither what the options might look like nor the core implementation, I need to think about that.
If you have some ideas, please share them with us.
My code changes are just a tiny bit of code which worked in my case. I don't see this working in a generic situation. In my situation the DNS resolver address is on an allow list, but auth name servers can't be reached directly via UDP (who wants to expose DNS queries to the ISP, right?)
And yes, DoH should be a configurable option. Perhaps each DNS provider should have an (un)supported fallback option, e.g. the CloudFlare or Google providers, and perhaps some others.
DNS query failure over UDP is also interesting: timeouts are reported just after the 2 min timeout, however they fail on every attempt.
IMHO the core/upstream DNS library has options for using UDP, TCP and TCP+TLS for transport; I assume it would be easy to integrate DoH (well, it's not always easy).
DNS is waiting for TXT propagation while trying to connect directly to authoritative name servers over port 53, which could be blocked. Allow the use of DoH to solve the dns01 challenge.
Rough idea can be seen here: https://github.com/go-acme/lego/compare/master...karnauskas:doh
Collaboration on how to integrate this properly is welcome.
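An added example (not lego's code, and not the branch linked above) of the idea in this issue: checking dns01 TXT propagation through an RFC 8484 DNS-over-HTTPS resolver instead of port 53 to the authoritative servers. It assumes Cloudflare's public endpoint `https://cloudflare-dns.com/dns-query` as the default, uses only the standard library, and takes an injectable `transport` so the wire-format packing and parsing can be exercised offline; the names and token values used in tests are constructed.

```python
import struct, urllib.request

def pack_txt_query(name):
    """DNS wire-format TXT query for name: ID 0 (per RFC 8484), RD=1, one question."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    # header: ID, flags (RD), QDCOUNT=1, AN/NS/AR=0; question ends with QTYPE=16 (TXT), QCLASS=1 (IN)
    return struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x10\x00\x01"

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name starting at off."""
    while off < len(msg):
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
            return off + 2
        off += 1 + length
    raise ValueError("truncated name")

def parse_txt_answers(msg):
    """Return every TXT string in the answer section; raise on a non-zero RCODE."""
    if len(msg) < 12:
        raise ValueError("short message")
    if msg[3] & 0x0F:
        raise ValueError(f"DNS error, rcode {msg[3] & 0x0F}")
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off, txts = 12, []
    for _ in range(qdcount):  # question: name, QTYPE, QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        p = 0
        while rtype == 16 and p < len(rdata):  # TXT RDATA: <len><chars> repeated
            txts.append(rdata[p + 1:p + 1 + rdata[p]].decode("utf-8", "replace"))
            p += 1 + rdata[p]
    return txts

def post_doh(endpoint, query):
    """RFC 8484 POST transport: request body and response are application/dns-message."""
    headers = {"Content-Type": "application/dns-message", "Accept": "application/dns-message"}
    req = urllib.request.Request(endpoint, data=query, method="POST", headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()

def txt_propagated(name, expected, endpoint="https://cloudflare-dns.com/dns-query", transport=post_doh):
    """True once the dns01 TXT value is visible via the DoH resolver (assumed default: Cloudflare)."""
    return expected in parse_txt_answers(transport(endpoint, pack_txt_query(name)))
```

Because the resolver is reached over HTTPS, a network that blocks outbound port 53 to authoritative servers but allows the DoH endpoint can still complete the propagation check; a non-zero RCODE (e.g. NXDOMAIN before the record exists) surfaces as a ValueError rather than a silent "not propagated".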