m13253 / dns-over-https

High performance DNS over HTTPS client & server
https://developers.google.com/speed/public-dns/docs/dns-over-https
MIT License

Example config for typical DNS-over-HTTPS architecture #117

Closed deshmukhrajvardhan closed 2 years ago

deshmukhrajvardhan commented 2 years ago

Hi,

I am trying to create an example for a typical DNS-over-HTTPS architecture with the following topology: nslookup or curl application<->doh-client<->nginx-proxy<->doh-server<->dns-resolver

Help needed

case 1

After using this command `nslookup https://dns.example.com/dns-query 127.0.0.1`, doh-client sends `GET /?ct=application/dns-message&dns=AAABAAABAAAAAAABD2h0dHBzOi8vZXhhbXBsZQ1jb20vZG5zLXF1ZXJ5AAABAAEAACkQAAAAAAAAAA` to the nginx proxy, and the nginx proxy has only one path location, `/dns-query`. Therefore, nginx returns 404 Not Found.

case 2

After using this command `SSLKEYLOGFILE=/etc/doh-standalone/shared/curl_key.log curl -k https://127.0.0.1:8443/dns-query`, the application talks to the nginx proxy directly (`GET /dns-query`); the proxy talks to the doh-server, which replies:

HTTP/1.1 415 Unsupported Media Type
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, HEAD, OPTIONS, POST
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3600
Content-Type: application/json; charset=UTF-8
Server: DNS-over-HTTPS/2.3.1 (+https://github.com/m13253/dns-over-https)
X-Powered-By: DNS-over-HTTPS/2.3.1 (+https://github.com/m13253/dns-over-https)
Date: Mon, 22 Nov 2021 21:26:48 GMT
Content-Length: 62
Connection: close

Would appreciate help with the configuration. Let me know if you need more information.

Highlights of the configurations:

  1. doh-client.conf

    # DNS listen port
    listen = [
        "127.0.0.1:53",
        "127.0.0.1:5380",
        "[::1]:53",
        "[::1]:5380",

        ## To listen on both 0.0.0.0:53 and [::]:53, use the following line
        # ":53",
    ]

    [[upstream.upstream_ietf]]
    url = "https://127.0.0.1:8443" # to nginx proxy #"https://cloudflare-dns.com/dns-query"
    weight = 50

    insecure_tls_skip_verify = true


  2. nginx.conf

    upstream dns-backend {
        server 127.0.0.1:8053;
    }
    server {
        listen 8443 ssl http2;
        ssl_certificate     /etc/nginx/ssl/example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/example.com.key;
        ssl_dhparam         /etc/nginx/ssl/dhparam.pem;
        ssl_protocols       TLSv1.3;

        # listen 80;
        server_name dns.example.com;
        root /var/www/html/dns;
        location /dns-query {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_redirect off;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 86400;
            proxy_pass http://dns-backend/dns-query;
        }
    }

  3. doh-server.conf

    listen = [
        "127.0.0.1:8053",
        "[::1]:8053",

        ## To listen on both 0.0.0.0:8053 and [::]:8053, use the following line
        # ":8053",
    ]
    path = "/dns-query"
    upstream = [
        "udp:127.0.2.1:53",
    ]


  4. dns-resolver: Dnscrypt-Proxy as used here https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-server/#DNS-over-HTTPS_server

m13253 commented 2 years ago

In doh-client.conf, change

url = "https://127.0.0.1:8443"

to

url = "https://127.0.0.1:8443/dns-query"
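
As an added illustration (not code from this issue or from the dns-over-https project): how a DoH client builds its RFC 8484 GET URL from the configured upstream URL, plus a decoder for the `dns=` value quoted in the first post. It shows why an upstream of `https://127.0.0.1:8443` produces a request for `/` (which the nginx config above, with only a `/dns-query` location, answers with 404) and what nslookup actually asked for. Function names are this example's own.

```python
import base64
import struct
from urllib.parse import urlencode, urlsplit, urlunsplit

# The base64url "dns=" value copied from the first post of this issue.
ISSUE_QUERY_B64 = ("AAABAAABAAAAAAABD2h0dHBzOi8vZXhhbXBsZQ1jb20vZG5zLXF1ZXJ5"
                   "AAABAAEAACkQAAAAAAAAAA")


def b64url_decode(s):
    # RFC 8484 strips the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def parse_question(wire):
    """Return (qname, qtype, qclass) from the first question of a DNS message."""
    _id, _flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", wire[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not appear in a query's question
            raise ValueError("unexpected compression pointer")
        labels.append(wire[pos:pos + length].decode("latin-1"))
        pos += length
    qtype, qclass = struct.unpack("!HH", wire[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def doh_get_url(upstream_url, wire):
    """GET URL for `wire` against the configured upstream (RFC 8484 section 4.1).
    The path is taken from the configured URL unchanged: "https://127.0.0.1:8443"
    yields a request for "/", while ".../dns-query" reaches the nginx location."""
    parts = urlsplit(upstream_url)
    query = urlencode({"ct": "application/dns-message",
                       "dns": b64url_encode(wire)}, safe="/")
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", query, ""))


if __name__ == "__main__":
    wire = b64url_decode(ISSUE_QUERY_B64)
    print(parse_question(wire))  # nslookup queried the literal string as a hostname
    print(doh_get_url("https://127.0.0.1:8443", wire))
    print(doh_get_url("https://127.0.0.1:8443/dns-query", wire))
```
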
deshmukhrajvardhan commented 2 years ago

Thanks @m13253! This was one of the main config problems. Additionally, I had to change the dns-resolver (Dnscrypt-Proxy) config:

# Empty listen_addresses to use systemd socket activation
listen_addresses = ['127.0.2.1:9001']

and ask the doh-server to talk to it:

upstream = [
    "udp:127.0.2.1:9001",
    "tcp:127.0.2.1:9001",
]

I have it up and working. Let me know if this project/repository could benefit from the example I have. If that's the case, I can document it (I have scripts that can trigger it) so that others can use it. Also, I have this setup in a container; I could supply that code as well.

Thanks again!

m13253 commented 2 years ago

Yes, Dnscrypt-Proxy is compatible with my software, partially.

There were in the past, and could be in the future, some issues while connecting Dnscrypt-Proxy with doh-client/doh-server though. I tried to reach their developers to fix some issues in the past, but got turned down. So don't expect the compatibility to be perfect.

Since I can't guarantee compatibility with Dnscrypt-Proxy, nor am I willing to promote Dnscrypt-Proxy in my software, I am not going to officially document “How to connect doh-client/doh-server to Dnscrypt-Proxy”.

deshmukhrajvardhan commented 2 years ago

Thanks @m13253 for the background and explanation. It makes sense. Do you recommend any other DNS proxy resolver that could be used with the DoH server? Just for future reference, for people who would like to have the full setup (application<->doh-client<->nginx-proxy<->doh-server<->dns-resolver).

I am marking this issue as resolved as it solved my problem. Thanks again!