themagister / Nginx-DOH-Module

Simple Nginx module for serving DNS-over-HTTPS (DOH) requests.
BSD 3-Clause "New" or "Revised" License

Error 56: Socket is already connected #3

Open Mrothyr opened 1 year ago

Mrothyr commented 1 year ago

nginx error log:

```
2023/01/14 18:28:34 [alert] 4214#0: *1 sendto() failed (56: Socket is already connected), client: 192.168.201.12, server: dns.example.net, request: "POST /dns-query HTTP/2.0", host: "dns.example.net"
2023/01/14 18:28:34 [alert] 4214#0: *1 send() failed, client: 192.168.201.12, server: dns.example.net, request: "POST /dns-query HTTP/2.0", host: "dns.example.net"
2023/01/14 18:28:34 [alert] 4214#0: *1 couldn't send query, client: 192.168.201.12, server: dns.example.net, request: "POST /dns-query HTTP/2.0", host: "dns.example.net"
2023/01/14 18:28:34 [alert] 58085#0: *2 sendto() failed (56: Socket is already connected), client: 192.168.201.12, server: dns.example.net, request: "POST /dns-query HTTP/2.0", host: "dns.example.net"
2023/01/14 18:28:34 [alert] 58085#0: *2 send() failed, client: 192.168.201.12, server: dns.example.net, request: "POST /dns-query HTTP/2.0", host: "dns.example.net"
2023/01/14 18:28:34 [alert] 58085#0: *2 couldn't send query, client: 192.168.201.12, server: dns.example.net, request: "POST /dns-query HTTP/2.0", host: "dns.example.net"
```

Tested with curl: `curl -v --doh-url https://dns.example.net/dns-query google.com`

Other clients like dnsproxy or the Windows built-in client cannot access my DNS over DoH either. The upstream DNS (unbound) has no requests in its logs.

nginx.conf:

```nginx
worker_processes 2;
load_module "modules/ngx_stream_module.so";
load_module "modules/ngx_http_doh_module.so";
error_log syslog:server=unix:/dev/log,severity=notice;
worker_rlimit_nofile 1024;

events {
    worker_connections 800;
    multi_accept on;
}

http {
    include mime.types;
    default_type application/octet-stream;
    index index.html index.htm;
    keepalive_timeout 65;
    server_tokens off;

    server {
        listen 192.168.201.182:80;
        server_name dns.example.net;
        access_log logs/acme-access.log;
        error_log logs/acme-error.log debug;
        location /.well-known/acme-challenge/ {
            rewrite ^/.well-known/acme-challenge/(.*) /$1 break;
            root /acme;
        }
        location / {
            return 301 https://$server_name$request_uri;
        }
    }

    server {
        listen 192.168.201.182:443 ssl http2;
        server_name dns.example.net;
        ssl_certificate /etc/ssl/dns.example.net.l3chain.pem;
        ssl_certificate_key /etc/ssl/private/dns.example.net.key;
        ssl_session_timeout 1d;
        ssl_session_tickets off;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
        ssl_session_cache shared:DoH:10m;
        access_log logs/doh-access.log;
        error_log logs/doh-error.log debug;
        location /dns-query {
            doh;
            doh_address 127.0.0.2;
        }
        location / {
            return 301 https://$server_name$request_uri;
        }
    }
}

stream {
    server {
        listen *:853 ssl;
        proxy_pass 127.0.0.2:53;
        proxy_connect_timeout 1s;
        preread_timeout 2s;
    }
    ssl_certificate /etc/ssl/dns.example.net.l3chain.pem;
    ssl_certificate_key /etc/ssl/private/dns.example.net.key;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_session_cache shared:DoT:10m;
    error_log logs/dot-error.log debug;
}
```

Operating System: OpenBSD 7.2
nginx version: 1.22.0 (OpenBSD ports)
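Errno 56 on OpenBSD is EISCONN, which BSD kernels return when sendto() is given a destination address on a UDP socket that was already connect()ed, whereas Linux accepts that call and just sends the datagram; that portability gap is one way a module tested only on Linux can produce the log above. The following is an added example, not code from the module, and it assumes nothing about the module's actual call sequence. It sets up a constructed loopback UDP "resolver" and shows the connect-then-sendto pattern beside the portable send() on a connected socket:

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed stand-in for the upstream resolver: a UDP socket bound to a free
 * port on 127.0.0.1 (not the 127.0.0.2:53 from the issue). Returns the bound
 * socket and fills in its address, or returns -1 on failure. */
static int make_resolver(struct sockaddr_in *addr, socklen_t *len)
{
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    memset(addr, 0, sizeof *addr);
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    *len = sizeof *addr;
    if (bind(s, (struct sockaddr *)addr, *len) < 0 ||
        getsockname(s, (struct sockaddr *)addr, len) < 0) { close(s); return -1; }
    return s;
}

/* Connect a client UDP socket to the resolver, then send one constructed
 * datagram either with sendto() plus an explicit address (explicit_addr = 1)
 * or with plain send() (explicit_addr = 0). Returns 0 if the send succeeded,
 * the errno of the failed send, or -1 if setup failed. */
int send_after_connect(int explicit_addr)
{
    struct sockaddr_in srv;
    socklen_t len;
    const char query[] = "constructed-dns-query";
    int rsock, csock, rc = -1;
    ssize_t n;

    if ((rsock = make_resolver(&srv, &len)) < 0) return -1;
    if ((csock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { close(rsock); return -1; }
    /* connect() fixes the peer on the UDP socket; from here on BSD kernels
     * reject a destination address passed to sendto() with EISCONN. */
    if (connect(csock, (struct sockaddr *)&srv, len) == 0) {
        if (explicit_addr)
            n = sendto(csock, query, sizeof query, 0, (struct sockaddr *)&srv, len);
        else
            n = send(csock, query, sizeof query, 0);   /* portable on both */
        rc = n < 0 ? errno : 0;
    }
    close(csock); close(rsock);
    return rc;
}
```

On OpenBSD `send_after_connect(1)` returns EISCONN and `send_after_connect(0)` returns 0; on Linux both return 0.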

themagister commented 1 year ago

So far I have fixed a bug with content-type checking that allows dnsproxy to work, but I could not reproduce the socket already in use issue in my Linux test setup. I am not familiar with BSD so it will take me additional time to test.