Yesterday, on IETF 101 hackathon day 1, I made a proof of concept DNS-over-HTTPS server. Today I worked on separating it from my prototyping repository, documenting it, and knocking out some interoperability bugs.
You can get doh101 from https://github.com/fanf2/doh101 and https://dotat.at/cgi/git/doh101.git, and you can send me feedback via GitHub or email to dot@dotat.at.
Yesterday’s problem with the doh-proxy client turned out to be very simple: my server only did HTTP/1.1 whereas doh-proxy only does HTTP/2. The simple fix was to enable HTTP/2: I added http2 to the listen ssl line in my nginx.conf.
Daniel Stenberg of cURL fame suggested I should try out doh101 with the DoH support in Firefox Nightly. It mysteriously did not work, for reasons that were not immediately obvious.
I could see Firefox making its initial probe query to check that my server worked, after which Firefox clearly decided that my server was broken. After some experimentation with Firefox debugging telemetry and cURL tracing mode, and fiddling with my code to make sure it was doing the right thing with Content-Length etc., I noticed that I was sending the response with ngx.say() instead of ngx.print(): say appends a newline, so I had a byte of stray garbage after my DNS packet.
Once I fixed that, Firefox was happy! It’s useful to have such a pedantic client to test against :-)
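The ngx.say() bug is a single trailing byte, which a strict client treats as a malformed DNS message. As an added example (not code from doh101), this Python check walks a wire-format DNS message section by section and returns whatever follows the last record, so a server test can catch exactly this class of framing error; the sample response is constructed here.

```python
import struct

# Constructed sample: a minimal DNS response for "example.com. IN A", as a
# DoH server would return it in an application/dns-message body.
def build_sample_response() -> bytes:
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # id, flags, QD, AN, NS, AR
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE A, QCLASS IN
    # Answer: compression pointer to the question name, type A, class IN, TTL 300, 4-byte rdata
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + question + answer

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the domain name that starts at off."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1 + length

def trailing_bytes(msg: bytes) -> bytes:
    """Walk every section of a DNS message and return the bytes left after it.

    A well-formed message ends exactly where its last RR ends; anything left
    over (such as the newline ngx.say() appends) is garbage to a strict client.
    """
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR fixed fields")
        rdlength = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlength                          # TYPE, CLASS, TTL, RDLENGTH, RDATA
    if off > len(msg):
        raise ValueError("message truncated")
    return msg[off:]

def is_clean(msg: bytes) -> bool:
    """True when the message has no bytes after its last record."""
    return trailing_bytes(msg) == b""
```

Appending b"\n" to the sample reproduces the ngx.say() output and is flagged as one trailing byte.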
It became clear yesterday that the current DoH draft is a bit unclear about the dividing line between the DNS part and the HTTP part. I wasn’t the only person who noticed this lacuna: on the way into London this morning I wrote up some notes on error handling in DNS over HTTPS, and by the time I was ready to send my notes to the list I found that Ted Hardie and Patrick McManus had already started discussing the topic. I think my notes had some usefully concrete suggestions.
The second item on yesterday’s TODO list was to improve the connection handling on the back end of my DoH proxy. I did not make any progress on that today; at the moment I don’t know if it is worth spending more time on this code, or whether it would be better to drop to C and help to make an even more light-weight NGINX DoH module.