Tony Finch – blog


Yesterday, on IETF 101 hackathon day 1, I made a proof of concept DNS-over-HTTPS server. Today I worked on separating it from my prototyping repository, documenting it, and knocking out some interoperability bugs.

You can get doh101 from https://github.com/fanf2/doh101 and https://dotat.at/cgi/git/doh101.git, and you can send me feedback via GitHub or email to dot@dotat.at.

doh101 vs doh-proxy

Yesterday’s problem with the doh-proxy client turned out to be very simple: my server only did HTTP/1.1 whereas doh-proxy only does HTTP/2. The simple fix was to enable HTTP/2: I added http2 to the listen ssl line in my nginx.conf.

doh101 vs Firefox

Daniel Stenberg of cURL fame suggested I should try out doh101 with the DoH support in Firefox Nightly. It mysteriously did not work, for reasons that were not immediately obvious.

I could see Firefox making its initial probe query to check that my server worked, after which Firefox clearly decided that my server was broken. After some experimentation with Firefox debugging telemetry, and cURL tracing mode, and fiddling with my code to make sure it was doing the right thing with Content-Length etc., I noticed that I was sending the response with ngx.say() instead of ngx.print(): say appends a newline, so I had a byte of stray garbage after my DNS packet.

Once I fixed that, Firefox was happy! It’s useful to have such a pedantic client to test against :-)
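To see why a single stray newline is enough for a strict client to reject a DoH response, here is a small added example (my own illustration, not code from doh101 or Firefox) that walks a DNS wire-format message section by section and reports whether the body was consumed exactly. The sample response for example.com is hand-built test data; the trailing "\n" models what ngx.say() appends that ngx.print() does not.

```python
import struct

def build_sample_response() -> bytes:
    """Constructed DNS response (not a capture): ID 0x1234, QR+RD+RA, NOERROR,
    one question (example.com. IN A) and one answer with a 4-byte RDATA."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    # Answer: compression pointer to offset 12, TYPE A, CLASS IN, TTL 300, RDLENGTH 4
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    return header + question + answer

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a domain name (uncompressed labels or a compression
    pointer) starting at `off`; return the offset just after it."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:                      # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:            # two-byte compression pointer
            if off + 2 > len(msg):
                raise ValueError("truncated pointer")
            return off + 2
        if length & 0xC0:                    # 0x40/0x80 label types are not plain labels
            raise ValueError("bad label type")
        off += 1 + length

def check_dns_message(msg: bytes) -> tuple[bool, int]:
    """Parse header, question and RR sections the way a pedantic client would.
    Returns (consumed_exactly, leftover_byte_count); raises on truncation."""
    if len(msg) < 12:
        raise ValueError("shorter than DNS header")
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # question: QNAME QTYPE QCLASS
        off = _skip_name(msg, off)
        off += 4
    for _ in range(an + ns + ar):            # RR: NAME TYPE CLASS TTL RDLENGTH RDATA
        off = _skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR header")
        rdlength = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlength
    if off > len(msg):
        raise ValueError("truncated RDATA")
    return off == len(msg), len(msg) - off

if __name__ == "__main__":
    clean = build_sample_response()
    print("ngx.print-style body:", check_dns_message(clean))        # (True, 0)
    print("ngx.say-style body:  ", check_dns_message(clean + b"\n")) # (False, 1)
```

The second call models the bug in the post: the message itself parses fine, but one byte is left over after the last resource record, and a client that insists the HTTP body be exactly one DNS message will treat that as a malformed response.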

doh101 vs HTTP

It became clear yesterday that the current DoH draft is a bit unclear about the dividing line between the DNS part and the HTTP part. I wasn’t the only person that noticed this lacuna: on the way into London this morning I wrote up some notes on error handling in DNS over HTTPS, and by the time I was ready to send my notes to the list I found that Ted Hardie and Patrick McManus had already started discussing the topic. I think my notes had some usefully concrete suggestions.

Still to do

The second item on yesterday’s TODO list was to improve the connection handling on the back end of my DoH proxy. I did not make any progress on that today; at the moment I don’t know if it is worth spending more time on this code, or whether it would be better to drop to C and help to make an even more light-weight NGINX DoH module.