Tony Finch – blog

• home
• search
• archive
• recent
• feed
• links
• elsewhere

• https://fanf.livejournal.com/150983.html
• https://fanf.dreamwidth.org/123738.html

Yesterday, on IETF 101 hackathon day 1, I made a proof of concept DNS-over-HTTPS server. Today I worked on separating it from my prototyping repository, documenting it, and knocking out some interoperability bugs.

You can get doh101 from https://github.com/fanf2/doh101 and https://dotat.at/cgi/git/doh101.git, and you can send me feedback via GitHub or email to dot@dotat.at.

doh101 vs doh-proxy

Yesterday’s problem with the doh-proxy client turned out to be very simple: my server only did HTTP/1.1 whereas doh-proxy only does HTTP/2. The simple fix was to enable HTTP/2: I added http2 to the listen ssl line in my nginx.conf.

doh101 vs Firefox

Daniel Stenberg of cURL fame suggested I should try out doh101 with the DoH support in Firefox Nightly. It mysteriously did not work, for reasons that were not immediately obvious.

I could see Firefox making its initial probe query to check that my server worked, after which Firefox clearly decided that my server was broken. After some experimentation with Firefox debugging telemetry, and cURL tracing mode, and fiddling with my code to make sure it was doing the right thing with Content-Length etc. I noticed that I was sending the response with ngx.say() instead of ngx.print(): say appends a newline, so I had a byte of stray garbage after my DNS packet.

Once I fixed that, Firefox was happy! It’s useful to have such a pedantic client to test against :-)

doh101 vs HTTP

It became clear yesterday that the current DoH draft is a bit unclear about the dividing line between the DNS part and the HTTP part. I wasn’t the only person that noticed this lacuna: on the way into London this morning I wrote up some notes on error handling in DNS over HTTPS, and by the time I was ready to send my notes to the list I found that Ted Hardie and Patrick McManus had already started discussing the topic. I think my notes had some usefully concrete suggestions.

Still to do

The second item on yesterday’s TODO list was to improve the connection handling on the back end of my DoH proxy. I did not make any progress on that today; at the moment I don’t know if it is worth spending more time on this code, or whether it would be better to drop to C and help to make an even more light-weight NGINX DoH module.

Tony Finch <dot@dotat.at>