Can unbound answer both DoH and DoT on the same port?

Yorgos Thessalonikefs yorgos at nlnetlabs.nl
Mon Jan 8 10:59:08 UTC 2024


Hi,

You would have additional difficulties since after the TLS handshake DoT 
would expect DNS data and DoH would expect HTTP data.

Best regards,
-- Yorgos

On 06/01/2024 19:51, ch--- via Unbound-users wrote:
> 
> I have a working unbound server that answers DoH queries on tcp 443.
> 
> I use a Let's Encrypt SSL certificate and it passes properly with both 
> curl and Firefox.
> 
> I was curious if I could query the exact same server with a DoT client:
> 
> # kdig -d @doh.mydomain.com:443 +tls-ca cnn.com
> 
> ;; DEBUG: Querying for owner(cnn.com.), class(1), type(1), 
> server(doh.mydomain.com), port(443), protocol(TCP)
> ;; DEBUG: TLS, imported 145 system certificates
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG:  #1, CN=mydomain.com
> ;; DEBUG:      SHA-256 PIN: XzzPRPTjAqSgKmDsYY/Oxxxxxxxxxx68Bldoxxxxxxxx
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is NOT trusted. The certificate issuer is 
> unknown.
> ;; WARNING: TLS, handshake failed (Error in the certificate.)
> ;; ERROR: failed to query server doh.mydomain.com at 443(TCP)
> 
> So I can create a DoT query over port 443 and it appears this would work 
> but ... a TLS handshake failure ...
> 
> Is this just a problem specific to letsencrypt and this portion of the 
> error:
> 
> ;; DEBUG: TLS, imported 145 system certificates
> 
> Or will I have additional difficulties in trying to answer *both* DoH 
> and DoT over port 443 from the same unbound instance ?
> 
> Thanks.
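The point in the reply above, that after the TLS handshake a DoT client sends raw length-prefixed DNS while a DoH client sends HTTP, is easy to see on the wire. The following is an added example written for this page; it is not code from the poster, from Yorgos, or from the Unbound project. It builds the same cnn.com/A query as a DoT frame (RFC 7858 framing) and as a DoH GET request (RFC 8484 wire format), and a sniff_protocol() function that classifies the first application bytes a client sends after the handshake, the way a protocol demultiplexer sitting in front of a single port would have to. The host name, the function names and the constructed inputs are illustrative assumptions.

```python
import base64
import struct

# HTTP/2 client connection preface (RFC 7540 section 3.5): what a DoH client
# that negotiated "h2" sends first after the TLS handshake.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
# Methods an HTTP/1.1 DoH client may open with (GET or POST per RFC 8484).
HTTP1_METHODS = (b"GET ", b"POST ", b"HEAD ", b"OPTIONS ")


def build_dns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one question (default type A)."""
    # flags 0x0100: QR=0 (query), opcode 0, RD set; qdcount=1, other counts 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # class IN


def dot_frame(msg: bytes) -> bytes:
    """DoT framing (RFC 7858, same as DNS over TCP): 2-byte big-endian length prefix."""
    return struct.pack(">H", len(msg)) + msg


def doh_get_request(msg: bytes, host: str) -> bytes:
    """DoH GET over HTTP/1.1 (RFC 8484): the DNS message, base64url without padding,
    carried in the ?dns= query parameter. RFC 8484 recommends message ID 0 so
    identical queries produce identical (cacheable) URLs."""
    msg = b"\x00\x00" + msg[2:]
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=")
    return (
        b"GET /dns-query?dns=" + b64 + b" HTTP/1.1\r\n"
        b"Host: " + host.encode("ascii") + b"\r\n"
        b"Accept: application/dns-message\r\n\r\n"
    )


def sniff_protocol(buf: bytes) -> str:
    """Classify the first application-layer bytes seen after the TLS handshake.

    Returns "h2", "http/1.1", "dot" or "unknown". HTTP is tested first because
    its openings are fixed ASCII; the DoT check then requires a plausible
    length prefix and a DNS header that looks like a standard query.
    """
    if buf.startswith(H2_PREFACE):
        return "h2"
    first_line = buf.split(b"\r\n", 1)[0]
    if buf.startswith(HTTP1_METHODS) and b" HTTP/1." in first_line:
        return "http/1.1"
    if len(buf) >= 14:  # 2-byte length + 12-byte DNS header
        (length,) = struct.unpack(">H", buf[:2])
        flags, qdcount = struct.unpack(">HH", buf[4:8])
        qr = flags >> 15               # 0 = query
        opcode = (flags >> 11) & 0xF   # 0 = standard QUERY
        if length >= 12 and qr == 0 and opcode == 0 and qdcount == 1:
            return "dot"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: the query from the post, cnn.com type A, sent both ways.
    query = build_dns_query("cnn.com")
    samples = {
        "DoT client": dot_frame(query),
        "DoH client (HTTP/1.1)": doh_get_request(query, "doh.mydomain.com"),
        "DoH client (h2)": H2_PREFACE + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00",
    }
    for who, first_bytes in samples.items():
        print(f"{who:24s} -> {sniff_protocol(first_bytes)}  {first_bytes[:20]!r}")
```

A real front-end would not sniff payload bytes at all; it would key on the ALPN identifier the client negotiated ("dot" for DoT, "h2" or "http/1.1" for DoH) and route the connection to the right handler. The byte-level view above just makes clear why a single listener cannot treat the two as one stream: the first thing it reads is either a DNS length prefix or an HTTP preamble, and whichever parser it hands the bytes to will reject the other. Unbound itself keeps the two on separate listeners, configured with tls-port (DoT) and https-port (DoH).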

