[dnsdist] DoH issues after 1.8.3 -> 1.9.0 upgrade

Christoph cm at appliedprivacy.net
Mon Mar 18 21:00:20 UTC 2024


Otto Moerbeek wrote:
> This might be related: https://github.com/PowerDNS/pdns/issues/13850,
> not backported yet

thanks for the pointer, really looking forward to the dnsdist version
that has this solved.

Remi wrote:
> In addition to the issue mentioned by Otto, it might also be that the
> monitoring does not support HTTP/2.

yes, that appears to be the case: uptimerobot does not support HTTP/2 and 
was affected, our blackbox_exporter appears to support HTTP/2 and was 
not affected.

> The new nghttp2 provider for
> incoming DNS over HTTPS does not support HTTP/1.1. In 1.9.x it's
> still possible to switch back to the legacy h2o provider but note
> that it will likely go away in the next major version of DNSdist. In
> our testing the lack of HTTP/1.1 support was not an issue for actual
> DNS over HTTPS clients, with most of HTTP/1.1 queries coming from
> crawlers/bots, but of course we will reconsider if you find out that
> legitimate DoH clients are impacted.

we see about 5-10% of non-version 2 DoH requests by looking at:

sum by (version)
(irate(dnsdist_frontend_doh_http_version_queries{job="$job"}[$__rate_interval]))

So the practical solution to use dnsdist 1.9.0 with nghttp2 and
still support HTTP/1.1 clients is to use a webserver like nginx in front 
of dnsdist?

I expected an increase of this metric during our partial outage but
this value did not increase. Is this expected?

irate(dnsdist_frontend_doh_version_status_responses{httpversion="1",status="400",job="$job"}[$__rate_interval])

dnsdist_frontend_noncompliantqueries also didn't increase.
Which value is expected to increase?


btw:
dnsdist's v1.9.0 answer to HTTP requests not using HTTP/2:

> This server implements RFC 8484 - DNS Queries over HTTP, and
> requires HTTP/2 in accordance with section 5.2 of the RFC.

but RFC8484 does not actually require HTTP/2, right?

https://www.rfc-editor.org/rfc/rfc8484.html#section-5.2
> 5.2.  HTTP/2
> 
> HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP for use 
> with DoH.

It is recommended but not a "MUST".

best regards,
Christoph
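As an added example (not part of Christoph's message or of dnsdist's own code), the 5-10% figure quoted above can be reproduced from two raw scrapes of dnsdist's /metrics endpoint without Grafana, by differencing the cumulative counters the way rate()/irate() does. The metric and label names come from the thread; the frontend label, the version label values "1" and "2", and all counter values are constructed for illustration.

```python
import re
from collections import defaultdict

# Two constructed scrapes of dnsdist's /metrics, taken a few minutes apart
# (values and the frontend label are assumed, not real data).
SCRAPE_T0 = """\
dnsdist_frontend_doh_http_version_queries{frontend="[::]:443",version="1"} 60
dnsdist_frontend_doh_http_version_queries{frontend="[::]:443",version="2"} 900
dnsdist_frontend_doh_version_status_responses{frontend="[::]:443",httpversion="1",status="400"} 60
dnsdist_frontend_doh_version_status_responses{frontend="[::]:443",httpversion="2",status="200"} 898
"""
SCRAPE_T1 = """\
# HELP and TYPE comment lines are skipped by the parser
dnsdist_frontend_doh_http_version_queries{frontend="[::]:443",version="1"} 130
dnsdist_frontend_doh_http_version_queries{frontend="[::]:443",version="2"} 1830
dnsdist_frontend_doh_version_status_responses{frontend="[::]:443",httpversion="1",status="400"} 130
dnsdist_frontend_doh_version_status_responses{frontend="[::]:443",httpversion="2",status="200"} 1825
"""

# One sample line of the Prometheus text format: name{labels} value
SAMPLE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{(.*)\})?\s+(\S+)')
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')

def parse_scrape(text):
    """Yield (metric name, label dict, value) for every sample in a scrape."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if m:
            name, raw_labels, value = m.groups()
            yield name, dict(LABEL_RE.findall(raw_labels or "")), float(value)

def sum_by(text, metric, label, **match):
    """Sum `metric` over all series, grouped by `label`; `match` filters on other labels."""
    totals = defaultdict(float)
    for name, labels, value in parse_scrape(text):
        if name == metric and all(labels.get(k) == v for k, v in match.items()):
            totals[labels.get(label, "unknown")] += value
    return dict(totals)

def increase(before, after, metric, label, **match):
    """Per-group counter increase between two scrapes, i.e. what rate()/irate() measures."""
    b, a = sum_by(before, metric, label, **match), sum_by(after, metric, label, **match)
    return {k: a[k] - b.get(k, 0.0) for k in a}

def non_http2_share(before, after):
    """Fraction of DoH queries in the interval that did not arrive over HTTP/2."""
    inc = increase(before, after, "dnsdist_frontend_doh_http_version_queries", "version")
    total = sum(inc.values())
    return 0.0 if total == 0 else (total - inc.get("2", 0.0)) / total
```

Running increase() on dnsdist_frontend_doh_version_status_responses with httpversion="1" against scrapes taken before and during an incident is the same check as the status="400" query in the message, just without the Grafana variables.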


More information about the dnsdist mailing list