[dnsdist] dnsdist 1.5.1 doh + options bug ?

Dave Knight dave at knig.ht
Fri Oct 9 21:34:55 UTC 2020

> On Oct 6, 2020, at 3:05 AM, Remi Gacogne via dnsdist <dnsdist at mailman.powerdns.com> wrote:
> Hi Dave,
> On 10/6/20 2:14 AM, Dave Knight via dnsdist wrote:
>> Hello all,
>> Recently started exploring dnsdist and joined the mail list just today.
>> I'd been playing with DoT and DoH in 1.4.0 without problems. Since switching to 1.5.0 and now 1.5.1 I have problems with DoH.
>> I did some fiddling in the config and found that DoH doesn't work for a listener configured where addDOHLocal has { options }.
>> [...]
>> addDOHLocal( '[::1]:443',
>>            '/etc/ssl/certs/bigalsfancydns.com.pem',
>>            '/etc/ssl/private/bigalsfancydns.com.key',
>>            { reusePort=True } )
> If you look at the documentation for addDOHLocal[1] you'll see that the
> fourth parameter is a path, or a list of paths, and not the options that
> you are trying to set. These come in the fifth parameter. Basically all
> your configurations except for the '4' one do not accept HTTP(S) queries
> on any path, hence your issue.
> [1]: https://dnsdist.org/reference/config.html#addDOHLocal

Seems the consensus is on me doing something stupid :p

<https://dnsdist.org/reference/config.html>

addDOHLocal(address[, certFile(s)[, keyFile(s)[, urls[, options]]]])
Changed in version 1.5.0:
url now defaults to /dns-query instead of /

I interpreted 'there is a default' as 'I can omit this' and didn't bother to consider that the changed position of subsequent parameters was important.

What is the right way to signal that I want to use the default value? This seems to work…

addDOHLocal( '[::1]:443',
            { reusePort=True } )

but is it the correct way to do it?

In addition to that, I was getting the case wrong, as I'm generating it with Ansible and Jinja2:

            { reusePort={{ item.reuse_port | default(false) }} } )

needed to add a |string|lower to that.

I suppose the real issue is that neither of these bits of broken config were logged, or caught by an explicit check:

# dnsdist --check-config
Configuration '/usr/local/etc/dnsdist.conf' OK!

Thanks everyone who replied!

Kind regards,
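The two mistakes in this thread (an options table landing in the positional `urls` slot of `addDOHLocal`, and Jinja2 rendering a Python `True` into a Lua config, where `True` is just an undefined global and evaluates to nil) both pass `dnsdist --check-config`. The script below is an added example, not part of this thread or of dnsdist: a small pre-deploy lint you can run over a rendered `dnsdist.conf` from a CI step or an Ansible task. It only knows the documented positional order `address, certFile(s), keyFile(s), urls, options` quoted above; the sample config it checks is constructed for the example, and the file paths and addresses in it are placeholders.

```python
import re
import sys

# Constructed sample: three rendered addDOHLocal calls. The first reproduces the
# thread's mistakes, the second is laid out per the documented signature, the
# third puts a key=value table in the certFile(s) slot. Paths are placeholders.
SAMPLE_CONF = """
addDOHLocal( '[::1]:443',
           '/etc/ssl/certs/example.pem',
           '/etc/ssl/private/example.key',
           { reusePort=True } )
addDOHLocal("127.0.0.1:443", "/c.pem", "/k.pem", { "/dns-query" }, { reusePort=true })
addDOHLocal( '[::1]:443',
            { reusePort=True } )
"""

CALL_RE = re.compile(r'addDOHLocal\s*\(')
KV_TABLE_RE = re.compile(r'^\{\s*\w+\s*=')          # Lua table with key=value entries
PY_BOOL_RE = re.compile(r'=\s*(True|False)\b')       # Python-style boolean leaking from Jinja2


def _extract_calls(text):
    """Return the raw argument text of every addDOHLocal(...) call.

    Tracks string quotes and bracket nesting so that commas inside strings
    or tables do not end the call early. Lua '--' comments are not handled.
    """
    calls = []
    for m in CALL_RE.finditer(text):
        i, start, depth, quote = m.end(), m.end(), 1, None
        while i < len(text) and depth > 0:
            c = text[i]
            if quote:
                if c == quote:
                    quote = None
            elif c in ('"', "'"):
                quote = c
            elif c in '({[':
                depth += 1
            elif c in ')}]':
                depth -= 1
            i += 1
        if depth == 0:                      # skip unbalanced/truncated calls
            calls.append(text[start:i - 1])
    return calls


def _split_args(argtext):
    """Split an argument list on top-level commas only."""
    args, buf, depth, quote = [], [], 0, None
    for c in argtext:
        if quote:
            if c == quote:
                quote = None
        elif c in ('"', "'"):
            quote = c
        elif c in '({[':
            depth += 1
        elif c in ')}]':
            depth -= 1
        elif c == ',' and depth == 0:
            args.append(''.join(buf).strip())
            buf = []
            continue
        buf.append(c)
    tail = ''.join(buf).strip()
    if tail:
        args.append(tail)
    return args


def lint_doh_calls(text):
    """Return a list of human-readable findings for addDOHLocal calls in text."""
    findings = []
    for n, raw in enumerate(_extract_calls(text), 1):
        args = _split_args(raw)
        # Documented order: address, certFile(s), keyFile(s), urls, options.
        # A key=value table in slot 2 or 4 is an options table in the wrong place.
        if len(args) >= 2 and KV_TABLE_RE.match(args[1]):
            findings.append(f"call {n}: key=value table in the certFile(s) slot (2nd argument)")
        if len(args) >= 4 and KV_TABLE_RE.match(args[3]):
            findings.append(f"call {n}: key=value table in the urls slot (4th argument); "
                            f"options belong in the 5th")
        for a in args:
            if PY_BOOL_RE.search(a):
                findings.append(f"call {n}: Python-style boolean in {a!r}; Lua needs "
                                f"lowercase true/false (True is an undefined global, i.e. nil)")
    return findings


if __name__ == "__main__":
    # Usage: python doh_lint.py /path/to/rendered/dnsdist.conf (or no args for the sample)
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    problems = lint_doh_calls(conf)
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

Run it after the template step and before restarting dnsdist; a non-zero exit is the explicit check that `--check-config` does not give you here. It is deliberately a positional-layout and case check, not a Lua parser, so it complements rather than replaces `--check-config`.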
