[dnsdist] DoH issues after 1.8.3 -> 1.9.0 upgrade

Christoph cm at appliedprivacy.net
Tue Mar 19 21:04:00 UTC 2024


Remi Gacogne via dnsdist:
>> thanks for the pointer, really looking forward to the dnsdist version
>> that has this solved.
> 
> Sure, I expect to release 1.9.2 including this fix in the next couple 
> weeks.

thanks!

> Note that this metric (doh_http_version_queries) is incremented after 
> doing some sanity checks but before actually parsing the DNS query, so 
> unfortunately we cannot be sure these are valid DoH queries. At this 
> point they could be bots. Can you check doh_version_status_responses for 
> httpversion=1 and status=200 instead?

Thanks for pointing that out.
In our case these two graphs overlap very closely.
Maybe because only requests using the correct hostname in the SNI
actually reach dnsdist in the first place.


>> So the practical solution to use dnsdist 1.9.0 with nghttp2 and
>> still support HTTP/1.1 clients is to use a webserver like nginx in 
>> front of dnsdist?
> 
> Yes, a reverse proxy like nginx or HAProxy might be the best option to 
> keep HTTP/1.1 support at this point.

Turns out nginx does not speak HTTP/2 with upstream servers
but HAProxy does according to the documentation.

> I'm afraid we are currently not increasing any counter in this exact 
> case, I'll see what I can do about it.

Thanks, appreciated.

> You are correct, but in practice I am yet to see a DoH client using 
> HTTP/1.1 in production.

Would be interesting to know how much non-HTTP/2 traffic large DoH
service providers see in practice, maybe I'm going to reach out on the
dns-operations mailing list.

> I just don't want to increase the 
> code complexity and attack surface just to reply to crawlers.

Yes, that makes sense :)

best regards,
Christoph
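The reverse-proxy setup discussed above, as an added example that is not part of the thread or of the dnsdist project: HAProxy terminates TLS for clients that may still negotiate HTTP/1.1 and forwards only the DoH path to a dnsdist 1.9.x DoH frontend over HTTP/2. Certificate paths, the dnsdist listen address, the `/dns-query` path and the `addDOHLocal` call in the comment are assumptions.

```haproxy
# Added example (not from the thread). Paths, ports and names are placeholders.
global
    log stdout format raw local0

defaults
    mode    http
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend doh_public
    # Clients pick h2 or http/1.1 via ALPN; HAProxy accepts both, so
    # HTTP/1.1 DoH clients keep working without dnsdist having to speak it.
    bind :443 ssl crt /etc/haproxy/certs/doh.example.pem alpn h2,http/1.1
    # Only the DoH endpoint with GET/POST is forwarded. Crawlers probing
    # other paths are answered here and never reach dnsdist.
    acl is_doh_path   path /dns-query
    acl is_doh_method method GET POST
    http-request deny deny_status 404 unless is_doh_path is_doh_method
    default_backend doh_dnsdist

backend doh_dnsdist
    # Always speak HTTP/2 to dnsdist (the nghttp2-based 1.9.0 DoH frontend
    # handles HTTP/2 only). The backend TLS certificate is verified against
    # a dedicated CA rather than using "verify none".
    # Assumed dnsdist side:
    #   addDOHLocal("127.0.0.1:8443", "/etc/dnsdist/doh.pem", "/etc/dnsdist/doh.key", {"/dns-query"})
    server dnsdist1 127.0.0.1:8443 ssl verify required ca-file /etc/haproxy/certs/dnsdist-ca.pem alpn h2 check
```

With this in place, dnsdist's doh_version_status_responses will only ever show httpversion=2 for proxied traffic, so HTTP/1.1 client volume has to be measured from HAProxy's own logs or stats instead.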

