[dnsdist] addDOHLocal has 'urls' parameter, but addDOH3Local has not?
Marco Davids (SIDN)
marco.davids at sidn.nl
Thu Oct 2 10:18:25 UTC 2025
Hi Remi,
On Thu, 2 Oct 2025 10:40:38 +0200 Remi Gacogne via dnsdist wrote:
> It seemed to us that the URLs parameter, which can be used to configure
> the HTTP paths dnsdist will accept DNS queries on, was causing a lot of
> confusion, so we decided to just accept DNS queries on all paths for DoH3.
Got it and that makes sense. Maybe worth updating the docs to mention
this important detail?
I never used that parameter to configure alternative paths for DNS queries though,
but merely for the redirect, because I thought it was needed, based on reading this:
https://mailman.powerdns.com/pipermail/dnsdist/2019-September/000685.html
> I don't think this is related to the urls parameter, wouldn't you rather
> happen to have a response map [1][2] for DoH handling the redirect?
Yes.
But isn't the urls parameter needed to make that work?
In my configuration I have this:
{ '/.well-known/security.txt', '/dns-query' }
When I leave out the '/.well-known/security.txt' part, the response map
I defined stops working.
I guess that’s where the confusion on my part arose, but in the case of addDOH3Local,
where there is no longer a urls parameter, things may be different.
So yes, indeed the core of my question was the need for a response map feature.
> Response map support hasn't been implemented for DoH3 yet, and seems
> there was no feature request for it in our tracker I just created it [3].
Oh, that's nice - many thanks!
I may have a suggestion for that as well:
Since newDOHResponseMapEntry accepts a regex I was wondering...
Wouldn't it be cool if we could reference the match from a regex (e.g. $1)
in the content string, if at all possible to do?
That way, we could use the dynamic part of the URL (e.g. the token in an
ACME challenge request) in a response.
Like this for example:
`^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$`
content string:
https://example.nl/.well-known/acme-challenge/$1
Perhaps there are other possible use cases as well.
Hope that makes sense.
--
Marco
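
The suggestion in the message above, modelled as an added example (not part of the original message and not dnsdist code): a response-map lookup that expands `$1` in the content string from the regex match, using C++ `std::regex`. The names `MapEntry`, `Response`, `lookup` and `sample_map` are hypothetical and the 307 status is an assumption; the anchored pattern and narrow character class are what keep path traversal and CR/LF out of the expanded redirect target.

```cpp
#include <iostream>
#include <regex>
#include <string>
#include <vector>

// Hypothetical model of a response-map entry; not dnsdist's own types.
struct MapEntry {
    std::regex pattern;
    int status;
    std::string content;  // may reference capture groups as $1, $2, ...
};

struct Response {
    int status;
    std::string content;
};

// Find the first entry whose regex matches the WHOLE path and expand
// capture references in its content string. Returns false if none match.
bool lookup(const std::vector<MapEntry>& map, const std::string& path, Response& out) {
    for (const auto& e : map) {
        std::smatch m;
        if (std::regex_match(path, m, e.pattern)) {
            out = Response{e.status, m.format(e.content)};
            return true;
        }
    }
    return false;
}

// Constructed sample map: regex and content string are the ones from the
// message; the 307 redirect status is an assumption.
std::vector<MapEntry> sample_map() {
    std::vector<MapEntry> map;
    map.push_back(MapEntry{
        std::regex(R"(^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$)"),
        307,
        "https://example.nl/.well-known/acme-challenge/$1"});
    return map;
}

int main() {
    Response r;
    // Constructed request path with a sample token.
    if (lookup(sample_map(), "/.well-known/acme-challenge/abc-DEF_123", r)) {
        std::cout << r.status << " " << r.content << "\n";
    }
    return 0;
}
```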