TrueCloudLab/coredns
16
0
Fork 2
Code Issues Pull requests 4 Projects Releases Packages Wiki Activity Actions

support plain HTTP for DoH (#4997)

Browse source 
Signed-off-by: Ondřej Benkovský <ondrej.benkovsky@jamf.com>
This commit is contained in:
Ondřej Benkovský 2021-11-23 14:03:26 +01:00 committed by GitHub
parent 5f45ace89e
commit b8439789f4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 21 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
README.md
View file

@ -201,8 +201,15 @@ https://example.org {
tls mycert mykey
}
~~~
in this setup, the CoreDNS will be responsible for TLS termination
Note that you must have the *tls* plugin configured as DoH requires that to be setup.
you can also start DNS server serving DoH without TLS termination (plain HTTP), but beware that in such scenario there has to be some kind
of TLS termination proxy before CoreDNS instance, which forwards DNS requests otherwise clients will not be able to communicate via DoH with the server
~~~ corefile
https://example.org {
whoami
}
~~~
Specifying ports works in the same way:

8
core/dnsserver/server_https.go
View file

@ -39,12 +39,12 @@ func NewServerHTTPS(addr string, group []*Config) (*ServerHTTPS, error) {
// Should we error if some configs *don't* have TLS?
tlsConfig = conf.TLSConfig
}
if tlsConfig == nil {
return nil, fmt.Errorf("DoH requires TLS to be configured, see the tls plugin")
}
// http/2 is recommended when using DoH. We need to specify it in next protos
// or the upgrade won't happen.
tlsConfig.NextProtos = []string{"h2", "http/1.1"}
if tlsConfig != nil {
tlsConfig.NextProtos = []string{"h2", "http/1.1"}
}
// Use a custom request validation func or use the standard DoH path check.
var validator func(*http.Request) bool

10
plugin/tls/README.md
View file

@ -2,7 +2,7 @@
## Name
*tls* - allows you to configure the server certificates for the TLS and gRPC servers.
*tls* - allows you to configure the server certificates for the TLS, gRPC, DoH servers.
## Description
@ -57,6 +57,14 @@ grpc://. {
}
~~~
Start a DoH server on port 443 that is similar to the previous example, but using DoH for incoming queries.
~~~
https://. {
tls cert.pem key.pem ca.pem
forward . /etc/resolv.conf
}
~~~
Only Knot DNS' `kdig` supports DNS-over-TLS queries, no command line client supports gRPC making
debugging these transports harder than it should be.