Can unbound answer both DoH and DoT on the same port ?

user3 · January 6, 2024, 6:51pm

I have a working unbound server that answers DoH queries on tcp 443.

I use a letsencrypt SSL certificate and it passes properly with both curl and firefox.

I was curious if I could query the exact same server with a DoT client:

# kdig -d @doh.mydomain.com:443 +tls-ca cnn.com

;; DEBUG: Querying for owner(cnn.com.), class(1), type(1), server(doh.mydomain.com), port(443), protocol(TCP)
;; DEBUG: TLS, imported 145 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, CN=mydomain.com
;; DEBUG: SHA-256 PIN: XzzPRPTjAqSgKmDsYY/Oxxxxxxxxxx68Bldoxxxxxxxx
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The certificate issuer is unknown.
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; ERROR: failed to query server doh.mydomain.com@443(TCP)

So I can create a DoT query over port 443 and it appears this would work but ... a TLS handshake failure ...

Is this just a problem specific to letsencrypt and this portion of the error:

;; DEBUG: TLS, imported 145 system certificates

Or will I have additional difficulties in trying to answer *both* DoH and DoT over port 443 from the same unbound instance ?

Thanks.

Yorgos · January 8, 2024, 10:59am

Hi,

You would have additional difficulties since after the TLS handshake DoT would expect DNS data and DoH would expect HTTP data.

Best regards,
-- Yorgos

user3 · January 11, 2024, 6:22pm

I guess that is part of my question ...

I wonder if unbound is flexible enough to discern that a request is either DoH or DoT and then answer with the matching protocol ?

Is that a silly idea ?

Thank you.

Peter_Hessler · January 11, 2024, 6:26pm

:
:> You would have additional difficulties since after the TLS handshake DoT
:> would expect DNS data and DoH would expect HTTP data.
:
:
:I guess that is part of my question ...
:
:I wonder if unbound is flexible enough to discern that a request is either
:DoH or DoT and then answer with the matching protocol ?
:
:Is that a silly idea ?
:
:
:Thank you.
:

That isn't possible. The clients would expect different behaviour than
what the server is providing.

Not to mention, the clients would be connecting to different ports.
DoT uses 853, and DoH uses 443.

Philip · January 11, 2024, 7:58pm

In theory it should be possible to run DoT and DoH on the same port. The reason is that HTTP/2 requires an ALPN with the string 'h2'. The DoT RFC does not require a specific ALPN. But this should be enough. If the ALPN is h2, the server uses HTTP/2, for anything else, the server does DoT.

Note that at this time, unbound does not do this. However some proxies may be able to split TLS traffic based on ALPN.