How DoH settings should work

Vladimir_Lomov · May 16, 2023, 8:07am

Hello.

I have installed and configured unbound on some of my hosts and wanted to try
DNS-over-HTTPS provided by unbound.

I figured out how to configure unbound (`interface`, `outgoing-interface` and
`access-control`) to use it on the local host and from the local network.

To use DoH, I generated a certificate for DoH and put this in `unbound.conf`:

   tls-service-key: "/etc/cert/hosts/doh.key"
   tls-service-pem: "/etc/cert/hosts/doh.crt"
   https-port: 3053

But it didn't work, when I did

$ dig +https -p 3053 @::1 google.com

I got 'connection refused'.

I re-read the documentation carefully and found the following:

https-port: <number>

   The port number on which to provide DNS-over-HTTPS service. Only interfaces
   configured with that port number as @number get the HTTPS service.

   Default: 443

If get it right, then besides these lines (example!):

   interface: ::1
   interface: 127.0.0.1

I also need these

   interface: ::1@3053
   interface: 127.0.0.1@3053

I added the appropriate lines on three hosts and now `dig +https` works! But
on the fourth host it works even without these lines! This puzzles me. The
hosts have different network settings, but the fourth host doesn't have a
public IPv6 address, only a ULA one.

So how should DoH be configured? If I change `https-port`, I MUST add
something like

   interface: ::1@PORT

or is the `https-port` setting enough?

George_Yorgos_Thessa · May 16, 2023, 10:25am

Hi Vladimir,

'https-port:' makes sure that DoH is used for listening sockets using that specific port.

In order to use the port you need to explicitly define it with 'interface:'.

The port in 'interface:' is optional and will default to 53, or the value of 'port:' if that is changed.

For example, if you set 'https-port: 53', and don't define a port in 'interface:', Unbound will only listen for DoH.

In your case with the following configuration:
     interface: ::1
     interface: 127.0.0.1
     interface: ::1@3053
     interface: 127.0.0.1@3053
     https-port: 3053

Unbound will listen for plain DNS on port 53 and for DoH on port 3053 on 127.0.0.1 and ::1.

Best regards,
-- Yorgos

Vladimir_Lomov · May 16, 2023, 12:54pm

Hello,
** George (Yorgos) Thessalonikefs via Unbound-users <unbound-users@lists.nlnetlabs.nl> [2023-05-16 12:25:50 +0200]:

Hi Vladimir,

'https-port:' makes sure that DoH is used for listening sockets using that specific port.

In order to use the port you need to explicitly define it with 'interface:'.

The port in 'interface:' is optional and will default to 53, or the value of 'port:' if that is changed.

For example, if you set 'https-port: 53', and don't define a port in 'interface:', Unbound will only listen for DoH.

In your case with the following configuration:
    interface: ::1
    interface: 127.0.0.1
    interface: ::1@3053
    interface: 127.0.0.1@3053
    https-port: 3053

Unbound will listen for plain DNS on port 53 and for DoH on port 3053 on 127.0.0.1 and ::1.

Correct me if I'm wrong, but with

   interface: ::1
   interface: 127.0.0.1
   interface: ::1@3053
   interface: 127.0.0.1@3053

and the rest set to the default the unbound will serve for DNS on 53 AND 3053
ports.

On the other hand, with

   interface: ::1
   interface: 127.0.0.1
   interface: ::1@3053
   interface: 127.0.0.1@3053
   ...
   https-port: 3053

unbound will serve DNS requests on 53 port and do DoH on 3053.

P.S. As for the problem I was worried about... I was blind, the fourth host
was running dnscrypt-proxy (thanks ss!), after I stopped it and configured
unbound like the other hosts, everything works as expected.

[...]

George_Yorgos_Thessa · May 16, 2023, 1:19pm

Hello,
** George (Yorgos) Thessalonikefs via Unbound-users <unbound-users@lists.nlnetlabs.nl> [2023-05-16 12:25:50 +0200]:

Hi Vladimir,

'https-port:' makes sure that DoH is used for listening sockets using that specific port.

In order to use the port you need to explicitly define it with 'interface:'.

The port in 'interface:' is optional and will default to 53, or the value of 'port:' if that is changed.

For example, if you set 'https-port: 53', and don't define a port in 'interface:', Unbound will only listen for DoH.

In your case with the following configuration:
interface: ::1
interface: 127.0.0.1
interface: ::1@3053
interface: 127.0.0.1@3053
https-port: 3053

Unbound will listen for plain DNS on port 53 and for DoH on port 3053 on 127.0.0.1 and ::1.

Correct me if I'm wrong, but with
   interface: ::1
   interface: 127.0.0.1
   interface: ::1@3053
   interface: 127.0.0.1@3053
and the rest set to the default the unbound will serve for DNS on 53 AND 3053
ports.

Correct, 3053 is just another port for Unbound, so plain DNS.

On the other hand, with
   interface: ::1
   interface: 127.0.0.1
   interface: ::1@3053
   interface: 127.0.0.1@3053
   ...
   https-port: 3053
unbound will serve DNS requests on 53 port and do DoH on 3053.

Indeed. Here you define port 3053 as a DoH port.

Best regards,
-- Yorgos