Opening DoH 443/TCP without opening 443/UDP

Hi, I have an Unbound resolver serving standard DNS over 53/UDP and 53/TCP.

It also serves DNS-over-HTTPS queries over 443/TCP by way of this instruction:
interface: 2603:1c78:b7fa:b2df:8fad:3f52:0955:d930@443

In this configuration, standard DNS is still served over 443/UDP, despite 443/TCP not serving standard DNS. Is there any way to close 443/UDP without disabling anything else or invoking a firewall rule?

Thanks,
Dominic.
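The situation described above (an interface bound to the https-port is meant for DoH over TCP, yet a plain Do53 socket is also opened on the same port over UDP) can be checked from the outside by comparing the resolver's listen configuration with what is actually bound. The script below is an added example for this thread, not Unbound's own code and not the fix from the commit discussed later: it parses the listen-related `unbound.conf` directives, parses `ss -lntu`-style output, and reports any https-port or tls-port interface that also has a UDP socket, unless that port is also the `quic-port` (DoQ is UDP and encrypted itself). The config and the socket listings are constructed sample input; the assumption that an unset `quic-port` means no DoQ is the script's, not something stated in the thread.

```python
"""Check an Unbound resolver for plaintext UDP listeners on ports meant for
encrypted transports (DoH on https-port, DoT on tls-port).

Added example for this thread; it is not Unbound's own code.  Inputs are
constructed: a small unbound.conf and `ss -lntu`-style listings.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class UnboundListenConfig:
    port: int = 53                    # "port:" directive (Unbound default 53)
    https_port: int = 443             # "https-port:" (Unbound default 443)
    tls_port: int = 853               # "tls-port:" (Unbound default 853)
    quic_port: Optional[int] = None   # "quic-port:" (assumed unset unless DoQ is configured)
    interfaces: List[Tuple[str, int]] = field(default_factory=list)


def parse_unbound_conf(text: str) -> UnboundListenConfig:
    """Pick out the listen-related directives; everything else is ignored."""
    cfg = UnboundListenConfig()
    raw_ifaces = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (s.strip().strip('"') for s in line.split(":", 1))
        if key == "port":
            cfg.port = int(value)
        elif key == "https-port":
            cfg.https_port = int(value)
        elif key == "tls-port":
            cfg.tls_port = int(value)
        elif key == "quic-port":
            cfg.quic_port = int(value)
        elif key == "interface":
            raw_ifaces.append(value)
    # "interface: IP@port" binds that port; a bare IP uses the "port:" value,
    # so interfaces are resolved only after the whole file has been read.
    for value in raw_ifaces:
        ip, sep, port_s = value.rpartition("@")
        cfg.interfaces.append((ip, int(port_s)) if sep else (value, cfg.port))
    return cfg


_SS_ROW = re.compile(r"^(udp|tcp)\s+\S+\s+\d+\s+\d+\s+(\S+)")


def parse_ss_listeners(text: str) -> Set[Tuple[str, str, int]]:
    """Return {(proto, local_address, port)} from `ss -lntu`-style output."""
    listeners = set()
    for line in text.splitlines():
        m = _SS_ROW.match(line.strip())
        if not m:
            continue
        addr, _, port_s = m.group(2).rpartition(":")
        listeners.add((m.group(1), addr.strip("[]"), int(port_s)))
    return listeners


def _binds(listener_addr: str, ip) -> bool:
    """Wildcard sockets cover every address; otherwise compare normalised IPs
    (ss prints compressed IPv6, the config may not)."""
    if listener_addr in ("*", "::", "0.0.0.0"):
        return True
    try:
        return ipaddress.ip_address(listener_addr.split("%", 1)[0]) == ip
    except ValueError:
        return False


def audit_listeners(cfg: UnboundListenConfig, listeners) -> List[str]:
    """Flag encrypted-transport ports that also have a UDP socket bound.

    UDP on https-port/tls-port is plaintext Do53 unless that port is also
    the quic-port."""
    encrypted = {cfg.https_port: "DoH", cfg.tls_port: "DoT"}
    findings = []
    for ip_s, port in cfg.interfaces:
        if port not in encrypted or port == cfg.quic_port:
            continue
        ip = ipaddress.ip_address(ip_s)
        if any(proto == "udp" and p == port and _binds(a, ip) for proto, a, p in listeners):
            findings.append(
                f"[{ip}]:{port} serves {encrypted[port]} over TCP but also has a UDP "
                f"listener, so plaintext Do53 is reachable on the encrypted port")
    return findings


# Constructed inputs, not taken from the thread's real server.
SAMPLE_CONF = """
server:
    interface: 2603:1c78:b7fa:b2df:8fad:3f52:0955:d930       # Do53 on port 53
    interface: 2603:1c78:b7fa:b2df:8fad:3f52:0955:d930@443   # DoH (https-port default)
    tls-service-key: "/etc/unbound/doh.key"
    tls-service-pem: "/etc/unbound/doh.pem"
"""
SS_BEFORE_FIX = """\
Netid State  Recv-Q Send-Q                          Local Address:Port Peer Address:Port
udp   UNCONN 0      0      [2603:1c78:b7fa:b2df:8fad:3f52:955:d930]:53             [::]:*
udp   UNCONN 0      0      [2603:1c78:b7fa:b2df:8fad:3f52:955:d930]:443            [::]:*
tcp   LISTEN 0      256    [2603:1c78:b7fa:b2df:8fad:3f52:955:d930]:53             [::]:*
tcp   LISTEN 0      256    [2603:1c78:b7fa:b2df:8fad:3f52:955:d930]:443            [::]:*
"""
# Constructed: what the same host looks like once UDP 443 is no longer opened.
SS_AFTER_FIX = """\
Netid State  Recv-Q Send-Q                          Local Address:Port Peer Address:Port
udp   UNCONN 0      0      [2603:1c78:b7fa:b2df:8fad:3f52:955:d930]:53             [::]:*
tcp   LISTEN 0      256    [2603:1c78:b7fa:b2df:8fad:3f52:955:d930]:53             [::]:*
tcp   LISTEN 0      256    [2603:1c78:b7fa:b2df:8fad:3f52:955:d930]:443            [::]:*
"""

if __name__ == "__main__":
    cfg = parse_unbound_conf(SAMPLE_CONF)
    for label, ss_out in (("before", SS_BEFORE_FIX), ("after", SS_AFTER_FIX)):
        print(label, audit_listeners(cfg, parse_ss_listeners(ss_out)) or ["clean"])
```

On a real host, feed the script the actual `unbound.conf` and the output of `ss -lntu` instead of the constructed strings; a finding on the https-port or tls-port means a client can still send unencrypted queries there over UDP, which is exactly the case the thread is about.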

Hi Dominic,

This wasn't possible, as you may need, for example, to listen on both UDP and TCP on port 53.

However, I think that for encrypted channels on single transport protocols, like your example, it is not desirable to have both encrypted and unencrypted traffic on the same port.

https://github.com/NLnetLabs/unbound/commit/f822042cd027d380a5050a48c7ac1c5073dbaad5 solves that specifically for encrypted transports: if one of DoT, DoH or DoQ is used on the interface, the other transport will only allow encrypted variants as well.

For your example, only DoQ is allowed to open UDP next to DoH.

Best regards,
-- Yorgos

Hi Yorgos,

Thank you for making the commit, I agree with your reasoning.

Kind regards,
Dominic.

Hello Yorgos,

could you please consider porting that patch to NSD? If DoT is configured on port 853 (TCP), Do53 is possible via UDP, which is unexpected.

Andreas

posted to the wrong (old) address of nsd-users, now to the correct list address ...

Hi Andreas,

The change is now merged.
tls-port implicitly turns off listening on UDP on that same port.

https://github.com/NLnetLabs/nsd/pull/428

Best regards,
-- Yorgos