Testing DoH

Hi

I have a development NSD server running on Debian Trixie (using the Debian
package) with the following server section in /etc/nsd/nsd.conf:

  server:
    hide-identity: yes
    hide-version: yes
    log-only-syslog: yes
    ip-address: 81.95.52.27
    interface: 81.95.52.27@853
    tls-port: 853
    tls-service-key: /etc/nsd/dns5.webarch.org.uk.privkey.secp384r1.pem
    tls-service-pem: /etc/nsd/dns5.webarch.org.uk.pubcert.secp384r1.pem

I have used ip-address and interface rather than either using interface
twice or ip-address twice in order that the config is parsable as YAML.

Everything is fine with queries to port 53, but I'm struggling to get a
response on port 853; the server doesn't have a firewall running for
either of these two ports.

  dig @dns5.webarch.org.uk webarch.org.uk A +short
  81.95.52.56

I have installed doh-cli [1] and tried testing using that:

  doh-cli --verbose --url https://dns5.webarch.org.uk:853 webarch.org.uk A
  ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))

This fails after a while with the above error.

Is there another CLI tool that anyone would suggest I try to test the
service with, or have I not configured the server correctly, or is there
an issue with the TLS cert and key?

The cert and key are the same ones that Apache is using:

- https://www.ssllabs.com/ssltest/analyze.html?d=dns5.webarch.org.uk

All the best

Chris

[1] https://pypi.org/project/doh-cli/

Hi Chris,

   doh-cli --verbose --url https://dns5.webarch.org.uk:853 webarch.org.uk A
   ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))

This fails after a while with the above error.

Is there another CLI tool that anyone would suggest I try to test the
service with, or have I not configured the server correctly, or is there
an issue with the TLS cert and key?

You need to look at the server log, because that may reveal something such as a permissions issue, or some other conflict or mismatch. You may also want to set "verbosity: 2" to get as much detailed logging as possible from the server.

Regards,
Anand

: tls-service-key: /etc/nsd/dns5.webarch.org.uk.privkey.secp384r1.pem
: tls-service-pem: /etc/nsd/dns5.webarch.org.uk.pubcert.secp384r1.pem

Double check your key file is the correct one; it should not normally
have a .pem extension.

Hi Anand

You need to look at the server log, because that may reveal something such
as a permissions issue, or some other conflict or mismatch. You may also
want to set "verbosity: 2" to get as much detailed logging as possible from
the server.

Thanks, I have set the verbosity to 2 but nothing is being written to
/var/log/syslog (I have syslog-ng installed).

The default Debian systemd unit file,
/usr/lib/systemd/system/nsd.service doesn't have a nsd user specified:

  [Unit]
  Description=Name Server Daemon
  Documentation=man:nsd(8)
  After=network.target

  [Service]
  Type=notify
  Restart=always
  ExecStart=/usr/sbin/nsd -d -P ""
  ExecReload=+/bin/kill -HUP $MAINPID
  # CAP_NET_ADMIN and CAP_NET_RAW required for IP_TRANSPARENT
  CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
  KillMode=mixed
  MemoryDenyWriteExecute=true
  NoNewPrivileges=true
  PrivateDevices=true
  PrivateTmp=true
  ProtectHome=true
  ProtectControlGroups=true
  ProtectKernelModules=true
  ProtectKernelTunables=true
  ProtectSystem=strict
  ReadWritePaths=/var/lib/nsd /etc/nsd /run
  RuntimeDirectory=nsd
  RestrictRealtime=true
  SystemCallArchitectures=native
  SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @resources

  [Install]
  WantedBy=multi-user.target

So I was assuming that the service was running as root, and that does seem to be the case:

  systemctl show --property=User,DynamicUser,MainPID,Group nsd
  MainPID=2349
  User=
  Group=
  DynamicUser=no

However there is a nsd user and group:

  grep nsd /etc/passwd
  nsd:x:103:105::/var/lib/nsd:/usr/sbin/nologin

  grep nsd /etc/group
  nsd:x:105:

So I have chowned and chmodded the key and cert so that the nsd user can read them:

  -rw-r----- 1 root nsd 306 Nov 28 13:23 dns5.webarch.org.uk.privkey.secp384r1.pem
  -rw-r----- 1 root nsd 2.9K Nov 28 13:23 dns5.webarch.org.uk.pubcert.secp384r1.pem

I have also checked that these are the same files that Apache is using:

  diff /etc/nsd/dns5.webarch.org.uk.privkey.secp384r1.pem /etc/apache2/md/domains/dns5.webarch.org.uk/privkey.secp384r1.pem
  diff /etc/nsd/dns5.webarch.org.uk.pubcert.secp384r1.pem /etc/apache2/md/domains/dns5.webarch.org.uk/pubcert.secp384r1.pem

I have restarted the service, I have tried to test using doh-cli again and
nothing has been written to /var/log/syslog by nsd.

I'm tempted to simply give up since I'm also not sure if any service will
actually use DoH -- I only tried to enable it since it looked like an easy
option to switch on...

All the best

Chris

Hi

I have a development NSD server running on Debian Trixie (using the Debian
package) with the following server section in /etc/nsd/nsd.conf:

   server:
     hide-identity: yes
     hide-version: yes
     log-only-syslog: yes
     ip-address: 81.95.52.27
     interface: 81.95.52.27@853
     tls-port: 853
     tls-service-key: /etc/nsd/dns5.webarch.org.uk.privkey.secp384r1.pem
     tls-service-pem: /etc/nsd/dns5.webarch.org.uk.pubcert.secp384r1.pem

I have used ip-address and interface rather than either using interface
twice or ip-address twice in order that the config is parsable as YAML.

Everything is fine with queries to port 53, but I'm struggling to get a
response on port 853; the server doesn't have a firewall running for
either of these two ports.

   dig @dns5.webarch.org.uk webarch.org.uk A +short
   81.95.52.56

I have installed doh-cli [1] and tried testing using that:

   doh-cli --verbose --url https://dns5.webarch.org.uk:853 webarch.org.uk A
   ('Connection aborted.', RemoteDisconnected('Remote end closed connection without response'))

This fails after a while with the above error.

NSD does not support DoH (DNS-over-HTTPS). But it does support DoT (DNS-over-TLS), which runs indeed on port 853 normally. To check it, you could configure unbound to query your DNS server only over TLS.

Kind regards,
Wytze van der Raay
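
The point Wytze makes explains the doh-cli failure: doh-cli speaks HTTP/2 over TLS, whereas an NSD listener on 853 expects DNS-over-TLS, i.e. plain TCP DNS framing (a 2-byte length prefix before each message) inside the TLS session. The script below is an added example, not part of this thread or of the NSD project, that tests the listener the way a DoT client would: it opens TLS to port 853, sends one framed A query, and decodes the RCODE and any A records in the reply. It also includes a cert/key sanity check that loads the pair the way a TLS server would, which answers the earlier question about whether the key file is the right one (a mismatched or unreadable key shows up as an error string). It uses only the Python 3 standard library; the server name and the sample response bytes are constructed placeholders.

```python
"""Probe a DNS-over-TLS (RFC 7858) listener and sanity-check a cert/key pair.

Added example, standard library only. SERVER is a placeholder; the sample
response bytes are constructed to look like an answer for webarch.org.uk.
"""
import socket
import ssl
import struct

SERVER = "dns5.example.invalid"   # placeholder: substitute the real DoT host


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (RD set, no EDNS) for qname/qtype, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(struct.pack("!B", len(l)) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """DoT uses TCP framing: a 2-byte big-endian length precedes each message."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        ln = buf[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + ln


def parse_response(msg: bytes) -> dict:
    """Decode the header, skip the question, and collect A records from the answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    a_records = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            a_records.append(socket.inet_ntoa(rdata))
    return {"id": txid, "rcode": flags & 0x0F, "a_records": a_records}


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes or raise; a short read means the peer hung up mid-message."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TLS connection mid-message")
        buf += chunk
    return buf


def probe_dot(server: str, qname: str, port: int = 853, timeout: float = 5.0) -> dict:
    """Open TLS to server:port (validating its certificate), send one query, decode the reply."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame_tcp(build_query(qname)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_response(recv_exact(tls, length))


def check_cert_key_match(cert_path: str, key_path: str):
    """Return None if cert and key load as a pair; otherwise the error text
    (OpenSSL reports 'key values mismatch' for a wrong key, OSError for unreadable files)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_path, key_path)
    except (ssl.SSLError, OSError) as exc:
        return str(exc)
    return None


# Constructed sample reply: id 0x1234, flags 0x8180 (QR, RD, RA, NOERROR),
# one question, one answer pointing at the question name, TTL 300, A 81.95.52.56.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07webarch\x03org\x02uk\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x51\x5f\x34\x38"
)

if __name__ == "__main__":
    print("offline decode:", parse_response(SAMPLE_RESPONSE))
    print("cert/key check:", check_cert_key_match("/etc/nsd/cert.pem", "/etc/nsd/key.pem"))
    # Live probe (needs network and a real DoT host in SERVER):
    # print(probe_dot(SERVER, "webarch.org.uk"))
```

If the TLS handshake itself fails, the error from `ssl` names the cause (certificate verification, protocol version, or a reset by the server), which separates a listener problem from a certificate problem; `recv_exact` raising `ConnectionError` after a successful handshake means NSD accepted the TLS session but did not answer, which is the case to take to the server log with `verbosity: 2` as suggested earlier in the thread.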

Hi Wytze