-rw-r--r--  README.md                        |  9
-rw-r--r--  core/dnsserver/server_https.go   |  8
-rw-r--r--  plugin/tls/README.md             | 10
3 files changed, 21 insertions, 6 deletions
diff --git a/README.md b/README.md
index 96305aa39..2a5d57c48 100644
--- a/README.md
+++ b/README.md
@@ -201,8 +201,15 @@ https://example.org {
tls mycert mykey
}
~~~
+in this setup, the CoreDNS will be responsible for TLS termination
-Note that you must have the *tls* plugin configured as DoH requires that to be setup.
+you can also start DNS server serving DoH without TLS termination (plain HTTP), but beware that in such scenario there has to be some kind
+of TLS termination proxy before CoreDNS instance, which forwards DNS requests otherwise clients will not be able to communicate via DoH with the server
+~~~ corefile
+https://example.org {
+ whoami
+}
+~~~
Specifying ports works in the same way:
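Review bot: the added paragraph (`+in this setup, the CoreDNS will be responsible for TLS termination` through `+of TLS termination proxy before CoreDNS instance, ...`) needs copy-editing before it lands: both sentences start in lowercase, neither ends with a full stop, and the second is a run-on. It should also say plainly what the plain-HTTP mode implies, since the removed line used to make TLS a hard requirement: the hop between the terminating proxy and CoreDNS carries DNS queries unencrypted, and the proxy must be the only path to that listener. Suggested wording: "In this setup CoreDNS terminates TLS itself. You can also serve DoH over plain HTTP, but then a TLS-terminating proxy must sit in front of CoreDNS and forward the DoH requests to it; clients cannot speak DoH to a plain-HTTP listener directly, and the proxy-to-CoreDNS hop is unencrypted."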
diff --git a/core/dnsserver/server_https.go b/core/dnsserver/server_https.go
index 5962a5f09..b8bdbc66d 100644
--- a/core/dnsserver/server_https.go
+++ b/core/dnsserver/server_https.go
@@ -39,12 +39,12 @@ func NewServerHTTPS(addr string, group []*Config) (*ServerHTTPS, error) {
// Should we error if some configs *don't* have TLS?
tlsConfig = conf.TLSConfig
}
- if tlsConfig == nil {
- return nil, fmt.Errorf("DoH requires TLS to be configured, see the tls plugin")
- }
+
// http/2 is recommended when using DoH. We need to specify it in next protos
// or the upgrade won't happen.
- tlsConfig.NextProtos = []string{"h2", "http/1.1"}
+ if tlsConfig != nil {
+ tlsConfig.NextProtos = []string{"h2", "http/1.1"}
+ }
// Use a custom request validation func or use the standard DoH path check.
var validator func(*http.Request) bool
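Review bot: removing the `if tlsConfig == nil` error turns a hard failure into a silent fallback: an `https://` server block with no `tls` directive now starts a plaintext DoH listener instead of refusing to start. That is the intended feature, but the operator gets no signal that TLS is absent, so add a warning log in the nil case alongside the new `if tlsConfig != nil` guard (something like "DoH server on %s started without TLS; a TLS-terminating proxy is required"), so a forgotten `tls` line is visible at startup rather than discovered later. Please also confirm that the serve path, which is outside this hunk, tolerates a nil `TLSConfig` (serving plain HTTP rather than calling a TLS listener with a nil config), since this constructor was previously the only thing preventing that.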
diff --git a/plugin/tls/README.md b/plugin/tls/README.md
index da33c0951..9d945b83e 100644
--- a/plugin/tls/README.md
+++ b/plugin/tls/README.md
@@ -2,7 +2,7 @@
## Name
-*tls* - allows you to configure the server certificates for the TLS and gRPC servers.
+*tls* - allows you to configure the server certificates for the TLS, gRPC, DoH servers.
## Description
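Review bot: the new Name line reads "TLS, gRPC, DoH servers"; write "TLS, gRPC, and DoH servers" so the list reads grammatically and matches the style of the rest of the README.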
@@ -57,6 +57,14 @@ grpc://. {
}
~~~
+Start a DoH server on port 443 that is similar to the previous example, but using DoH for incoming queries.
+~~~
+https://. {
+ tls cert.pem key.pem ca.pem
+ forward . /etc/resolv.conf
+}
+~~~
+
Only Knot DNS' `kdig` supports DNS-over-TLS queries, no command line client supports gRPC making
debugging these transports harder than it should be.
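Review bot: the new `https://.` example uses a bare `~~~` fence while the DoH example added to the top-level README in this same commit uses `~~~ corefile`; pick one tag and use it in both places. The description should also mention what the third `tls` argument does here: this example passes `ca.pem`, and if that argument enables client-certificate verification as documented for this plugin, a reader who copies the block gets a DoH server that rejects ordinary DoH clients (browsers and stub resolvers do not present a client certificate), so either drop `ca.pem` from the example or state that it turns on mutual TLS.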