Yesterday, on IETF 101 hackathon day 1, I made a proof of concept DNS-over-HTTPS server. Today I worked on separating it from my prototyping repository, documenting it, and knocking out some interoperability bugs.
doh101 vs doh-proxy
Yesterday’s problem with the
turned out to be very simple: my server only did HTTP/1.1 whereas
doh-proxy only does HTTP/2. The simple fix was to enable HTTP/2: I
http2 to the
listen ssl line in my
doh101 vs Firefox
I could see Firefox making its initial probe query to check that my
server worked, after which Firefox clearly decided that my server was
broken. After some experimentation with Firefox debugging telemetry,
and cURL tracing mode, and fiddling with my code to make sure it was
doing the right thing with
Content-Length etc. I noticed that I was
sending the response with
ngx.say() instead of
appends a newline, so I had a byte of stray garbage after my DNS
Once I fixed that, Firefox was happy! It’s useful to have such a pedantic client to test against :-)
doh101 vs HTTP
It became clear yesterday that the current DoH draft is a bit unclear about the dividing line between the DNS part and the HTTP part. I wasn't the only person that noticed this lacuna: on the way into London this morning I wrote up some notes on error handling in DNS over HTTPS, and by the time I was ready to send my notes to the list I found that Ted Hardie and Patrick McManus had already started discussing the topic. I think my notes had some usefully concrete suggestions.
Still to do
The second item on yesterday's TODO list was to improve the connection handling on the back end of my DoH proxy. I did not make any progress on that today; at the moment I don't know if it is worth spending more time on this code, or whether it would be better to drop to C and help to make an even more light-weight NGINX DoH module.