Nreal (Apprentice)
Joined: 06 Jan 2009, Posts: 289
Posted: Wed Nov 20, 2024 7:29 am    Post subject: Unbound 1.20 & 1.22 is there http support?
### Subject: Help with Apache Proxy for DNS-over-HTTPS and Unbound Configuration Issue
Hi,
I'm trying to set up **DNS-over-HTTPS (DoH)** with **Unbound** and **Apache Proxy** on my Gentoo system, but I've encountered several issues.
#### My Setup:
1. **Gentoo** Linux system using **Apache 2.4.62** with the following `APACHE2_MODULES` enabled:
```
proxy proxy_http proxy_http2 rewrite ssl
```
2. **Unbound 1.22.0** installed with the following USE flags:
```
http2 ssl threads
```
3. Apache is configured as a reverse proxy to pass `/dns-query` requests to Unbound on port 8053.
#### Issues:
1. **Unbound Configuration Problem:**
When I try to add `http-port: 8053` to my `/etc/unbound/unbound.conf`, Unbound fails to start with the following error:
```
/etc/unbound/unbound.conf: error: unknown keyword 'http-port'
```
This suggests that Unbound does not support HTTP endpoints in my build, even though the `http2` USE flag is enabled.
2. **Apache Proxy Issue:**
Without `http-port` support in Unbound, I cannot verify whether Apache is correctly forwarding `/dns-query` requests. When I use `curl` to send a test request, it hangs or returns a 404 error:
```
curl -H "Content-Type: application/dns-message" --data-binary @query.bin https://dns.kuleksii.com/dns-query
```
#### Questions:
1. Is the `http-port` feature disabled by default in Gentoo's Unbound package, even with the `http2` USE flag enabled? Do I need to manually recompile Unbound to enable DNS-over-HTTPS support?
2. If the Gentoo package does not support DNS-over-HTTPS natively, is Apache Proxy a viable alternative for passing requests to Unbound, and how should it be configured in this case?
Any guidance on configuring Apache Proxy for DoH with Unbound or enabling HTTP support in Unbound would be greatly appreciated!
Thanks in advance for your help!
```
# equery uses net-dns/unbound
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for net-dns/unbound-1.22.0:
 U I
 + + abi_x86_32                      : 32-bit (x86) libraries
 - - debug                           : Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see
                                       https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
 + + dnscrypt                        : Enable DNSCrypt support
 + + dnstap                          : Enable dnstap support
 + + ecdsa                           : Enable ECDSA support
 - - ecs                             : Enable EDNS client subnet support
 - - gost                            : Enable GOST support
 + + http2                           : Enable HTTP/2 support for DoH (net-libs/nghttp2)
 + + python                          : Add optional support/bindings for the Python language
 - - python_single_target_python3_10 : Build for Python 3.10 only
 + + python_single_target_python3_11 : Build for Python 3.11 only
 - - python_single_target_python3_12 : Build for Python 3.12 only
 - - redis                           : Enable cache db backend which uses dev-libs/hiredis
 - - static-libs                     : Build static versions of dynamic libraries as well
 - - systemd                         : Enable use of systemd-specific libraries and features like socket activation or session tracking
 - - test                            : Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
 + + tfo                             : Enable TCP Fast Open client+server
 + + threads                         : Add threads support for various packages. Usually pthreads
 + + verify-sig                      : Verify upstream signatures on distfiles
```
```
# unbound -h | grep -i http
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues
```
```
# emerge --info
Portage 3.0.66.1 (python 3.13.0-final-0, default/linux/amd64/23.0/split-usr/desktop, gcc-13, glibc-2.40-r5, 6.12.0-gentoo x86_64)
=================================================================
System uname: Linux-6.12.0-gentoo-x86_64-Intel-R-_Xeon-R-_CPU_E5-2699A_v4_@_2.40GHz-with-glibc2.40
KiB Mem: 263973384 total, 230765916 free
KiB Swap: 76137464 total, 76137464 free
Timestamp of repository gentoo: Tue, 19 Nov 2024 15:00:00 +0000
Head commit of repository gentoo: 5cedf200f6b56c1a58b384069e95e50e441ff84a
Head commit of repository brave-overlay: 6a67124032b662bedc2a2858ce2f925639feab64
Timestamp of repository guru: Tue, 19 Nov 2024 20:33:14 +0000
Head commit of repository guru: 98b9e50ae3824286333f2dd865d31e7486d73d54
Timestamp of repository src_prepare-overlay: Tue, 19 Nov 2024 05:03:39 +0000
Head commit of repository src_prepare-overlay: fb9414f7b3e42a5b1651e543e5f7b8c6a8a4c5a6
Timestamp of repository steam-overlay: Sun, 17 Nov 2024 05:33:32 +0000
Head commit of repository steam-overlay: 443e064b607a92dbad15243732698edc0b411b43
Timestamp of repository xira: Sun, 17 Nov 2024 05:33:42 +0000
Head commit of repository xira: 615b15b8407323a1c38cecec004b1ef6696f8c89
sh bash 5.2_p37
ld GNU ld (Gentoo 2.42 p6) 2.42.0
ccache version 4.10.2 [enabled]
app-misc/pax-utils: 1.3.7::gentoo
app-shells/bash: 5.2_p37::gentoo
dev-build/autoconf: 2.13-r8::gentoo, 2.72-r1::gentoo
dev-build/automake: 1.16.5-r2::gentoo
dev-build/cmake: 3.30.5::gentoo
dev-build/libtool: 2.4.7-r4::gentoo
dev-build/make: 4.4.1-r100::gentoo
dev-build/meson: 1.5.2::gentoo
dev-java/java-config: 2.3.4::gentoo
dev-lang/perl: 5.40.0::gentoo
dev-lang/python: 3.10.15_p2::gentoo, 3.11.10_p1::gentoo, 3.12.7_p1::gentoo, 3.13.0::gentoo
dev-lang/rust: 1.77.1-r100::gentoo, 1.79.0-r100::gentoo, 1.81.0-r100::gentoo
dev-lang/rust-bin: 1.77.1-r100::gentoo, 1.79.0-r100::gentoo, 1.81.0-r100::gentoo
dev-util/ccache: 4.10.2-r1::gentoo
sys-apps/baselayout: 2.17::gentoo
sys-apps/openrc: 0.54.2::gentoo
sys-apps/sandbox: 2.39::gentoo
sys-devel/binutils: 2.42-r2::gentoo
sys-devel/binutils-config: 5.5.2::gentoo
sys-devel/clang: 18.1.8::gentoo
sys-devel/gcc: 12.5.9999::gentoo, 13.3.1_p20241025::gentoo
sys-devel/gcc-config: 2.11::gentoo
sys-devel/lld: 18.1.8::gentoo
sys-devel/llvm: 18.1.8-r1::gentoo
sys-kernel/linux-headers: 6.6-r1::gentoo (virtual/os-headers)
sys-libs/glibc: 2.40-r5::gentoo
Repositories:
gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    volatile: False
    sync-rsync-verify-jobs: 1
    sync-rsync-extra-opts:
    sync-rsync-verify-max-age: 3
    sync-rsync-verify-metamanifest: yes
brave-overlay
    location: /var/db/repos/brave-overlay
    sync-type: git
    sync-uri: https://gitlab.com/jason.oliveira/brave-overlay.git
    masters: gentoo
    volatile: False
guru
    location: /var/db/repos/guru
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/guru.git
    masters: gentoo
    volatile: False
src_prepare-overlay
    location: /var/db/repos/src_prepare-overlay
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/src_prepare-overlay.git
    masters: gentoo
    volatile: False
steam-overlay
    location: /var/db/repos/steam-overlay
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/steam-overlay.git
    masters: gentoo
    volatile: False
xira
    location: /var/db/repos/xira
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/xira.git
    masters: gentoo
    volatile: False
Binary Repositories:
gentoobinhost
    priority: 1
    sync-uri: https://gentoo.osuosl.org/releases/amd64/binpackages/17.1/x86-64
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php8.1/ext-active/ /etc/php/apache2-php8.2/ext-active/ /etc/php/apache2-php8.3/ext-active/ /etc/php/cgi-php8.1/ext-active/ /etc/php/cgi-php8.2/ext-active/ /etc/php/cgi-php8.3/ext-active/ /etc/php/cli-php8.1/ext-active/ /etc/php/cli-php8.2/ext-active/ /etc/php/cli-php8.3/ext-active/ /etc/php/fpm-php8.1/ext-active/ /etc/php/fpm-php8.2/ext-active/ /etc/php/fpm-php8.3/ext-active/ /etc/php/phpdbg-php8.1/ext-active/ /etc/php/phpdbg-php8.2/ext-active/ /etc/php/phpdbg-php8.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/var/cache/distfiles"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GDK_PIXBUF_MODULE_FILE GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR XDG_STATE_HOME"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg-live ccache config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync merge-wait multilib-strict network-sandbox news parallel-fetch pid-sandbox pkgdir-index-trusted preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-backup unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://ftp.agdsn.de/gentoo https://ftp.agdsn.de/gentoo rsync://ftp.agdsn.de/gentoo https://mirror.yandex.ru/gentoo-distfiles/ http://mirror.yandex.ru/gentoo-distfiles/ ftp://mirror.yandex.ru/gentoo-distfiles/ https://ftp.lysator.liu.se/gentoo/"
LANG="C.UTF8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-z,pack-relative-relocs"
LEX="flex"
LINGUAS="fi en"
MAKEOPTS="-j72"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
SHELL="/bin/bash"
USE="X a52 aac access_compat acl acpi activities addressbook alsa amd64 animation-rtl apache aptx asis auth_digest auth_form authn_dbd authn_socache authz_dbd base berkdb blueray bluetooth bluray branding brave brotli bzip2 cache_disk cache_socache cairo caja cdda cddb cdr cern_meta cet cgi cgrypt charset_lite color-management colord corefonts cron crypt cue cups custom-modes d3d9 dbd dbus declarative discid dns dri dts dumpio dvd dvdr egl elogind encode exif extra extras fastcgi fdk ffmpeg fileinfo fingerprints firefox flac freeimage ftp fullscreen gdbm geoip geolocation gif gimp git gles2 gnuplot gphoto2 gpm gps graphite graphviz grimshot grub gstreamer gtk gui handbrake haptic hcitop hddtemp hpijs hplip http i18n icons iconv icu ident imagemagick imagemap inspector intel ipv6 jack java javascript joystick jpeg jpeg2 jpeg2k jpg kde kernel-install kf6compat lame lcms lensfun libav-aac libnotify libtirpc lm-sensors lvm lzip lzma lzo mad marble mate matroska minizip mmap mms mng mono mount mp3 mp4 mpeg mpg123 mplayer mtp multilib musicbrainz mypaint-brush-engine mysql mysqli ncurses networkmanager nls numa nvenc nvidia ocr odbc ofono ogg openal opencl opengl openmp opus oss pam pango panorama pcre pdf perl php png policykit positioning postproc postscript ppds pulseaudio python qml qrcode qt5 qt6 qtdiag qtmedia qtplugininfo raw rdp readline rss rustfmt scanner scp sdl seccomp semantic-desktop server sockets sound spell split-usr spyder ssl startup-notification static-ppds streamtuner svg swig szip tcl test-rust themes theora tiff tray truetype twolame udev udisks unicode upower usb vhosts vlc vorbis vpx vulkan wallpapers wavpack waydroid wayland webkit webp wifi wxwidgets x264 x265 xattr xcb xft xine xml xpm xv xvfb xvid xwayland zip zlib zstd" ABI_X86="64 32" ADA_TARGET="gcc_12" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_anon authn_dbm authn_file authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias proxy_html xml2enc proxy_wstunnel proxy proxy_connect http2 proxy_http proxy_http2 rewrite access_compat userdir" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 f16c fma3 mmx mmxext pclmul popcnt rdrand sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax navcom oceanserver oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 tsip tripmate tnt ublox" GRUB_PLATFORMS="efi-64" GUILE_SINGLE_TARGET="3-0" GUILE_TARGETS="3-0" INPUT_DEVICES="libinput synaptics evdev joystick" KERNEL="linux" L10N="fi en en-GB en-US" LCD_DEVICES="bayrad cfontz glk hd44780 lb216 lcdm001 mtxorb text" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php8-3 php8-2" POSTGRES_TARGETS="postgres16" PYTHON_SINGLE_TARGET="python3_11" PYTHON_TARGETS="python3_13 python3_12 python3_11 python3_10 python2_7" RUBY_TARGETS="ruby32" VIDEO_CARDS="i915 intel nvidia vmware" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipp2p iface geoip fuzzy condition tarpit sysrq proto logmark ipmark dhcpmac delude chaos account"
Unset: ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EMERGE_DEFAULT_OPTS, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LC_ALL, LD, LFLAGS, LIBTOOL, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PYTHONPATH, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS
```
```
[ebuild   R   ~] net-dns/unbound-1.22.0:0/8::gentoo  USE="dnscrypt dnstap ecdsa http2 python tfo threads verify-sig -debug -ecs -gost -redis (-selinux) -static-libs -systemd -test" ABI_X86="32 (64) (-x32)" PYTHON_SINGLE_TARGET="python3_11 -python3_10 -python3_12" 0 KiB
```
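The `curl` test in the post above posts a pre-built `query.bin` that the thread never shows how to make, and the loopback test later in the thread falls back to `-k`, which turns certificate checking off. The script below is an added example, not code from the thread or from Unbound or Apache: it builds a minimal RFC 8484 query in portable shell, produces the base64url form for the GET variant, sends either one, and reads the RCODE and answer count out of whatever comes back so that a 404 page or a TLS error is not mistaken for a DNS answer. The endpoint URL and hostname are placeholders; `od`, `base64` and `curl` are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): build, send and decode a DoH test query.
# Assumptions: POSIX sh with od, base64 and curl; the endpoint URL is a placeholder.
set -eu

# Encode a name such as "example.com" as DNS wire-format labels (length byte
# followed by the label), as hex, terminated by the root label 0x00.
dns_name_hex() {
    name=$1 hex=""
    old_ifs=$IFS; IFS=.
    for label in $name; do
        hex="$hex$(printf '%02x' "${#label}")$(printf '%s' "$label" | od -An -tx1 | tr -d ' \n')"
    done
    IFS=$old_ifs
    printf '%s00' "$hex"
}

# Minimal query as hex: ID 0 (RFC 8484 section 4.1 recommends 0 so caches can
# match requests), RD set, QDCOUNT 1, then QNAME, QTYPE (A=1 unless given), QCLASS IN.
dns_query_hex() {
    printf '000001000001000000000000'
    dns_name_hex "$1"
    printf '%04x0001' "${2:-1}"
}

# Write a hex string as raw bytes to stdout, using octal escapes so it also
# works in shells whose printf lacks \x (redirect to a file: NUL bytes do not
# survive $(...) capture).
hex_to_bin() {
    hex=$1
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}
        hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done
}

# GET form of RFC 8484: base64url without padding.
base64url_file() {
    base64 < "$1" | tr -d '\n=' | tr '+/' '-_'
}

# RCODE is the low nibble of header byte 3; ANCOUNT is the big-endian word at bytes 6-7.
rcode_of() { echo $(( $(od -An -tu1 -j3 -N1 "$1") & 15 )); }
ancount_of() {
    set -- $(od -An -tu1 -j6 -N2 "$1")
    echo $(( $1 * 256 + $2 ))
}

# Print status and, if the body is a DNS message, decode it; anything else
# (an HTML error page, for instance) was answered by something other than the resolver.
report() {   # report LABEL "STATUS CONTENT-TYPE" RESPONSE-FILE
    echo "$1 -> HTTP $2"
    case $2 in
        200*application/dns-message*) echo "  rcode=$(rcode_of "$3") answers=$(ancount_of "$3")" ;;
        *) echo "  not a DoH answer; first bytes of body:"; head -c 200 "$3"; echo ;;
    esac
    rm -f "$3"
}

doh_post() {   # doh_post URL QUERY.BIN
    resp=$(mktemp)
    status=$(curl -sS --http2 -o "$resp" -w '%{http_code} %{content_type}' \
        -H 'Content-Type: application/dns-message' \
        -H 'Accept: application/dns-message' \
        --data-binary @"$2" "$1")
    report "POST $1" "$status" "$resp"
}

doh_get() {    # doh_get URL QUERY.BIN
    resp=$(mktemp)
    status=$(curl -sS --http2 -o "$resp" -w '%{http_code} %{content_type}' \
        -H 'Accept: application/dns-message' "$1?dns=$(base64url_file "$2")")
    report "GET $1" "$status" "$resp"
}

# Usage: doh_check.sh https://dns.example.com/dns-query [name]   (URL is a placeholder)
if [ $# -ge 1 ]; then
    q=$(mktemp)
    hex_to_bin "$(dns_query_hex "${2:-example.com}")" > "$q"
    doh_post "$1" "$q"
    doh_get "$1" "$q"
    rm -f "$q"
fi
```

Against the Apache front end run it with the public URL. To test Unbound directly on the loopback without `-k`, keep the real hostname in the URL and add `--resolve dns.example.com:8053:127.0.0.1` to the `curl` calls so the certificate is still validated; if `http-notls-downstream: yes` is set, Unbound expects plaintext HTTP/2, which `curl` reaches with `--http2-prior-knowledge` on an `http://` URL. A body with `Content-Type: text/html` and the `Apache Server at ... Port 443` footer, as in the 404 shown later in the thread, is Apache's own error page, so that request was never proxied.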
flexibeast (Guru)
Joined: 04 Apr 2022, Posts: 473, Location: Naarm/Melbourne, Australia
Nreal (Apprentice)
Joined: 06 Jan 2009, Posts: 289
Posted: Wed Nov 20, 2024 11:00 am
Unbound works, but not with HTTP. (wwww is not the real domain.)
```
# curl -k -H "Content-Type: application/dns-message" --data-binary @query.bin https://127.0.0.1:8053/dns-query
curl: (16) Error in the HTTP2 framing layer
```
```
# curl -k -H "Content-Type: application/dns-message" --data-binary @query.bin https://dns.wwwww.com/dns-query
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache Server at dns.wwwww.com Port 443</address>
</body></html>
```
```
<VirtualHost *:80>
    ServerName dns.wwwww.com
    DocumentRoot /var/www/htdocs/dns.wwwww.com/
    ErrorLog /var/log/apache2/dns.wwwww.com-error.log
    CustomLog /var/log/apache2/dns.wwwww.com-access.log combined
    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
    ServerName dns.wwwww.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/dns.wwwww.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/dns.wwwww.com/privkey.pem
    SSLProtocol TLSv1.2 TLSv1.3
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5:!DSS
    SSLUseStapling On
    Protocols h2 http/1.1
    ProxyPass /dns-query https://127.0.0.1:8053/dns-query
    ProxyPassReverse /dns-query https://127.0.0.1:8053/dns-query
    <Location "/dns-query">
        ProxyPreserveHost On
        Require all granted
    </Location>
    ErrorLog /var/log/apache2/dns.wwwww.com-ssl-error.log
    CustomLog /var/log/apache2/dns.wwwww.com-ssl-access.log combined
</VirtualHost>
```
```
# grep -v -E '^\s*#|^\s*$' /etc/unbound/unbound.conf
server:
    verbosity: 5
    do-udp: yes
    do-tcp: yes
    access-control: 127.0.0.1/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 allow
    access-control: ::/0 allow
    access-control: 0.0.0.0/0 allow
    logfile: "/var/log/unbound.log"
    log-queries: yes
    do-not-query-localhost: no
    tls-service-key: "/etc/unbound/ssl/privkey.pem"
    tls-port: 853
    https-port: 8053
    tls-service-pem: "/etc/unbound/ssl/fullchain.pem"
    http-endpoint: "/dns-query"
    http-query-buffer-size: 4m
    http-response-buffer-size: 4m
    http-notls-downstream: no
python:
dynlib:
remote-control:
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@53
server:
    interface: 0.0.0.0@853
    interface: 0.0.0.0@8053
    interface: ::0@8053
    interface: 127.0.0.1@8053
```
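Two things in the configuration above work against each other. Unbound's DoH listener speaks HTTP/2 only (that is what the `http2` USE flag and its nghttp2 dependency are for), while `ProxyPass /dns-query https://127.0.0.1:8053/dns-query` is handled by mod_proxy_http, which talks HTTP/1.1 to its backend; the h2 and h2c backend schemes come from mod_proxy_http2, which is already in this build's `APACHE2_MODULES`. Separately, `access-control: 0.0.0.0/0 allow` together with `interface: 0.0.0.0@853` and `0.0.0.0@8053` offers the resolver to anyone who can reach those ports, and for the proxied path `access-control` cannot help at all, because Unbound then only ever sees connections from 127.0.0.1. The script below is an added example, not from the thread or from either project: it renders a loopback-only h2c Unbound listener and the matching Apache vhost, and runs `unbound-checkconf` and `apache2ctl -t` when they are present. The hostname, certificate paths, client range and output paths are assumptions to be replaced.

```shell
#!/bin/sh
# Added example (not from the thread): render and validate the two config fragments
# that put Unbound's DoH listener behind an Apache reverse proxy over loopback h2c.
# Hostname, certificate paths, client range and output paths are assumptions.
set -eu

DOH_HOST=${DOH_HOST:-dns.example.com}                            # placeholder name
CERT_DIR=${CERT_DIR:-/etc/letsencrypt/live/$DOH_HOST}            # assumed cert location
CLIENT_RANGE=${CLIENT_RANGE:-203.0.113.0/24}                     # assumed: who may use the resolver
UNBOUND_CONF=${UNBOUND_CONF:-/etc/unbound/doh.conf}              # assumed; include: it from unbound.conf
APACHE_VHOST=${APACHE_VHOST:-/etc/apache2/vhosts.d/20_doh.conf}  # assumed vhost path

unbound_doh_conf() {
cat <<EOF
server:
    # The keyword is https-port (there is no http-port); an interface bound on
    # that port number is served as DoH at http-endpoint. Only the local proxy
    # talks to this listener, so it stays on loopback and speaks plaintext
    # HTTP/2 (h2c) via http-notls-downstream, which needs no key or cert here.
    interface: 127.0.0.1@8053
    https-port: 8053
    http-endpoint: "/dns-query"
    http-notls-downstream: yes
    # Behind the proxy every query arrives from 127.0.0.1, so access-control
    # cannot tell clients apart: allow loopback, refuse everything else, and do
    # the real client access control in Apache.
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
EOF
}

apache_doh_vhost() {
cat <<EOF
<VirtualHost *:443>
    ServerName ${DOH_HOST}
    SSLEngine on
    SSLCertificateFile ${CERT_DIR}/fullchain.pem
    SSLCertificateKeyFile ${CERT_DIR}/privkey.pem
    SSLProtocol TLSv1.2 TLSv1.3
    Protocols h2 http/1.1
    # Unbound's DoH listener is HTTP/2 only. mod_proxy_http (http:// and https://
    # backends) speaks HTTP/1.1 to the backend, so the scheme must be h2c from
    # mod_proxy_http2. Plaintext on loopback also means no SSLProxyEngine and no
    # certificate-name mismatch against 127.0.0.1.
    ProxyPass /dns-query h2c://127.0.0.1:8053/dns-query
    <Location "/dns-query">
        # Client access control belongs here: Unbound only ever sees the proxy.
        Require ip ${CLIENT_RANGE}
    </Location>
    ErrorLog /var/log/apache2/${DOH_HOST}-ssl-error.log
    CustomLog /var/log/apache2/${DOH_HOST}-ssl-access.log combined
</VirtualHost>
EOF
}

# Write both files, then run whichever syntax checkers are installed.
install_configs() {
    unbound_doh_conf > "$UNBOUND_CONF"
    apache_doh_vhost > "$APACHE_VHOST"
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$UNBOUND_CONF"
    fi
    for ctl in apache2ctl apachectl; do
        if command -v "$ctl" >/dev/null 2>&1; then
            "$ctl" -t
            "$ctl" -M 2>/dev/null | grep -q proxy_http2 \
                || echo "warning: mod_proxy_http2 is not loaded; h2c:// backends will not work" >&2
            break
        fi
    done
}

# Dry run prints both fragments; DOH_APPLY=1 writes and validates them.
if [ "${DOH_APPLY:-0}" = 1 ]; then
    install_configs
else
    unbound_doh_conf
    echo
    apache_doh_vhost
fi
```

Pull the Unbound fragment in with `include: "/etc/unbound/doh.conf"` from `unbound.conf` (the existing DoT listener on 853 is untouched by it), reload both daemons, and confirm with `apache2ctl -M` that `proxy_http2_module` is actually loaded, since having it in `APACHE2_MODULES` only builds it. If the resolver is meant to be public, `Require all granted` replaces the `Require ip` line, but then the Apache vhost is the only place rate limiting or client restrictions can be applied, because Unbound behind the proxy never sees the client address.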