DNS-over-HTTP Issue

Ondřej Surý ondrej at isc.org
Mon Aug 4 17:12:56 UTC 2025


Your DNS client needs to use HTTP/2-without-TLS, not plain HTTP/1.
--
Ondřej Surý — ISC (He/Him)

> On 4. 8. 2025, at 18:53, Metin Akin <admin at metinakin.net> wrote:
> 
> 
> Hi all,
> 
> I'm trying to configure the internetsystemsconsortium/bind9:9.21 Docker image to act as a recursive DNS-over-HTTP server, as a backend to another frontend application that handles all of the HTTPS work from the client, but I couldn't make the server work properly even when making direct requests.
> I activated port 553 to test it as a regular DNS handler and it works, but the DNS-over-HTTP feature does not work over port 8080. I'm sending a GET request in RFC 8484 format like this:
> 
> curl -H "Content-Type: application/dns-message" 'http://<MY_SERVER_IP>:8080/dns-query?dns=qqoBAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE'
> This returns "curl: (1) Received HTTP/0.9 when not allowed"
> 
> When I try this one:
> curl -H "Content-Type: application/dns-message" 'http://<MY_SERVER_IP>:8080/dns-query?dns=qqoBAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE' --http0.9 --output -
> This returns d%
> 
> I have this named.conf file:
> 
> acl allowed_clients {
>   <MY_IP>/32;
> };
> 
> http doh {
>   endpoints { "/dns-query"; };
> };
> 
> options {
>   directory "/var/cache/bind";
> 
>   interface-interval 0;
> 
>   listen-on port 553 { any; };
> 
>   listen-on port 8080 tls none http doh { any; };
> 
>   allow-query { allowed_clients; };
>   allow-transfer { none; };
>   allow-notify { none; };
>   allow-update { none; };
>   allow-recursion { allowed_clients; };
> 
>   recursion yes;
> 
>   auth-nxdomain no;
> 
>   dnssec-validation no;
> };
> 
> logging{
>   channel simple_log {
>     stderr;
>     severity info;
>     print-time yes;
>     print-severity yes;
>     print-category yes;
>   };
>   category default{
>     simple_log;
>   };
> };
> 
> 
> Looking forward to your reply and thank you very much for your help in advance!
> Metin
> 
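The point made in the reply, as an added example that is not part of the original thread and not ISC's code: it decodes the `dns=` value from the post to confirm the RFC 8484 payload is well formed (so the failure lies in the transport), then builds a curl line that uses curl's `--http2-prior-knowledge` option to speak HTTP/2 over cleartext. The function names are hypothetical, and the `accept` header is the one RFC 8484 specifies for GET.

```python
import base64
import struct

# The dns= value from the post (RFC 8484 GET form).
POSTED = "qqoBAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE"

def encode_dns_param(wire: bytes) -> str:
    """base64url-encode a DNS message and strip '=' padding (RFC 8484)."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")

def decode_dns_param(param: str) -> bytes:
    """Re-add the stripped padding, then decode back to DNS wire format."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))

def build_query(name: str, qtype: int = 1, msg_id: int = 0) -> bytes:
    """Single-question query, class IN, RD set (flags 0x0100)."""
    header = struct.pack("!6H", msg_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)

def parse_question(wire: bytes) -> dict:
    """Parse the header and first question; reject truncated or compressed input."""
    if len(wire) < 12:
        raise ValueError("shorter than a DNS header")
    msg_id, flags, qdcount = struct.unpack("!3H", wire[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while pos < len(wire) and wire[pos] != 0:
        length = wire[pos]
        if length > 63:
            raise ValueError("compression pointer in a query name")
        labels.append(wire[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    if len(wire) < pos + 5:
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!2H", wire[pos + 1:pos + 5])
    return {"id": msg_id, "rd": bool(flags & 0x0100),
            "name": ".".join(labels), "qtype": qtype, "qclass": qclass}

def curl_command(host: str, port: int, param: str, path: str = "/dns-query") -> str:
    """curl invocation that talks HTTP/2 without TLS to a 'tls none' listener."""
    return ("curl --http2-prior-knowledge -H 'accept: application/dns-message' "
            f"'http://{host}:{port}{path}?dns={param}' --output -")

if __name__ == "__main__":
    print(parse_question(decode_dns_param(POSTED)))
    print(curl_command("<MY_SERVER_IP>", 8080, POSTED))
```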