Help with ISC-BIND 9.20.7 COPR package DOH support

Robert Paolucci robert.paolucci at cujo.com
Fri Mar 21 17:26:36 UTC 2025


Hey Everyone,

I need help with the COPR packages for BIND; they don't seem to have DOH enabled or working.

sudo yum-config-manager --add-repo https://copr.fedorainfracloud.org/coprs/isc/bind/repo/epel-9/isc-bind-epel-9.repo
sudo yum --enablerepo="copr:copr.fedorainfracloud.org:isc:bind" install isc-bind-bind

This is an Amazon Linux 2023 server behind a load balancer so TLS is being handled by the load balancer and the server is listening on port 80… the port seems open:

[root@ip-172-31-19-151 ec2-user]# ss -tnlp | grep named
LISTEN 0   5              127.0.0.1:953    0.0.0.0:*  users:(("named",pid=28313,fd=31))
LISTEN 0   5              127.0.0.1:8053   0.0.0.0:*  users:(("named",pid=28313,fd=29))
LISTEN 0   10           172.31.19.151:80    0.0.0.0:*  users:(("named",pid=28313,fd=23))
LISTEN 0   10           172.31.19.151:53    0.0.0.0:*  users:(("named",pid=28313,fd=22))
LISTEN 0   10             127.0.0.1:53    0.0.0.0:*  users:(("named",pid=28313,fd=18))
LISTEN 0   10             127.0.0.1:80    0.0.0.0:*  users:(("named",pid=28313,fd=20))
LISTEN 0   10   [fe80::e6:80ff:fea7:1989]%enX0:53      [::]:*  users:(("named",pid=28313,fd=27))
LISTEN 0   10               [::1]:53      [::]:*  users:(("named",pid=28313,fd=25))
LISTEN 0   5                [::1]:953     [::]:*  users:(("named",pid=28313,fd=32))


named.conf:

# HTTP endpoint description

http local-http-server {
    # multiple paths can be specified
    endpoints { "/dns-query";  };
};

options {
    directory "/var/opt/isc/scls/isc-bind/named/data";
    listen-on port 53 { 127.0.0.1; any; };
#   listen-on-v6 port 53 { ::1; any; };
    recursion yes;
    allow-recursion {any;};
    minimal-responses yes;

    listen-on port 80 tls none http local-http-server {any;};
#   listen-on-v6 port 80 tls none http local-http-server {any;};


It should show: compiled with DNS-over-HTTPS
It does not, no?

/opt/isc/isc-bind/root/usr/sbin/named -V
BIND 9.20.7 (Stable Release) <id:305df58>
running on Linux x86_64 6.1.129-138.220.amzn2023.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Feb 25 22:18:43 UTC 2025
built by make with  '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/opt/isc/isc-bind/root/usr' '--exec-prefix=/opt/isc/isc-bind/root/usr' '--bindir=/opt/isc/isc-bind/root/usr/bin' '--sbindir=/opt/isc/isc-bind/root/usr/sbin' '--sysconfdir=/etc/opt/isc/scls/isc-bind' '--datadir=/opt/isc/isc-bind/root/usr/share' '--includedir=/opt/isc/isc-bind/root/usr/include' '--libdir=/opt/isc/isc-bind/root/usr/lib64' '--libexecdir=/opt/isc/isc-bind/root/usr/libexec' '--localstatedir=/var/opt/isc/scls/isc-bind' '--sharedstatedir=/var/opt/isc/scls/isc-bind/lib' '--mandir=/opt/isc/isc-bind/root/usr/share/man' '--infodir=/opt/isc/isc-bind/root/usr/share/info' '--enable-warn-error' '--disable-static' '--enable-dnstap' '--enable-geoip' '--with-pic' '--with-gssapi' '--with-json-c' '--with-libxml2' '--without-lmdb' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -L/opt/isc/isc-bind/root/usr/lib64' 'CPPFLAGS= -I/opt/isc/isc-bind/root/usr/include' 'LT_SYS_LIBRARY_PATH=/usr/lib64' 'PKG_CONFIG_PATH=:/opt/isc/isc-bind/root/usr/lib64/pkgconfig:/opt/isc/isc-bind/root/usr/share/pkgconfig' 'SPHINX_BUILD=/builddir/build/BUILD/bind-9.20.7/sphinx/bin/sphinx-build'
compiled by GCC 11.5.0 20240719 (Red Hat 11.5.0-5)
compiled with OpenSSL version: OpenSSL 3.2.2 4 Jun 2024
linked to OpenSSL version: OpenSSL 3.0.8 7 Feb 2023
compiled with libuv version: 1.49.2
linked to libuv version: 1.49.2
compiled with liburcu version: 0.12.1
compiled with jemalloc version: 5.3.0
compiled with libnghttp2 version: 1.43.0
linked to libnghttp2 version: 1.59.0
compiled with libxml2 version: 2.9.13
linked to libxml2 version: 21004
compiled with json-c version: 0.14
linked to json-c version: 0.14
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
compiled with protobuf-c version: 1.4.1
linked to protobuf-c version: 1.4.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): no
TKEY mode 3 support (GSS-API): yes


[root@ip-172-31-19-151 knot-3.1.7]# curl -H 'accept: application/dns-message' -H 'content-type: application/dns-message' --data-binary @query.bin http://127.0.0.1/dns-query --output response.bin
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    29    0     0  100    29      0   3622 --:--:-- --:--:-- --:--:--  4142
curl: (1) Received HTTP/0.9 when not allowed

[root@ip-172-31-19-151 knot-3.1.7]# curl --http0.9 -H 'accept: application/dns-message' -H 'content-type: application/dns-message' --data-binary @query.bin http://127.0.0.1/dns-query --output response.bin
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

100    44    0    15  100    29  27027  52252 --:--:-- --:--:-- --:--:-- 44000


It looks like BIND is:

  *   Receiving the request on port 80
  *   But not routing /dns-query to the DNS-over-HTTPS handler
  *   And instead replying with a default, empty (or internal error) response — possibly from the wrong handler entirely
I'm guessing this is because DOH is not actually compiled into this build? These builds had DOH compiled in in the past; I appreciate any insights.


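A small Python diagnostic for the probe above, added here and not part of the poster's message or of BIND: it builds a wire-format query like query.bin (an A query for example.com comes out at 29 bytes, the upload size curl reports) and classifies the bytes a port-80 listener returns, separating a proper DoH HTTP response from raw DNS wire bytes, since any reply that does not start with an HTTP status line is what curl calls "HTTP/0.9". The host, port and path passed to `probe()` are assumptions; the builder and classifier run offline.

```python
"""Classify what a port-80 listener returns to a DoH POST (added example)."""
import socket
import struct


def build_dns_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Wire-format DNS query (RFC 1035 header + question), as in query.bin."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def classify_reply(reply: bytes, query: bytes) -> str:
    """Tell a real DoH answer from raw DNS bytes (curl's 'HTTP/0.9' symptom)."""
    if reply.startswith(b"HTTP/1.") and b"\r\n\r\n" in reply:
        head, _, body = reply.partition(b"\r\n\r\n")
        if b"application/dns-message" in head.lower() and len(body) >= 12:
            return "doh-http-response"
        return "http-response-without-dns-body"
    # DNS-over-TCP framing: 2-byte length, then a message echoing our ID
    if len(reply) >= 14:
        (length,) = struct.unpack("!H", reply[:2])
        if length == len(reply) - 2 and reply[2:4] == query[:2]:
            return "raw-dns-over-tcp"
    # Bare DNS message with our ID and the QR bit set, no HTTP framing at all
    if len(reply) >= 12 and reply[:2] == query[:2] and reply[2] & 0x80:
        return "raw-dns-message"
    return "unknown"


def probe(host: str, port: int, query: bytes, path: str = "/dns-query") -> bytes:
    """POST the query over plain HTTP/1.1, as the load-balanced setup expects."""
    request = (
        f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(query)}\r\nConnection: close\r\n\r\n"
    ).encode() + query
    chunks = []
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)
```

Against a live server, `classify_reply(probe("127.0.0.1", 80, q), q)` returning anything other than "doh-http-response" means the listener is not answering as a DoH endpoint, whatever the `ss` output says about port 80.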
