<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Aptos;
panose-1:2 11 0 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#467886;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:8259925;
mso-list-template-ids:1248918490;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7 ;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7 ;
mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style>
</head>
<body lang="EN-CA" link="#467886" vlink="#96607D" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Hey Everyone, <br>
<br>
Need help with the COPR packages for BIND, they don’t seem to have DOH enabled / working<br>
<br>
sudo yum-config-manager --add-repo <a href="https://copr.fedorainfracloud.org/coprs/isc/bind/repo/epel-9/isc-bind-epel-9.repo">
https://copr.fedorainfracloud.org/coprs/isc/bind/repo/epel-9/isc-bind-epel-9.repo</a><br>
sudo yum --enablerepo="copr:copr.fedorainfracloud.org:isc:bind" install isc-bind-bind<br>
<br>
This is an Amazon Linux 2023 server behind a load balancer so TLS is being handled by the load balancer and the server is listening on port 80… the port seems open:<br>
<br>
[root@ip-172-31-19-151 ec2-user]# ss -tnlp | grep named<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">LISTEN 0 5 127.0.0.1:953 0.0.0.0:* users:(("named",pid=28313,fd=31))<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">LISTEN 0 5 127.0.0.1:8053 0.0.0.0:* users:(("named",pid=28313,fd=29))<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">LISTEN 0 10 172.31.19.151:80 0.0.0.0:* users:(("named",pid=28313,fd=23))<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">LISTEN 0 10 172.31.19.151:53 0.0.0.0:* users:(("named",pid=28313,fd=22))<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">LISTEN 0 10 127.0.0.1:53 0.0.0.0:* users:(("named",pid=28313,fd=18))<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">LISTEN 0 10 127.0.0.1:80 0.0.0.0:* users:(("named",pid=28313,fd=20))<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">LISTEN 0 10 [fe80::e6:80ff:fea7:1989]%enX0:53 [::]:* users:(("named",pid=28313,fd=27))<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">LISTEN 0 10 [::1]:53 [::]:* users:(("named",pid=28313,fd=25))<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">LISTEN 0 5 [::1]:953 [::]:* users:(("named",pid=28313,fd=32))<br>
<br>
<br>
named.conf:<br>
<br>
# HTTP endpoint description<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">http local-http-server {<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> # multiple paths can be specified<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> endpoints { "/dns-query"; };<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">};<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">options {<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> directory "/var/opt/isc/scls/isc-bind/named/data";<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> listen-on port 53 { 127.0.0.1; any; };<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"># listen-on-v6 port 53 { ::1; any; };<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> recursion yes;<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> allow-recursion {any;};<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> minimal-responses yes;<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> listen-on port 80 tls none http local-http-server {any;};<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"># listen-on-v6 port 80 tls none http local-http-server {any;};<br>
<br>
<br>
Should have: compiled with DNS-over-HTTPS<br>
It does not, no?<br>
<br>
/opt/isc/isc-bind/root/usr/sbin/named -V<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">BIND 9.20.7 (Stable Release) &lt;id:305df58&gt;<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">running on Linux x86_64 6.1.129-138.220.amzn2023.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Feb 25 22:18:43 UTC 2025<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/opt/isc/isc-bind/root/usr' '--exec-prefix=/opt/isc/isc-bind/root/usr'
'--bindir=/opt/isc/isc-bind/root/usr/bin' '--sbindir=/opt/isc/isc-bind/root/usr/sbin' '--sysconfdir=/etc/opt/isc/scls/isc-bind' '--datadir=/opt/isc/isc-bind/root/usr/share' '--includedir=/opt/isc/isc-bind/root/usr/include' '--libdir=/opt/isc/isc-bind/root/usr/lib64'
'--libexecdir=/opt/isc/isc-bind/root/usr/libexec' '--localstatedir=/var/opt/isc/scls/isc-bind' '--sharedstatedir=/var/opt/isc/scls/isc-bind/lib' '--mandir=/opt/isc/isc-bind/root/usr/share/man' '--infodir=/opt/isc/isc-bind/root/usr/share/info' '--enable-warn-error'
'--disable-static' '--enable-dnstap' '--enable-geoip' '--with-pic' '--with-gssapi' '--with-json-c' '--with-libxml2' '--without-lmdb' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS=-O2 -flto=auto -ffat-lto-objects
-fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2
-mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -L/opt/isc/isc-bind/root/usr/lib64'
'CPPFLAGS= -I/opt/isc/isc-bind/root/usr/include' 'LT_SYS_LIBRARY_PATH=/usr/lib64' 'PKG_CONFIG_PATH=:/opt/isc/isc-bind/root/usr/lib64/pkgconfig:/opt/isc/isc-bind/root/usr/share/pkgconfig' 'SPHINX_BUILD=/builddir/build/BUILD/bind-9.20.7/sphinx/bin/sphinx-build'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">compiled by GCC 11.5.0 20240719 (Red Hat 11.5.0-5)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">compiled with OpenSSL version: OpenSSL 3.2.2 4 Jun 2024<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">linked to OpenSSL version: OpenSSL 3.0.8 7 Feb 2023<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">compiled with libuv version: 1.49.2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">linked to libuv version: 1.49.2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">compiled with liburcu version: 0.12.1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">compiled with jemalloc version: 5.3.0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">compiled with libnghttp2 version: 1.43.0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">linked to libnghttp2 version: 1.59.0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">compiled with libxml2 version: 2.9.13<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">linked to libxml2 version: 21004<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">compiled with json-c version: 0.14<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">linked to json-c version: 0.14<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">compiled with zlib version: 1.2.11<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">linked to zlib version: 1.2.11<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">linked to maxminddb version: 1.5.2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">compiled with protobuf-c version: 1.4.1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">linked to protobuf-c version: 1.4.1<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">threads support is enabled<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">DS algorithms: SHA-1 SHA-256 SHA-384<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">TKEY mode 2 support (Diffie-Hellman): no<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">TKEY mode 3 support (GSS-API): yes<br>
<br>
<br>
[root@ip-172-31-19-151 knot-3.1.7]# curl -H 'accept: application/dns-message' -H 'content-type: application/dns-message' --data-binary @query.bin http://127.0.0.1/dns-query --output response.bin<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> % Total % Received % Xferd Average Speed Time Time Time Current<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Dload Upload Total Spent Left Speed<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">100 29 0 0 100 29 0 3622 --:--:-- --:--:-- --:--:-- 4142<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">curl: (1) Received HTTP/0.9 when not allowed<br>
<br>
[root@ip-172-31-19-151 knot-3.1.7]# curl --http0.9 -H 'accept: application/dns-message' -H 'content-type: application/dns-message' --data-binary @query.bin http://127.0.0.1/dns-query --output response.bin<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> % Total % Received % Xferd Average Speed Time Time Time Current<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> Dload Upload Total Spent Left Speed<o:p></o:p></span></p>
<p><span style="font-size:11.0pt">100 44 0 15 100 29 27027 52252 --:--:-- --:--:-- --:--:-- 44000<br>
<br>
<br>
</span>It looks like BIND is:<o:p></o:p></p>
<ul type="disc">
<li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="mso-ligatures:none">Receiving the request on port </span><span style="font-size:10.0pt;font-family:'Courier New';mso-ligatures:none">80</span><span style="mso-ligatures:none"><o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="mso-ligatures:none">But <b>not routing </b></span><b><span style="font-size:10.0pt;font-family:'Courier New';mso-ligatures:none">/dns-query</span></b><b><span style="mso-ligatures:none"> to the DNS-over-HTTPS handler</span></b><span style="mso-ligatures:none"><o:p></o:p></span></li><li class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span style="mso-ligatures:none">And instead replying with a default, empty (or internal error) response —
<i>possibly from the wrong handler entirely</i><o:p></o:p></span></li></ul>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="mso-ligatures:none">I’m guessing this is because DOH is not actually compiled into this build? These builds had DOH compiled in the past. Appreciate any insights.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
</div>
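<p class="MsoNormal"><span style="font-size:11.0pt">Added example, not part of the original message and not ISC code: BIND's DoH listener speaks HTTP/2 only, so an HTTP/1.1 client on a <b>tls none</b> port gets binary HTTP/2 frames back, which curl reports as HTTP/0.9. This sketch builds an RFC 8484 query body and checks whether the first bytes of a saved reply are an HTTP/2 SETTINGS frame. The 15-byte sample reply is constructed and the function names are hypothetical, because the contents of query.bin and response.bin are not shown.</span></p>

```python
import struct

H2_SETTINGS = 0x04  # HTTP/2 frame type SETTINGS (RFC 9113, section 6.5)

# Constructed sample, NOT taken from the post: 9-byte frame header plus one
# 6-byte setting (id 3, value 100), 15 bytes in total.
SAMPLE_REPLY = bytes.fromhex("000006" "04" "00" "00000000" "0003" "00000064")


def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Wire-format DNS query for an application/dns-message body (RFC 8484)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def classify_reply(data: bytes) -> str:
    """Guess which protocol the first bytes of a cleartext reply belong to."""
    if data.startswith(b"HTTP/1."):
        return "http/1.x"
    if len(data) >= 9:
        length = int.from_bytes(data[0:3], "big")
        frame_type = data[3]
        stream_id = int.from_bytes(data[5:9], "big") & 0x7FFFFFFF
        # A server's first HTTP/2 frame is SETTINGS on stream 0; its payload
        # is a whole number of 6-byte (id, value) pairs.
        if (frame_type == H2_SETTINGS and stream_id == 0
                and length % 6 == 0 and len(data) >= 9 + length):
            return "http/2"
    return "unknown"


def parse_settings(data: bytes) -> dict:
    """Decode the (id, value) pairs of a leading HTTP/2 SETTINGS frame."""
    length = int.from_bytes(data[0:3], "big")
    return dict(struct.iter_unpack("!HI", data[9:9 + length]))


if __name__ == "__main__":
    query = build_query("example.com")
    print(len(query), "byte query:", query.hex())
    print("reply looks like:", classify_reply(SAMPLE_REPLY))
    print("settings:", parse_settings(SAMPLE_REPLY))
```

<p class="MsoNormal"><span style="font-size:11.0pt">When a saved reply classifies as http/2, the listener needs a client that starts in cleartext HTTP/2 without an upgrade, for example curl with --http2-prior-knowledge.</span></p>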
</body>
</html>