support plain HTTP for DoH (#4997)

Signed-off-by: Ondřej Benkovský <ondrej.benkovsky@jamf.com>

support plain HTTP for DoH (#4997)
Signed-off-by: Ondřej Benkovský <ondrej.benkovsky@jamf.com>
b8439789 · Ondřej Benkovský · GitHub · 5f45ace8 · b8439789 · b8439789
Commit b8439789 authored Nov 23, 2021 by Ondřej Benkovský Committed by GitHub Nov 23, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 6 deletions

README.md README.md +8 -1

core/dnsserver/server_https.go core/dnsserver/server_https.go +4 -4

plugin/tls/README.md plugin/tls/README.md +9 -1

No files found.
--- a/README.md
+++ b/README.md
@@ -201,8 +201,15 @@ https://example.org {
    tls mycert mykey
 }
 ~~~
+in this setup, the CoreDNS will be responsible for TLS termination

-Note that you must have the *tls* plugin configured as DoH requires that to be setup.
+you can also start DNS server serving DoH without TLS termination (plain HTTP), but beware that in such scenario there has to be some kind
+of TLS termination proxy before CoreDNS instance, which forwards DNS requests otherwise clients will not be able to communicate via DoH with the server
+~~~ corefile
+https://example.org {
+    whoami
+}
+~~~

 Specifying ports works in the same way:


--- a/core/dnsserver/server_https.go
+++ b/core/dnsserver/server_https.go
@@ -39,12 +39,12 @@ func NewServerHTTPS(addr string, group []*Config) (*ServerHTTPS, error) {
 		// Should we error if some configs *don't* have TLS?
 		tlsConfig = conf.TLSConfig
 	}
-	if tlsConfig == nil {
-		return nil, fmt.Errorf("DoH requires TLS to be configured, see the tls plugin")
-	}
+
 	// http/2 is recommended when using DoH. We need to specify it in next protos
 	// or the upgrade won't happen.
-	tlsConfig.NextProtos = []string{"h2", "http/1.1"}
+	if tlsConfig != nil {
+		tlsConfig.NextProtos = []string{"h2", "http/1.1"}
+	}

 	// Use a custom request validation func or use the standard DoH path check.
 	var validator func(*http.Request) bool

--- a/plugin/tls/README.md
+++ b/plugin/tls/README.md
@@ -2,7 +2,7 @@

 ## Name

-*tls* - allows you to configure the server certificates for the TLS and gRPC servers.
+*tls* - allows you to configure the server certificates for the TLS, gRPC, DoH servers.

 ## Description

@@ -57,6 +57,14 @@ grpc://. {
 }
 ~~~

+Start a DoH server on port 443 that is similar to the previous example, but using DoH for incoming queries.
+~~~
+https://. {
+	tls cert.pem key.pem ca.pem
+	forward . /etc/resolv.conf
+}
+~~~
+
 Only Knot DNS' `kdig` supports DNS-over-TLS queries, no command line client supports gRPC making
 debugging these transports harder than it should be.