Hi, BIND 9 DoH implementation always uses HTTP/2, so you can't talk to it via HTTP/0.9, so your proxy balancer needs to talk HTTP/2.

curl --http2-prior-knowledge -v -H 'accept: application/dns-message' 'http://172.23.0.2:80/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB'

should work if I am reading the curl man page correctly (I don't have bind with doh no-tls here)

dig +http-plain @172.23.0.2

will definitely work.

Ondřej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

> On 1. 1. 2024, at 13:35, r1wcp42w--- via bind-users <bind-users@lists.isc.org> wrote:
>
> Hello,
>
> Hope you are having a great day.
>
> I am trying to setup a BIND9 DNS over HTTP (DoH but in plain HTTP) server
> with the ubuntu/bind9:latest docker image behind a HTTPS load balancer
> however I am unable to perform any DNS query with the newly installed BIND9
> server (not through the load balancer).
>
> I am getting the following when I try to perform the query:
>
>> ➜ curl -v -H 'accept: application/dns-message' 'http://172.23.0.2:80/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB'
>> * Trying 172.23.0.2:80...
>> * Connected to 172.23.0.2 (172.23.0.2) port 80
>> > GET /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB HTTP/1.1
>> > Host: 172.23.0.2
>> > User-Agent: curl/8.5.0
>> > accept: application/dns-message
>> * Received HTTP/0.9 when not allowed
>> * Closing connection
>> curl: (1) Received HTTP/0.9 when not allowed
>
> and here is my named.conf.options
>
>> options {
>>     directory "/var/cache/bind";
>>     // If there is a firewall between you and nameservers you want
>>     // to talk to, you may need to fix the firewall to allow multiple
>>     // ports to talk. See http://psrp.bbqporkmccity.com/vye5rn/iw5hSZ1O
>>     // If your ISP provided one or more IP addresses for stable
>>     // nameservers, you probably want to use them as forwarders.
>>     // Uncomment the following block, and insert the addresses replacing
>>     // the all-0's placeholder.
>>     // forwarders {
>>     //     0.0.0.0;
>>     // };
>>
>>     //========================================================================
>>     // If BIND logs error messages about the root key being expired,
>>     // you will need to update your keys. See http://psrp.bbqporkmccity.com/vye5rn/nH13n27l
>>     //========================================================================
>>     dnssec-validation auto;
>>     listen-on-v6 { any; };
>>     // Custom Options From Here
>>     allow-query { any;};
>>     allow-transfer { none; };
>>     listen-on port 53 { any; };
>>     listen-on port 80 tls none http default { any; };
>> };
>
> Am I doing something wrong?
>
> Thank you very much and I am looking forward to a solution.
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
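
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not BIND or curl code: curl reports "Received HTTP/0.9" when a reply does not begin with an HTTP/1.x status line, and the sketch below classifies the first bytes on each side of a cleartext connection. The sample bytes are constructed, and it is an assumption here that an HTTP/2-only listener opens with a SETTINGS frame.

```python
import struct

# RFC 9113 client connection preface: an HTTP/2 prior-knowledge client sends
# these 24 bytes first; an HTTP/1.1 request line in their place is an error.
H2_CLIENT_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
H2_FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x3: "RST_STREAM",
                  0x4: "SETTINGS", 0x6: "PING", 0x7: "GOAWAY",
                  0x8: "WINDOW_UPDATE"}

# Constructed samples (not captured from a real server).
REQ_HTTP11 = b"GET /dns-query?dns=AAAB HTTP/1.1\r\nHost: 172.23.0.2\r\n\r\n"
REPLY_H2 = bytes.fromhex("000006040000000000" "000300000064")  # SETTINGS frame
REPLY_HTTP11 = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def client_speaks_h2_prior_knowledge(first_bytes):
    """True if the client opened with the HTTP/2 connection preface."""
    return first_bytes.startswith(H2_CLIENT_PREFACE)


def parse_h2_frame_header(buf):
    """Return (length, type_name, flags, stream_id), or None if buf is not
    a plausible 9-byte HTTP/2 frame header."""
    if len(buf) < 9:
        return None
    hi, lo, ftype, flags, sid = struct.unpack(">BHBBI", buf[:9])
    name = H2_FRAME_TYPES.get(ftype)
    if name is None:
        return None
    return ((hi << 16) | lo, name, flags, sid & 0x7FFFFFFF)


def classify_reply(buf):
    """Guess what a cleartext listener speaks from its first reply bytes."""
    if buf.startswith(b"HTTP/1."):
        return "http/1.x"
    hdr = parse_h2_frame_header(buf)
    # A server's first frame is SETTINGS on stream 0 with 6-byte entries.
    if hdr and hdr[1] == "SETTINGS" and hdr[3] == 0 and hdr[0] % 6 == 0:
        return "h2c"
    return "unknown"


if __name__ == "__main__":
    print("client sent h2 preface:", client_speaks_h2_prior_knowledge(REQ_HTTP11))
    for name, reply in (("h2 sample", REPLY_H2), ("http/1.1 sample", REPLY_HTTP11)):
        print(name, "->", classify_reply(reply))
```
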