Hi,
You would have additional difficulties since after the TLS handshake DoT
would expect DNS data and DoH would expect HTTP data.
Best regards,
-- Yorgos
On 06/01/2024 19:51, ch--- via Unbound-users wrote:
I have a working unbound server that answers DoH queries on tcp 443.
I use a letsencrypt SSL certificate and it passes properly with both
curl and firefox.
I was curious if I could query the exact same server with a DoT client:
# kdig -d @doh.mydomain.com:443 +tls-ca cnn.com
;; DEBUG: Querying for owner(cnn.com.), class(1), type(1),
server(doh.mydomain.com), port(443), protocol(TCP)
;; DEBUG: TLS, imported 145 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, CN=mydomain.com
;; DEBUG: SHA-256 PIN: XzzPRPTjAqSgKmDsYY/Oxxxxxxxxxx68Bldoxxxxxxxx
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The certificate issuer is
unknown.
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; ERROR: failed to query server doh.mydomain.com@443(TCP)
So I can create a DoT query over port 443 and it appears this would work
but ... a TLS handshake failure ...
Is this just a problem specific to letsencrypt and this portion of the
error:
;; DEBUG: TLS, imported 145 system certificates
Or will I have additional difficulties in trying to answer *both* DoH
and DoT over port 443 from the same unbound instance ?
Thanks.