Hey Everyone, Need help with the COPR packages for BIND, they don’t seem to have DOH enabled / working
sudo yum-config-manager --add-repo https://copr.fedorainfracloud.org/coprs/isc/bind/repo/epel-9/isc-bind-epel-9.repo
sudo yum --enablerepo="copr:copr.fedorainfracloud.org:isc:bind" install isc-bind-bind

This is an Amazon Linux 2023 server behind a load balancer, so TLS is being handled by the load balancer and the server is listening on port 80... The port seems open:

[root@ip-172-31-19-151 ec2-user]# ss -tnlp | grep named
LISTEN 0 5  127.0.0.1:953                     0.0.0.0:* users:(("named",pid=28313,fd=31))
LISTEN 0 5  127.0.0.1:8053                    0.0.0.0:* users:(("named",pid=28313,fd=29))
LISTEN 0 10 172.31.19.151:80                  0.0.0.0:* users:(("named",pid=28313,fd=23))
LISTEN 0 10 172.31.19.151:53                  0.0.0.0:* users:(("named",pid=28313,fd=22))
LISTEN 0 10 127.0.0.1:53                      0.0.0.0:* users:(("named",pid=28313,fd=18))
LISTEN 0 10 127.0.0.1:80                      0.0.0.0:* users:(("named",pid=28313,fd=20))
LISTEN 0 10 [fe80::e6:80ff:fea7:1989]%enX0:53 [::]:*    users:(("named",pid=28313,fd=27))
LISTEN 0 10 [::1]:53                          [::]:*    users:(("named",pid=28313,fd=25))
LISTEN 0 5  [::1]:953                         [::]:*    users:(("named",pid=28313,fd=32))

named.conf:

# HTTP endpoint description
http local-http-server {
    # multiple paths can be specified
    endpoints { "/dns-query"; };
};

options {
    directory "/var/opt/isc/scls/isc-bind/named/data";
    listen-on port 53 { 127.0.0.1; any; };
    # listen-on-v6 port 53 { ::1; any; };
    recursion yes;
    allow-recursion { any; };
    minimal-responses yes;
    listen-on port 80 tls none http local-http-server { any; };
    # listen-on-v6 port 80 tls none http local-http-server { any; };

Should have: "compiled with DNS-over-HTTPS". It does not, no?

/opt/isc/isc-bind/root/usr/sbin/named -V
BIND 9.20.7 (Stable Release) <id:305df58>
running on Linux x86_64 6.1.129-138.220.amzn2023.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Feb 25 22:18:43 UTC 2025
built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/opt/isc/isc-bind/root/usr' '--exec-prefix=/opt/isc/isc-bind/root/usr' '--bindir=/opt/isc/isc-bind/root/usr/bin' '--sbindir=/opt/isc/isc-bind/root/usr/sbin' '--sysconfdir=/etc/opt/isc/scls/isc-bind' '--datadir=/opt/isc/isc-bind/root/usr/share' '--includedir=/opt/isc/isc-bind/root/usr/include' '--libdir=/opt/isc/isc-bind/root/usr/lib64' '--libexecdir=/opt/isc/isc-bind/root/usr/libexec' '--localstatedir=/var/opt/isc/scls/isc-bind' '--sharedstatedir=/var/opt/isc/scls/isc-bind/lib' '--mandir=/opt/isc/isc-bind/root/usr/share/man' '--infodir=/opt/isc/isc-bind/root/usr/share/info' '--enable-warn-error' '--disable-static' '--enable-dnstap' '--enable-geoip' '--with-pic' '--with-gssapi' '--with-json-c' '--with-libxml2' '--without-lmdb' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -L/opt/isc/isc-bind/root/usr/lib64' 'CPPFLAGS= -I/opt/isc/isc-bind/root/usr/include' 'LT_SYS_LIBRARY_PATH=/usr/lib64' 'PKG_CONFIG_PATH=:/opt/isc/isc-bind/root/usr/lib64/pkgconfig:/opt/isc/isc-bind/root/usr/share/pkgconfig' 'SPHINX_BUILD=/builddir/build/BUILD/bind-9.20.7/sphinx/bin/sphinx-build'
compiled by GCC 11.5.0 20240719 (Red Hat 11.5.0-5)
compiled with OpenSSL version: OpenSSL 3.2.2 4 Jun 2024
linked to OpenSSL version: OpenSSL 3.0.8 7 Feb 2023
compiled with libuv version: 1.49.2
linked to libuv version: 1.49.2
compiled with liburcu version: 0.12.1
compiled with jemalloc version: 5.3.0
compiled with libnghttp2 version: 1.43.0
linked to libnghttp2 version: 1.59.0
compiled with libxml2 version: 2.9.13
linked to libxml2 version: 21004
compiled with json-c version: 0.14
linked to json-c version: 0.14
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
linked to maxminddb version: 1.5.2
compiled with protobuf-c version: 1.4.1
linked to protobuf-c version: 1.4.1
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): no
TKEY mode 3 support (GSS-API): yes

[root@ip-172-31-19-151 knot-3.1.7]# curl -H 'accept: application/dns-message' -H 'content-type: application/dns-message' --data-binary @query.bin http://127.0.0.1/dns-query --output response.bin
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    29    0     0  100    29      0   3622 --:--:-- --:--:-- --:--:--  4142
curl: (1) Received HTTP/0.9 when not allowed

[root@ip-172-31-19-151 knot-3.1.7]# curl --http0.9 -H 'accept: application/dns-message' -H 'content-type: application/dns-message' --data-binary @query.bin http://127.0.0.1/dns-query --output response.bin
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    44    0    15  100    29  27027  52252 --:--:-- --:--:-- --:--:-- 44000

It looks like BIND is:
* Receiving the request on port 80
* But not routing /dns-query to the DNS-over-HTTPS handler
* And instead replying with a default, empty (or internal error) response — possibly from the wrong handler entirely

I'm guessing this is because DOH is not actually compiled into this build? These builds had DOH compiled in the past; appreciate any insights.
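The curl probe above, rewritten as an added Python diagnostic (not part of the original post and not ISC code): it builds the wire-format query itself, POSTs it to a plain-HTTP /dns-query endpoint like the one configured here (TLS terminated upstream), and reports where the reply deviates from RFC 8484, including the non-HTTP reply that curl reports as "HTTP/0.9". The endpoint URL and query name are assumed placeholders.

```python
import http.client
import struct
import urllib.error
import urllib.request

def build_query(name: str, qtype: int = 1, qid: int = 0) -> bytes:
    """Wire-format DNS query: 12-byte header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(data: bytes) -> dict:
    """Decode the DNS header; ValueError if the body cannot be a DNS message."""
    if len(data) < 12:
        raise ValueError("body too short to be a DNS message")
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}

def diagnose(status: int, ctype: str, body: bytes) -> list:
    """List RFC 8484 conformance problems in a DoH reply (empty list means OK)."""
    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}, expected 200")
    if ctype.split(";")[0].strip() != "application/dns-message":
        problems.append(f"content-type {ctype!r}, expected application/dns-message")
    try:
        if not parse_header(body)["is_response"]:
            problems.append("QR bit clear: body is not a DNS response")
    except ValueError as exc:
        problems.append(str(exc))
    return problems

def check_doh(url: str, name: str = "example.com.", timeout: float = 5.0) -> list:
    """POST a query to an assumed URL such as http://127.0.0.1/dns-query and diagnose the reply."""
    req = urllib.request.Request(url, data=build_query(name), method="POST",
                                 headers={"accept": "application/dns-message",
                                          "content-type": "application/dns-message"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return diagnose(resp.status, resp.headers.get("content-type", ""), resp.read())
    except urllib.error.HTTPError as err:  # non-2xx replies still carry headers and a body
        return diagnose(err.code, err.headers.get("content-type", ""), err.read())
    except http.client.HTTPException as err:  # no valid status line: curl's "HTTP/0.9" case
        return [f"server did not send a valid HTTP response: {err!r}"]
```

Run check_doh("http://127.0.0.1/dns-query") on the host; an empty list means the endpoint answered as a DoH server should, while a single "did not send a valid HTTP response" entry reproduces the curl failure shown above.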