Package: unbound
Version: 1.22.0-2
Severity: normal
Forwarding DoT (DNS over TLS) to port 853 and serving DoH (DNS over HTTPS) works,
unless https-port is set to 853.
How to reproduce?
1. Have an appropriate certificate, and the following configuration file:

    # cat /etc/unbound/unbound.conf.d/listening_doh_at_port_854_and_forwarding_dot_at_port_853.conf
    server:
        chroot: ""
        directory: "/etc/unbound"
        do-daemonize: no
        interface: lo@53
        interface: lo@854
        https-port: 854
        tls-service-key: "doh.key"
        tls-service-pem: "doh.pem"
        tls-system-cert: yes
    forward-zone:
        forward-addr: 9.9.9.9@853#dns.quad9.net
        forward-addr: 1.1.1.1@853#cloudflare-dns.com
        forward-tcp-upstream: yes
        forward-tls-upstream: yes
        name: "."
2. Restart unbound.
3. Test. For example with
$ dig @localhost -p 854 +https cnn.com a
it is working.
4. But when changing the configuration file to have

        interface: lo@853
        https-port: 853

   and restarting unbound, unbound fails.
$ dig @localhost -p 853 +https cnn.com a
;; communications error to ::1#853: timed out
;; communications error to ::1#853: timed out
;; communications error to ::1#853: timed out
;; communications error to 127.0.0.1#853: timed out
; <<>> DiG 9.20.11-4-Debian <<>> @localhost -p 853 +https cnn.com a
; (2 servers found)
;; global options: +cmd
;; no servers could be reached
It is not a network issue because the results are consistent over time.
Resolution succeeds with the 854 settings and fails with the 853 settings. In
addition, with both the 853 and the 854 setting, the above configuration file can
still do DoT forwarding; for example,
    $ dig @localhost cnn.com a
always works.
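A check I would run over such a configuration before filing or triaging this report is below. It is an added example, not unbound's code or the reporter's: it reads the minimal server: keys used above and reports any interface port that is claimed by both the DoT service (tls-port, which unbound documents as defaulting to 853) and the DoH service (https-port). That the 853 failure is caused by this overlap is an assumption, not something the report establishes; the sample configurations are constructed.

```python
"""Flag an unbound listener port claimed by both tls-port and https-port.
Added example (not unbound's own code). The reading that a shared port makes
the service ambiguous is an assumption; the defaults are from unbound.conf(5)."""
import re

TLS_PORT_DEFAULT = 853    # documented unbound default for tls-port
HTTPS_PORT_DEFAULT = 443  # documented unbound default for https-port


def parse_server(conf: str) -> dict:
    """Collect interface ports, tls-port and https-port from the server: clause."""
    out = {"interfaces": [], "tls-port": TLS_PORT_DEFAULT, "https-port": HTTPS_PORT_DEFAULT}
    in_server = False
    for raw in conf.splitlines():
        # '#' only starts a comment at line start or after whitespace;
        # the '#' inside 'addr@853#name' is unbound's auth-name separator.
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):            # clause header: server: / forward-zone:
            in_server = line == "server:"
            continue
        if not in_server:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "interface":
            m = re.match(r"^(.*)@(\d+)$", val)
            out["interfaces"].append((m.group(1), int(m.group(2))) if m else (val, 53))
        elif key in ("tls-port", "https-port"):
            out[key] = int(val)
    return out


def find_port_collisions(conf: str) -> list:
    """Return listener ports that both the DoT and the DoH service would claim."""
    s = parse_server(conf)
    if s["tls-port"] != s["https-port"]:
        return []
    return sorted({port for _, port in s["interfaces"] if port == s["https-port"]})


# Constructed configurations mirroring the two settings from the report.
CONF_854 = 'server:\n  interface: lo@53\n  interface: lo@854\n  https-port: 854\n'
CONF_853 = 'server:\n  interface: lo@53\n  interface: lo@853\n  https-port: 853\n'
CONF_853_MOVED_TLS = CONF_853 + '  tls-port: 8853\n'   # DoT service moved off 853

if __name__ == "__main__":
    for name, conf in (("854", CONF_854), ("853", CONF_853), ("853+tls-port", CONF_853_MOVED_TLS)):
        print(name, "ambiguous ports:", find_port_collisions(conf))
```

With the 853 setting the checker reports port 853 as claimed by both services; with 854, or with tls-port explicitly moved elsewhere, it reports nothing.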