
Can you clarify what is the apache configuration #51

Closed
grosjo opened this issue Aug 23, 2019 · 9 comments

Comments

grosjo commented Aug 23, 2019

Hello

How do I set up Apache to respond properly to requests from a DoH client (Firefox), using your code as the DoH server?

Thank you

grosjo (Author) commented Aug 24, 2019

This is what I put in Apache, but the DNS (using Firefox DoH as client) does not work:

    ProxyPass /dns-query http://127.0.0.1:8053/dns-query
    ProxyPassReverse /dns-query http://127.0.0.1:8053/dns-query

Is there a way to activate some logging in your software?

grosjo (Author) commented Aug 24, 2019

What I am actually wondering is how to find the IP of the server itself.

Say I put in the client https://xxxx.com/dns-query as the URL for DoH.

Where does it get the IP of "xxxx.com" from (as it has no way to guess it, since the DNS is actually at the IP behind xxxx.com)?

Asking because it does work /sometimes/, and actually exactly the first request after I switch on DoH in Firefox. The second request fails.

m13253 (Owner) commented Aug 25, 2019

Thank you for your report.

Firefox uses the DNS configuration of the operating system to bootstrap DoH. I guess there are other reasons that cause the request failures.

I have only tested against some earlier versions of Firefox. Please give me one day or two to investigate this problem.

m13253 (Owner) commented Aug 26, 2019

> Asking because it does work /sometimes/, and actually exactly the first request after I switch on DoH in Firefox. The second request fails.

I have found a solution to the problem.

Open about:config in Firefox, search for network.trr.bootstrapAddress. Type in the IP address of your DoH server, then restart Firefox.

grosjo (Author) commented Aug 29, 2019

This works, but I am wondering then how the "default" value of Firefox (using Cloudflare) works: it does need to make the very first DNS request outside DoH in all cases, right?

m13253 (Owner) commented Aug 29, 2019

I am not sure how Firefox finds Cloudflare's server. Perhaps because it has fixed IP addresses of 1.1.1.1 and 1.0.0.1?

grosjo (Author) commented Aug 29, 2019

Maybe.
Maybe you can put the Apache/nginx config in your Readme.md?

m13253 (Owner) commented Aug 30, 2019

> Maybe you can put the Apache/nginx config in your Readme.md?

I don't use Apache or Nginx, so I can't test them prior to publishing them.

As far as I know, the default TLS settings of Nginx are insecure.
Would you please help me write a configuration with OCSP Must-Staple turned on (which is necessary for DoH to work) and a modern TLS configuration?

For reference, this is my Caddy configuration, with SSL Labs score of A:

    https://doh.example.com {
            log     / syslog "{remote} - {user} [{when}] \"{method} {scheme}://{host}{uri} {proto}\" {status} {size} \"{>Referer}\" \"{>User-Agent}\" {>X-Forwarded-For}"
            errors  syslog
            gzip
            proxy   /dns-query      http://[::1]:18053 {
                    header_upstream Host {host}
                    header_upstream X-Real-IP {remote}
                    header_upstream X-Forwarded-For {>X-Forwarded-For},{remote}
                    header_upstream X-Forwarded-Proto {scheme}
            }
            root    /var/www
            tls {
                    ciphers ECDHE-ECDSA-WITH-CHACHA20-POLY1305 ECDHE-RSA-WITH-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
                    curves  X25519 p384 p521
                    must_staple
            }
    }

grosjo (Author) commented Aug 31, 2019

This is what I have for Apache (getting A+ in SSL Labs):

    SSLProtocol TLSv1.2
    SSLHonorCipherOrder On
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS:!eNULL:!EXP:!LOW:!MD5
    SSLStrictSNIVHostCheck off
    SSLUseStapling on
    SSLStaplingCache shmcb:/var/lib/apache2/stapling_cache(512000)

    <VirtualHost *:443>
        ServerName MY_SERVER_NAME
        Protocols h2 http/1.1
        ProxyPass /dns-query http://127.0.0.1:8053/dns-query
        ProxyPassReverse /dns-query http://127.0.0.1:8053/dns-query
    (...)
    </VirtualHost>
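Two points in this thread are easy to get wrong when wiring a reverse proxy in front of a DoH server: the exact request shape the proxy must pass through unchanged (GET /dns-query?dns=<base64url>, Accept and Content-Type application/dns-message, per RFC 8484), and the bootstrap problem m13253 solved with network.trr.bootstrapAddress (the client must reach the resolver by IP while still presenting the hostname for SNI, certificate checking and the Host header). The following is an added example, not code from the dns-over-https project or from either participant. It builds a wire-format query, encodes it for the GET form, parses A records out of a response, and optionally sends one query to a server at a fixed bootstrap IP. The hostname, bootstrap IP and query name on the command line are assumptions for illustration; build_response is a constructed reply that exists only so the parser can be exercised offline.

```python
# Added example, not code from the dns-over-https project or from this thread.
# Assumptions: the server is reached at https://<hostname>/dns-query (the path
# proxied in the Apache configs above) and <bootstrap_ip> is the address you
# would type into network.trr.bootstrapAddress. Everything else is RFC 8484.
import base64
import http.client
import socket
import ssl
import struct


def build_query(name, qtype=1, qid=0):
    """Wire-format DNS query (RFC 1035): ID 0 as RFC 8484 recommends, RD=1."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_path(msg, path="/dns-query"):
    """GET form: base64url without '=' padding in the dns= parameter."""
    return path + "?dns=" + base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg):
    """Return [(name, ttl, ipv4), ...] from the answer section; raise on RCODE != 0."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, ttl, socket.inet_ntoa(rdata)))
    return records


def build_response(query, ipv4, ttl):
    """Constructed reply for offline testing: echoes the question and answers
    it with one A record whose owner name is a pointer to offset 12."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ipv4)
    return header + query[12:] + answer


class BootstrapHTTPSConnection(http.client.HTTPSConnection):
    """TCP-connect to a fixed IP but keep the hostname for SNI, certificate
    verification and the Host header: the same bootstrap Firefox performs with
    network.trr.bootstrapAddress, so no DNS lookup is needed to reach a resolver
    whose name is only resolvable through itself."""

    def __init__(self, hostname, bootstrap_ip, **kwargs):
        super().__init__(hostname, **kwargs)
        self._bootstrap_ip = bootstrap_ip
        self._ctx = ssl.create_default_context()

    def connect(self):
        raw = socket.create_connection((self._bootstrap_ip, self.port), self.timeout)
        self.sock = self._ctx.wrap_socket(raw, server_hostname=self.host)


def doh_query(hostname, bootstrap_ip, name, path="/dns-query"):
    """One RFC 8484 GET through the proxy. The status and Content-Type checks
    are what a client applies, so a proxy that rewrites them breaks DoH."""
    conn = BootstrapHTTPSConnection(hostname, bootstrap_ip, timeout=10)
    conn.request("GET", doh_get_path(build_query(name), path),
                 headers={"Accept": "application/dns-message"})
    resp = conn.getresponse()
    body = resp.read()
    ctype = (resp.getheader("Content-Type") or "").split(";")[0].strip()
    if resp.status != 200 or ctype != "application/dns-message":
        raise RuntimeError("HTTP %d, Content-Type %r" % (resp.status, ctype))
    return parse_a_records(body)


if __name__ == "__main__":
    import sys
    # usage: python doh_check.py <doh-hostname> <bootstrap-ip> <name-to-resolve>
    print(doh_query(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Run it against your own proxy with the DoH hostname, the server's IP and a name to resolve; if the offline parser works but the live call raises on status or Content-Type, the problem is in the Apache layer (headers or status rewritten) rather than in the DoH server behind it, and if the live call fails only when the bootstrap IP is omitted from the system resolver path, you are seeing the same first-request-only behaviour reported above.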

m13253 added a commit that referenced this issue Aug 31, 2019
@m13253 m13253 closed this as completed Aug 31, 2019