I have built a DoH resolver with unbound, and my simple configuration test passes:
unbound-checkconf: no errors in /unbound/unbound.conf
My next test was with the bundled dohclient:
dohclient -s 10.10.10.10 cnn.com AAAA IN
Request headers
:method: GET
:path: /dns-query?dns=AAABAAABAAAAAAABhswwyy2hbn0AABwAAQAAKRAAAACAAAAA
:scheme: https
:authority: 10.10.10.10
content-type: application/dns-message
:status 200
content-type application/dns-message
content-length 260
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: qr rd ra ; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
cnn.com. IN AAAA
;; ANSWER SECTION:
cnn.com. 300 IN AAAA 2a04:4e42:a00::773
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
; EDNS: version: 0; flags: do ; udp: 1232
;; MSG SIZE rcvd: 260
So... everything looks like it is going well.
But then I tried a similar test with curl:
curl --doh-url https://doh.mydomain.com cnn.com
I get:
curl: (6) Couldn't resolve host name
...and in the unbound log I see:
debug: http2 request invalid, returning :status=404
If I try to reach the unbound server with Firefox, it fails as well, and the unbound log shows:
debug: http2 request invalid, returning :status=404
My "curl --version" shows:
Features: alt-svc AsynchDNS GSS-API HSTS HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL TLS-SRP UnixSockets
... so I do have http2 support, and my Firefox was freshly updated last night.
Here is the verbose output of the failing curl command:
* We are completely uploaded and fine
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=mydomain.com
* start date: Nov 24 00:00:00 2023 GMT
* expire date: Feb 22 23:59:59 2024 GMT
* subjectAltName: host "doh.mydomain.com" matched cert's "*.mydomain.com"
* issuer: C=AT; O=ZeroSSL; CN=ZeroSSL ECC Domain Secure Site CA
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x13980cc00)
> POST / HTTP/2
Host: doh.mydomain.com
accept: */*
content-type: application/dns-message
content-length: 25
* We are completely uploaded and fine
< HTTP/2 404
<
* Connection #1 to host doh.mydomain.com left intact
* a DoH request is completed, 1 to go
< HTTP/2 404
<
* Connection #2 to host doh.mydomain.com left intact
* a DoH request is completed, 0 to go
* DoH: Too small type A for cnn.com
* DoH: Too small type AAAA for cnn.com
* Closing connection 0
curl: (6) Couldn't resolve host name
Why does curl fail with a 404?
Why does dohclient succeed while these "normal" clients (curl and Firefox) fail?
Answer 1
As the documentation says, unbound returns 404 if you don't request the correct path, which defaults to /dns-query and which you probably haven't changed. The dohclient output shows that it uses this path, whereas your curl output shows that it just does POST /, because that is what you specified and curl uses the URL exactly as given. Although you didn't show your Firefox configuration, it probably has the same flexibility.
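As an added example that is not part of the question or the answer above: a small Python script that builds the kind of RFC 8484 GET request dohclient sends (a wire-format DNS query, base64url-encoded without padding, passed as the dns= parameter under the /dns-query endpoint), decodes such a request back, and checks whether a URL's path matches the endpoint, which is the check that separates the working dohclient request from the curl and Firefox requests that got a 404. The host doh.mydomain.com and the default endpoint /dns-query come from the page; the function names and the 4096-byte EDNS buffer size are my own choices.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# unbound's default DoH endpoint, as stated in the answer above.
DEFAULT_ENDPOINT = "/dns-query"
QTYPES = {"A": 1, "AAAA": 28, "MX": 15, "TXT": 16}


def build_query(name, qtype="AAAA", udp_size=4096, do_bit=True):
    """Build a minimal wire-format DNS query for DoH.

    ID is 0 (RFC 8484 section 4.1 recommends this so identical queries
    produce identical URLs and cache well), RD set, one question, and an
    EDNS0 OPT record in the additional section carrying the advertised
    buffer size and the DO flag, matching the "flags: do" in the response
    shown in the question.
    """
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 1)  # RD; QD=1, AR=1
    question = qname + struct.pack("!HH", QTYPES[qtype.upper()], 1)
    ttl = 0x8000 if do_bit else 0  # OPT TTL field: ext-rcode 0, version 0, DO
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)  # root name + OPT
    return header + question + opt


def b64url_nopad(data):
    """RFC 8484 requires base64url with the trailing '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def doh_get_url(server, name, qtype="AAAA", endpoint=DEFAULT_ENDPOINT):
    """The URL a GET-based client such as dohclient requests."""
    return f"https://{server}{endpoint}?dns={b64url_nopad(build_query(name, qtype))}"


def parse_query(wire):
    """Decode header, question and (if present) the OPT record of a query."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", wire[:12])
    pos, labels = 12, []
    while True:
        ln = wire[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0 or pos + ln > len(wire):
            raise ValueError("malformed or compressed question name")
        labels.append(wire[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, qclass = struct.unpack("!HH", wire[pos:pos + 4])
    pos += 4
    info = {"id": ident, "rd": bool(flags & 0x0100), "name": ".".join(labels),
            "qtype": qtype, "qclass": qclass, "udp_size": None, "do": False}
    if ar and pos + 11 <= len(wire) and wire[pos] == 0:
        rtype, udp_size, ttl, rdlen = struct.unpack("!HHIH", wire[pos + 1:pos + 11])
        if rtype == 41:
            info["udp_size"] = udp_size
            info["do"] = bool(ttl & 0x8000)
    return info


def decode_dns_param(url):
    """Recover the query from a DoH GET URL's dns= parameter (re-adding padding)."""
    raw = parse_qs(urlsplit(url).query)["dns"][0]
    raw += "=" * (-len(raw) % 4)
    return parse_query(base64.urlsafe_b64decode(raw))


def endpoint_matches(url_or_path, endpoint=DEFAULT_ENDPOINT):
    """The check the resolver effectively applies: any other path gets a 404."""
    return urlsplit(url_or_path).path == endpoint


if __name__ == "__main__":
    url = doh_get_url("doh.mydomain.com", "cnn.com", "AAAA")
    print(url)
    print(decode_dns_param(url))
    # The curl command in the question points at the host with no path,
    # so its request goes to "/" and never reaches the endpoint.
    print(endpoint_matches("https://doh.mydomain.com"), endpoint_matches(url))
```

The same check explains the curl failure: --doh-url https://doh.mydomain.com carries no path, so the POST goes to /, which is not the endpoint; giving curl the full URL https://doh.mydomain.com/dns-query sends the request to the path unbound actually serves.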