
feat(dns): support DoH, DoT, DoH3, DoQ #649

Merged: 28 commits, Nov 1, 2024

Conversation

EkkoG (Contributor) commented Sep 24, 2024

Background

dae lacks support for some encrypted DNS protocols; this PR adds support for DoH, DoT, DoH3 and DoQ.

TODO

  • support config DoH and DoH3 url path
  • dns.google.com compatible issue
  • Reuse httpClient
  • Set the ID to 0 when sending a DoH/DoQ request, and set it back when sending the response to the client 1 2

Checklist

Full Changelogs

  • feat: support DoH, DoT, DoH3, DoQ

Issue Reference

Closes #321
Closes #583

Test Result

time="Sep 24 15:58:37" level=trace msg="Received UDP(DNS) 192.168.33.244:41532 <-> 192.168.33.1:53: wq.io. A"
time="Sep 24 15:58:37" level=trace msg="Request to DNS upstream" question=[{wq.io. 1 1}] upstream="tls://dns.google:853"
time="Sep 24 15:58:37" level=trace msg="Choose DNS path" choose="tcp+4" ipversions=[4 6] l4protos=[tcp] upstream="tls://dns.google:853" use="8.8.8.8:853"
time="Sep 24 15:58:37" level=trace msg=Accept question=[{wq.io. 1 1}] upstream="tls://dns.google:853"
time="Sep 24 15:58:37" level=info msg="192.168.33.244:41532 <-> 8.8.8.8:853" _qname=wq.io. dialer=direct dscp=0 mac="08:00:27:95:8e:32" network="tcp4(DNS)" outbound=direct pid=50022 pname=dig policy=fixed qtype=A
time="Sep 24 15:58:37" level=trace msg="Update DNS record cache" _qname=wq.io. ans="wq.io.(A): 107.170.234.66" rcode=0

time="Sep 24 15:57:36" level=trace msg="Received UDP(DNS) 192.168.33.244:50965 <-> 192.168.33.1:53: wq.io. A"
time="Sep 24 15:57:36" level=trace msg="Request to DNS upstream" question=[{wq.io. 1 1}] upstream="http3://dns.alidns.com:443"
time="Sep 24 15:57:36" level=trace msg="Choose DNS path" choose="udp+4" ipversions=[4 6] l4protos=[udp] upstream="http3://dns.alidns.com:443" use="223.5.5.5:443"
time="Sep 24 15:57:36" level=trace msg=Accept question=[{wq.io. 1 1}] upstream="http3://dns.alidns.com:443"
time="Sep 24 15:57:36" level=info msg="192.168.33.244:50965 <-> 223.5.5.5:443" _qname=wq.io. dialer=direct dscp=0 mac="08:00:27:95:8e:32" network="udp4(DNS)" outbound=direct pid=49833 pname=dig policy=fixed qtype=A
time="Sep 24 15:57:36" level=trace msg="Update DNS record cache" _qname=wq.io. ans="wq.io.(A): 107.170.234.66" rcode=0

time="Sep 24 15:56:57" level=trace msg="Received UDP(DNS) 192.168.33.244:39025 <-> 192.168.33.1:53: wq.io. A"
time="Sep 24 15:56:57" level=trace msg="Request to DNS upstream" question=[{wq.io. 1 1}] upstream="https://dns.alidns.com:443"
time="Sep 24 15:56:57" level=trace msg="Choose DNS path" choose="tcp+4" ipversions=[4 6] l4protos=[tcp] upstream="https://dns.alidns.com:443" use="223.5.5.5:443"
time="Sep 24 15:56:57" level=trace msg=Accept question=[{wq.io. 1 1}] upstream="https://dns.alidns.com:443"
time="Sep 24 15:56:57" level=info msg="192.168.33.244:39025 <-> 223.5.5.5:443" _qname=wq.io. dialer=direct dscp=0 mac="08:00:27:95:8e:32" network="tcp4(DNS)" outbound=direct pid=49693 pname=dig policy=fixed qtype=A
time="Sep 24 15:56:57" level=trace msg="Update DNS record cache" _qname=wq.io. ans="wq.io.(A): 107.170.234.66" rcode=0

Footnotes

  1. https://datatracker.ietf.org/doc/html/rfc8484#section-4.1

  2. https://www.rfc-editor.org/rfc/rfc9250.html#name-dns-message-ids
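The fourth TODO item above (zeroing the DNS message ID before the query goes to a DoH or DoQ upstream and restoring it before the answer goes back to the client) as an added Go example; this is not code from dae or from this PR. It works on the raw wire format with the standard library only, takes the base64 query from the curl transcripts later in this thread as its constructed sample input, and also adds the 2-octet length prefix that RFC 9250 puts on every DoQ stream (DoH carries the bare message in the HTTP body). The function names are this example's own.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// dnsHeaderLen is the fixed DNS header size; the ID is the first two octets.
const dnsHeaderLen = 12

// sampleQueryB64 is the query used in the curl transcripts of this thread:
// ID 0xabcd, RD set, one question for www.example.com A (constructed sample input).
const sampleQueryB64 = "q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"

func decodeSampleQuery() []byte {
	b, err := base64.StdEncoding.DecodeString(sampleQueryB64)
	if err != nil {
		panic(err)
	}
	return b
}

// PrepareUpstreamQuery returns a copy of the client's wire-format query with the
// ID field set to 0 (RFC 8484 section 4.1 for DoH, RFC 9250 for DoQ) together
// with the original ID, which the proxy must keep to answer the client.
func PrepareUpstreamQuery(clientQuery []byte) (upstream []byte, origID uint16, err error) {
	if len(clientQuery) < dnsHeaderLen {
		return nil, 0, errors.New("DNS message shorter than the 12-octet header")
	}
	origID = binary.BigEndian.Uint16(clientQuery[:2])
	upstream = make([]byte, len(clientQuery))
	copy(upstream, clientQuery)
	binary.BigEndian.PutUint16(upstream[:2], 0)
	return upstream, origID, nil
}

// RestoreResponseID checks that the upstream answer carries the ID we sent (0)
// and has the QR bit set, then rewrites the ID to the client's original value.
func RestoreResponseID(upstreamResp []byte, origID uint16) ([]byte, error) {
	if len(upstreamResp) < dnsHeaderLen {
		return nil, errors.New("DNS response shorter than the 12-octet header")
	}
	if id := binary.BigEndian.Uint16(upstreamResp[:2]); id != 0 {
		return nil, fmt.Errorf("upstream response ID %#04x does not match the 0 we sent", id)
	}
	if upstreamResp[2]&0x80 == 0 {
		return nil, errors.New("upstream message is not a response (QR bit clear)")
	}
	out := make([]byte, len(upstreamResp))
	copy(out, upstreamResp)
	binary.BigEndian.PutUint16(out[:2], origID)
	return out, nil
}

// FrameDoQ prefixes a message with the 2-octet length that RFC 9250 requires on
// every DoQ stream.
func FrameDoQ(msg []byte) ([]byte, error) {
	if len(msg) > 0xffff {
		return nil, fmt.Errorf("message of %d octets exceeds the 16-bit length field", len(msg))
	}
	out := make([]byte, 2+len(msg))
	binary.BigEndian.PutUint16(out[:2], uint16(len(msg)))
	copy(out[2:], msg)
	return out, nil
}

// UnframeDoQ extracts the first length-prefixed message from buf and returns
// the remaining bytes, so a stream holding several messages can be consumed.
func UnframeDoQ(buf []byte) (msg, rest []byte, err error) {
	if len(buf) < 2 {
		return nil, buf, errors.New("need 2 octets of length prefix")
	}
	n := int(binary.BigEndian.Uint16(buf[:2]))
	if len(buf)-2 < n {
		return nil, buf, fmt.Errorf("length prefix says %d octets, only %d available", n, len(buf)-2)
	}
	return buf[2 : 2+n], buf[2+n:], nil
}

func main() {
	q := decodeSampleQuery()
	up, id, err := PrepareUpstreamQuery(q)
	if err != nil {
		panic(err)
	}
	fmt.Printf("client ID %#04x, upstream ID %#04x\n", id, binary.BigEndian.Uint16(up[:2]))
	// Simulated upstream answer: same header with the QR bit set and ID 0.
	resp := append([]byte(nil), up...)
	resp[2] |= 0x80
	back, err := RestoreResponseID(resp, id)
	if err != nil {
		panic(err)
	}
	fmt.Printf("response ID for client %#04x\n", binary.BigEndian.Uint16(back[:2]))
}
```

The ID check in RestoreResponseID is the reason the original ID must be stored per in-flight query rather than patched into the upstream connection: once every upstream query carries ID 0, the only thing that ties an answer to its client is the proxy's own bookkeeping (the HTTP exchange for DoH, the stream for DoQ), so a non-zero ID coming back is a protocol violation worth dropping rather than forwarding.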

EkkoG (Contributor, Author) commented Sep 24, 2024

UPDATE!

The DoH3 scheme is h3 now.

time="Sep 24 17:15:26" level=trace msg="Received UDP(DNS) 192.168.33.244:52874 <-> 192.168.33.1:53: wq.io. A"
time="Sep 24 17:15:26" level=trace msg="Request to DNS upstream" question=[{wq.io. 1 1}] upstream="h3://dns.alidns.com:443"
time="Sep 24 17:15:26" level=trace msg="Choose DNS path" choose="udp+4" ipversions=[4 6] l4protos=[udp] upstream="h3://dns.alidns.com:443" use="223.5.5.5:443"
time="Sep 24 17:15:26" level=trace msg=Accept question=[{wq.io. 1 1}] upstream="h3://dns.alidns.com:443"
time="Sep 24 17:15:26" level=info msg="192.168.33.244:52874 <-> 223.5.5.5:443" _qname=wq.io. dialer=direct dscp=0 mac="08:00:27:95:8e:32" network="udp4(DNS)" outbound=direct pid=51456 pname=dig policy=fixed qtype=A
time="Sep 24 17:15:26" level=trace msg="Update DNS record cache" _qname=wq.io. ans="wq.io.(A): 107.170.234.66" rcode=0

And I will try to make both h3 and http3 work.

mzz2017 (Contributor) commented Sep 24, 2024

This is truly an exciting job! I will take the time to review it.

EkkoG (Contributor, Author) commented Sep 24, 2024

Both h3 and http3 can be DoH3's scheme now.

douglarek (Contributor) commented Sep 25, 2024

Finally, someone has taken action on DNS. Awesome. By the way, can you also support DoQ, like Ali's quic://223.5.5.5? It seems to be there, haha. By the way, currently only TLS and HTTPS are working; it seems that TCP is also broken.

EkkoG (Contributor, Author) commented Sep 25, 2024

I did not change the behavior of TCP DNS, and I just tested it; it works well.

time="Sep 25 02:59:13" level=trace msg="Received UDP(DNS) 192.168.33.244:50348 <-> 192.168.33.1:53: wq.io. A"
time="Sep 25 02:59:13" level=trace msg="Request to DNS upstream" question=[{wq.io. 1 1}] upstream="tcp://dns.google:53"
time="Sep 25 02:59:13" level=trace msg="Choose DNS path" choose="tcp+4" ipversions=[4 6] l4protos=[tcp] upstream="tcp://dns.google:53" use="8.8.4.4:53"
time="Sep 25 02:59:13" level=trace msg=Accept question=[{wq.io. 1 1}] upstream="tcp://dns.google:53"
time="Sep 25 02:59:13" level=info msg="192.168.33.244:50348 <-> 8.8.4.4:53" _qname=wq.io. dialer=direct dscp=0 mac="08:00:27:95:8e:32" network="tcp4(DNS)" outbound=direct pid=59922 pname=dig policy=fixed qtype=A
time="Sep 25 02:59:13" level=trace msg="Update DNS record cache" _qname=wq.io. ans="wq.io.(A): 107.170.234.66" rcode=0

DoQ is a work in progress.

ODoH is on the plan.

EkkoG added a commit to EkkoG/dae that referenced this pull request Sep 25, 2024
Review comment on this code:

    for {
        _, err = conn.Write(data)
        if err != nil {
            if c.log.IsLevelEnabled(logrus.DebugLevel) {

Contributor: I understand that this debug level check is not necessary.

Contributor: It is for performance optimization

Contributor, replying to "It is for performance optimization": I don't see where the performance optimization is here. In fact, the debugln method internally calls: https://github.com/sirupsen/logrus/blob/v1.9.3/entry.go#L303

EkkoG (Contributor, Author) commented Sep 25, 2024

Since DoH3 is broken by FakeNetPacketConn's implementation, I have forked the outbound package and temporarily disabled some code about the quic.OOBCapablePacketConn implementation. If you have any conclusions about this issue, please let me know. cc @mzz2017

EkkoG (Contributor, Author) commented Sep 25, 2024

time="Sep 25 17:03:19" level=trace msg="Request to DNS upstream" question=[{wq.io. 1 1}] upstream="quic://dns-unfiltered.adguard.com:853"
time="Sep 25 17:03:19" level=trace msg="Choose DNS path" choose="udp+4" ipversions=[4 6] l4protos=[udp] upstream="quic://dns-unfiltered.adguard.com:853" use="94.140.14.140:853"
time="Sep 25 17:03:21" level=trace msg=Accept question=[{wq.io. 1 1}] upstream="quic://dns-unfiltered.adguard.com:853"
time="Sep 25 17:03:21" level=info msg="192.168.33.244:58565 <-> 94.140.14.140:853" _qname=wq.io. dialer=direct dscp=0 mac="08:00:27:95:8e:32" network="udp4(DNS)" outbound=direct pid=9110 pname=dig policy=fixed qtype=A
time="Sep 25 17:03:21" level=trace msg="Update DNS record cache" _qname=wq.io. ans="wq.io.(A): 107.170.234.66" rcode=0
time="Sep 25 17:11:04" level=trace msg="Received UDP(DNS) 192.168.33.244:58042 <-> 192.168.33.1:53: wq.io. A"
time="Sep 25 17:11:04" level=trace msg="Request to DNS upstream" question=[{wq.io. 1 1}] upstream="quic://dns-unfiltered.adguard.com:853"
time="Sep 25 17:11:04" level=trace msg="Choose DNS path" choose="udp+4" ipversions=[4 6] l4protos=[udp] upstream="quic://dns-unfiltered.adguard.com:853" use="94.140.14.140:853"
time="Sep 25 17:11:06" level=trace msg=Accept question=[{wq.io. 1 1}] upstream="quic://dns-unfiltered.adguard.com:853"
time="Sep 25 17:11:06" level=info msg="192.168.33.244:58042 <-> 94.140.14.140:853" _qname=wq.io. dialer="香港 IEPL [02] [Air]" dscp=0 mac="08:00:27:95:8e:32" network="udp4(DNS)" outbound=proxy pid=10400 pname=dig policy=min_moving_avg qtype=A
time="Sep 25 17:11:06" level=trace msg="Update DNS record cache" _qname=wq.io. ans="wq.io.(A): 107.170.234.66" rcode=0

DoQ support has been added.

@EkkoG EkkoG changed the title feat: support DoH, DoT, DoH3 feat: support DoH, DoT, DoH3, DoQ Sep 25, 2024
douglarek (Contributor) commented Sep 26, 2024

Cool!

  • alidns: 'tcp://dns.alidns.com:53' ✅
  • alidns: 'h3://dns.alidns.com' ✅
  • alidns: 'http3://dns.alidns.com' ✅
  • alidns: 'quic://dns.alidns.com' # I remember using it before, not sure why it doesn't work now.
  • alidns: 'tls://dns.alidns.com' ✅
  • adguard: 'quic://dns.adguard.com:784' ✅
  • adguard: 'quic://dns-unfiltered.adguard.com' ✅

EkkoG (Contributor, Author) commented Sep 26, 2024

@douglarek DoQ should work with alidns now.

tkszhzy commented Sep 26, 2024

dae version unstable-20240926.pr-649.r17.bc5204
x86_64

DoH upstream: https://cloudflare-dns.com/dns-query

[Sep 26 03:14:38] WARN handlePkt: Post "https://104.16.248.249:443/dns-query": tls: failed to verify certificate: x509: certificate is valid for 1.0.0.1, 1.1.1.1, 162.159.36.1, 162.159.46.1, 2606:4700:4700::1001, 2606:4700:4700::1111, 2606:4700:4700::64, 2606:4700:4700::6400, not 104.16.248.249

MarksonHon (Contributor) commented:

@tkszhzy Please run curl -v https://cloudflare-dns.com/dns-query on your computer and upload the outputs

tkszhzy commented Sep 26, 2024

@tkszhzy Please run curl -v https://cloudflare-dns.com/dns-query on your computer and upload the outputs

root@debian:~# curl -v https://cloudflare-dns.com/dns-query
*   Trying 104.16.248.249:443...
* Connected to cloudflare-dns.com (104.16.248.249) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare-dns.com
*  start date: Jul 30 00:00:00 2024 GMT
*  expire date: Jan 21 23:59:59 2025 GMT
*  subjectAltName: host "cloudflare-dns.com" matched cert's "cloudflare-dns.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /dns-query]
* h2h3 [:scheme: https]
* h2h3 [:authority: cloudflare-dns.com]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55af1632cce0)
> GET /dns-query HTTP/2
> Host: cloudflare-dns.com
> user-agent: curl/7.88.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 400 
< server: cloudflare
< date: Thu, 26 Sep 2024 08:18:58 GMT
< access-control-allow-origin: *
< cf-ray: 8c91d38aeac0d1f5-ICN
< 
* Connection #0 to host cloudflare-dns.com left intact

tkszhzy commented Sep 26, 2024

With a DNS testing tool:

root@debian:~# dnslookup www.yahoo.com https://cloudflare-dns.com/dns-query
dnslookup master
Server: https://cloudflare-dns.com/dns-query

dnslookup result (elapsed 238.519706ms):
;; opcode: QUERY, status: NOERROR, id: 34483
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.yahoo.com. IN A

;; ANSWER SECTION:
www.yahoo.com. 39 IN CNAME me-ycpi-cf-www.g06.yahoodns.net.
me-ycpi-cf-www.g06.yahoodns.net. 39 IN A 180.222.106.12
me-ycpi-cf-www.g06.yahoodns.net. 39 IN A 180.222.106.11
me-ycpi-cf-www.g06.yahoodns.net. 39 IN A 180.222.109.252
me-ycpi-cf-www.g06.yahoodns.net. 39 IN A 180.222.109.251

EkkoG (Contributor, Author) commented Sep 26, 2024

dae version unstable-20240926.pr-649.r17.bc5204 x86_64

DoH upstream: https://cloudflare-dns.com/dns-query

[Sep 26 03:14:38] WARN handlePkt: Post "https://104.16.248.249:443/dns-query": tls: failed to verify certificate: x509: certificate is valid for 1.0.0.1, 1.1.1.1, 162.159.36.1, 162.159.46.1, 2606:4700:4700::1001, 2606:4700:4700::1111, 2606:4700:4700::64, 2606:4700:4700::6400, not 104.16.248.249

This is because the current DoH request does not set the SNI; 104.16.248.249 is not a host dedicated to the DNS server, and Cloudflare does not provide a valid IP certificate for this IP, so the certificate check fails. You can use an IP URL like https://1.1.1.1/dns-query to avoid this issue.

Also, I have fixed the issue, so you can keep this usage.

For this case, and for users who want to use a self-hosted DoH server and can get an IP certificate, setting the SNI is required.

When the SNI and the HTTP Host mismatch, Cloudflare returns a 403:

echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 --decode | curl --header 'content-type: application/dns-message' --header 'Host: 1.1.1.1' --data-binary @- https://one.one.one.one/dns-query -v -4
*   Trying 1.0.0.1:443...
* Connected to one.one.one.one (1.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=one.one.one
*  start date: Jul 30 03:28:47 2024 GMT
*  expire date: Oct 28 03:28:46 2024 GMT
*  subjectAltName: host "one.one.one.one" matched cert's "*.one.one.one"
*  issuer: C=US; O=Google Trust Services; CN=WE1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55a39ec621c0)
> POST /dns-query HTTP/2
> Host: 1.1.1.1
> user-agent: curl/7.74.0
> accept: */*
> content-type: application/dns-message
> content-length: 33
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* We are completely uploaded and fine
< HTTP/2 403 
< server: cloudflare
< date: Thu, 26 Sep 2024 09:47:20 GMT
< content-type: text/html
< content-length: 151
< cf-ray: 8c9254fd5f67ce0d-SIN
< 
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>cloudflare</center>
</body>
</html>
* Connection #0 to host one.one.one.one left intact
echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 --decode | curl --header 'content-type: application/dns-message' --data-binary @- https://one.one.one.one/dns-query -v -4 --output - | hexdump
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 1.0.0.1:443...
* Connected to one.one.one.one (1.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2528 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=one.one.one
*  start date: Jul 30 03:28:47 2024 GMT
*  expire date: Oct 28 03:28:46 2024 GMT
*  subjectAltName: host "one.one.one.one" matched cert's "*.one.one.one"
*  issuer: C=US; O=Google Trust Services; CN=WE1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x55812b3cf1c0)
} [5 bytes data]
> POST /dns-query HTTP/2
> Host: one.one.one.one
> user-agent: curl/7.74.0
> accept: */*
> content-type: application/dns-message
> content-length: 33
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [238 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [238 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
* We are completely uploaded and fine
{ [5 bytes data]
< HTTP/2 200 
< server: cloudflare
< date: Thu, 26 Sep 2024 09:55:06 GMT
< content-type: application/dns-message
< access-control-allow-origin: *
< content-length: 49
< cf-ray: 8c92605f2c864c95-SIN
< alt-svc: h3=":443"; ma=86400
< 
{ [5 bytes data]
100    82  100    49  100    33   1814   1222 --:--:-- --:--:-- --:--:--  3153
* Connection #0 to host one.one.one.one left intact
0000000 cdab 8081 0100 0100 0000 0000 7703 7777
0000010 6507 6178 706d 656c 6303 6d6f 0000 0001
0000020 c001 000c 0001 0001 0400 00bb 5d04 d7b8
0000030 000e                                   
0000031

And for AliDNS, it returns 200:

echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 --decode | curl --header 'content-type: application/dns-message' --header 'Host: 223.5.5.5' --data-binary @- https://dns.alidns.com/dns-query -v -4 --output - | hexdump
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 223.5.5.5:443...
* Connected to dns.alidns.com (223.5.5.5) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2238 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [78 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=CN; ST=\U6D59\U6C5F\U7701; L=\U676D\U5DDE\U5E02; O=\U963F\U91CC\U5DF4\U5DF4\UFF08\U4E2D\U56FD\UFF09\U7F51\U7EDC\U6280\U672F\U6709\U9650\U516C\U53F8; CN=*.alidns.com
*  start date: Jan  5 06:41:06 2024 GMT
*  expire date: Feb  5 06:41:05 2025 GMT
*  subjectAltName: host "dns.alidns.com" matched cert's "*.alidns.com"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign ECC OV SSL CA 2018
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x55b8e1dc6820)
} [5 bytes data]
> POST /dns-query HTTP/2
> Host: 223.5.5.5
> user-agent: curl/7.74.0
> accept: */*
> content-type: application/dns-message
> content-length: 33
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [130 bytes data]
* We are completely uploaded and fine
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
} [5 bytes data]
< HTTP/2 200 
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
< cache-control: max-age=1.000000
< content-type: application/dns-message
< content-length: 64
< date: Thu, 26 Sep 2024 09:56:27 GMT
< 
{ [5 bytes data]
100    97  100    64  100    33    659    340 --:--:-- --:--:-- --:--:--  1000
* Connection #0 to host dns.alidns.com left intact
0000000 cdab 0081 0100 0100 0000 0000 7703 7777
0000010 6507 6178 706d 656c 6303 6d6f 0000 0001
0000020 0301 7777 0777 7865 6d61 6c70 0365 6f63
0000030 006d 0100 0100 0000 0100 0400 b85d 0ed7
0000040

So we also need to keep the SNI and the HTTP Host the same; keeping them the same is best, so I implemented it. You can try the latest build.

Feel free to report any issues or feedback.
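The SNI/Host point from the comment above, as an added Go example rather than dae's own code: an http.Client that connects to the already-resolved IP (the use= address in the log lines) while keeping the TLS ServerName, the name the certificate is verified against and the HTTP Host header all equal to the hostname in the upstream URL. Posting to an IP-literal URL such as https://104.16.248.249/dns-query sends no SNI and verifies the certificate against the IP, which is exactly the x509 error in the report; sending a Host that differs from the SNI is what the 403 transcript shows. The function names and the dns.alidns.com / 223.5.5.5 sample in main are this example's own assumptions; nothing here touches the network unless ExchangeDoH is called.

```go
package main

import (
	"bytes"
	"context"
	"crypto/tls"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"time"
)

const dnsMessageMIME = "application/dns-message"

// upstreamDialTarget returns the host:port the transport actually connects to:
// the IP already chosen for the upstream (the use= field in the logs) plus the
// port from the URL, defaulting to 443.
func upstreamDialTarget(upstream *url.URL, resolvedIP string) (string, error) {
	if net.ParseIP(resolvedIP) == nil {
		return "", fmt.Errorf("resolved address %q is not an IP literal", resolvedIP)
	}
	port := upstream.Port()
	if port == "" {
		port = "443"
	}
	return net.JoinHostPort(resolvedIP, port), nil
}

// newDoHClient builds an HTTP client that dials resolvedIP but presents the
// URL's hostname as SNI and verifies the server certificate against that name.
func newDoHClient(upstream *url.URL, resolvedIP string) (*http.Client, error) {
	if upstream.Scheme != "https" {
		return nil, fmt.Errorf("DoH upstream must use https, got %q", upstream.Scheme)
	}
	target, err := upstreamDialTarget(upstream, resolvedIP)
	if err != nil {
		return nil, err
	}
	tr := &http.Transport{
		// ServerName drives both the SNI extension and hostname verification.
		// For an IP-literal URL (https://1.1.1.1/dns-query) Go omits SNI and
		// matches the IP against the certificate's IP SANs instead.
		TLSClientConfig: &tls.Config{
			ServerName: upstream.Hostname(),
			MinVersion: tls.VersionTLS12,
		},
		// Ignore the address the transport derived from the URL and connect to
		// the pre-resolved IP; the TLS layer above still sees the hostname.
		DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: 5 * time.Second}
			return d.DialContext(ctx, network, target)
		},
		ForceAttemptHTTP2:   true,
		MaxIdleConnsPerHost: 4, // reuse the TLS session across queries
	}
	return &http.Client{Transport: tr, Timeout: 10 * time.Second}, nil
}

// newDoHRequest builds an RFC 8484 POST whose Host header equals the SNI name
// (port stripped), so the two names can never drift apart.
func newDoHRequest(ctx context.Context, upstream *url.URL, wire []byte) (*http.Request, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, upstream.String(), bytes.NewReader(wire))
	if err != nil {
		return nil, err
	}
	req.Host = upstream.Hostname()
	req.Header.Set("Content-Type", dnsMessageMIME)
	req.Header.Set("Accept", dnsMessageMIME)
	return req, nil
}

// ExchangeDoH sends one wire-format query and returns the wire-format answer,
// rejecting anything that is not a 200 carrying the DNS media type.
func ExchangeDoH(ctx context.Context, client *http.Client, upstream *url.URL, wire []byte) ([]byte, error) {
	req, err := newDoHRequest(ctx, upstream, wire)
	if err != nil {
		return nil, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("upstream %s answered HTTP %d", upstream.Host, resp.StatusCode)
	}
	if ct := resp.Header.Get("Content-Type"); ct != dnsMessageMIME {
		return nil, fmt.Errorf("unexpected content type %q", ct)
	}
	return io.ReadAll(io.LimitReader(resp.Body, 65535))
}

func main() {
	// Constructed sample: the AliDNS upstream and the IP chosen for it in the logs.
	upstream, _ := url.Parse("https://dns.alidns.com:443/dns-query")
	client, err := newDoHClient(upstream, "223.5.5.5")
	if err != nil {
		panic(err)
	}
	req, _ := newDoHRequest(context.Background(), upstream, nil)
	tr := client.Transport.(*http.Transport)
	fmt.Printf("SNI=%s Host=%s\n", tr.TLSClientConfig.ServerName, req.Host)
}
```

Setting req.Host to upstream.Hostname() rather than leaving the default (which keeps the ":443") is deliberate: the :authority pseudo-header and the SNI then carry the identical string, which is the condition the comment above arrived at for both Cloudflare and AliDNS.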

EkkoG added a commit to EkkoG/dae that referenced this pull request Sep 26, 2024
EkkoG added a commit to EkkoG/dae that referenced this pull request Sep 26, 2024
EkkoG added a commit to EkkoG/dae that referenced this pull request Sep 26, 2024
tkszhzy commented Sep 26, 2024

So we also need to keep the SNI and the HTTP Host the same; keeping them the same is best, so I implemented it. You can try the latest build.

Feel free to report any issues or feedback.

The latest build is cool.

Thanks to all of the dae team!

EkkoG (Contributor, Author) commented Sep 27, 2024

It is too hard to find a proxy server for ODoH, so I have given up on implementing it. For those interested in DNS protocols like ODoH, or DNS protocols with a similar approach, have a look at https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v3/relays.md ; it has more relay servers available.

dae-prow bot left a comment:

🧪 Since the PR has been fully tested, please consider merging it.

@mzz2017 mzz2017 merged commit bfc17c3 into daeuniverse:main Nov 1, 2024
25 checks passed
mzz2017 (Contributor) commented Nov 1, 2024

Thanks for your awesome work!

EkkoG added a commit to EkkoG/dae that referenced this pull request Nov 2, 2024
EkkoG added a commit to EkkoG/dae that referenced this pull request Nov 2, 2024
mzz2017 pushed a commit that referenced this pull request Nov 2, 2024
@dae-prow dae-prow bot mentioned this pull request Nov 3, 2024
Linked issues that this pull request may close:
[Support Request] Is DoH currently not supported? [Feature Request] DNS-over-http/3 (DoH3) support request
6 participants