Hello everyone!
I am running CoreDNS as a Docker image in host mode and using DNS-over-HTTPS (DoH). DNS on port 53 works fine.
I believe I've followed the official documentation for the tls plugin correctly [https://github.com/coredns/coredns/tree/master/plugin/tls]
...but when I try to make a DoH request, I get the following:
Request:
curl -v -X GET "https://[REDACTED_DOMAIN]/dns-query?name=google.de&type=A" -H "accept: application/dns-json"
Response:
curl -v -X GET "https://[REDACTED_DOMAIN]/dns-query?name=google.de&type=A" -H "accept: application/dns-json"
Note: Unnecessary use of -X or --request, GET is already inferred.
* Uses proxy env variable no_proxy == 'localhost,127.0.0.0/8,::1'
* Host [REDACTED_DOMAIN]:443 was resolved.
* IPv6: (none)
* IPv4: [REDACTED_IP]
*   Trying [REDACTED_IP]:443...
* Connected to [REDACTED_DOMAIN] ([REDACTED_IP]) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=[REDACTED_DOMAIN]
*  start date: Feb 15 11:26:28 2025 GMT
*  expire date: May 16 11:26:27 2025 GMT
*  subjectAltName: host "[REDACTED_DOMAIN]" matched cert's "[REDACTED_DOMAIN]"
*  issuer: C=US; O=Let's Encrypt; CN=E5
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://[REDACTED_DOMAIN]/dns-query?name=google.de&type=A
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: [REDACTED_DOMAIN]]
* [HTTP/2] [1] [:path: /dns-query?name=google.de&type=A]
* [HTTP/2] [1] [user-agent: curl/8.5.0]
* [HTTP/2] [1] [accept: application/dns-json]
> GET /dns-query?name=google.de&type=A HTTP/2
> Host: [REDACTED_DOMAIN]
> User-Agent: curl/8.5.0
> accept: application/dns-json
>
< HTTP/2 400
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< content-length: 31
< date: [date]
<
no 'dns' query parameter found
* Connection #0 to host [REDACTED_DOMAIN] left intact
Problem:
HTTP/2 400
content-type: text/plain; charset=utf-8
x-content-type-options: nosniff
content-length: 31
date: [date]
no 'dns' query parameter found
CoreDNS Configuration:
Here is my Corefile:
.:53 {
    log
    errors
    forward . 8.8.8.8 1.1.1.1
    cache 30
}
https://[REDACTED_DOMAIN]:443 {
    log
    tls /fullchain.pem /privkey.pem
    forward . 8.8.8.8 1.1.1.1
    cache 30
    health
}
To me, the configuration looks correct, and the Let's Encrypt certificates are valid, as the handshake was successfully completed.
Error Cause:
- The CoreDNS server is running smoothly and processes DNS requests on port 53.
- The error only occurs with DNS-over-HTTPS requests, not with regular DNS queries.
- The TLS certificates are correctly configured and validated.
- The server responds with HTTP Error Code 400.
- I’ve also tested with different clients, such as Firefox.
Has anyone experienced a similar issue with DNS-over-HTTPS in CoreDNS? Or does anyone have any suggestions as to why CoreDNS is not processing this request correctly?
I really hope you can help me. I’m new to CoreDNS and I’m stuck at this point, unable to move forward on my own.
Thank you very much!
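An added example, not part of the original post: the server's reply names a missing `dns` parameter, which is how an RFC 8484 DoH GET request carries its query (the DNS message in wire format, base64url-encoded with the padding removed), whereas `name=`/`type=` with `accept: application/dns-json` is the separate JSON API that Google and Cloudflare offer. The script below builds such a request for `google.de`/A and shows the inverse decoding a server performs; the host is a placeholder and the record-type table is an assumed small subset.

```python
import base64
import struct

# Added example (not from the post). RFC 8484 GET: the DNS message in wire format,
# base64url-encoded with the '=' padding removed, goes in the "dns" parameter.
# "?name=...&type=A" with "accept: application/dns-json" is a different API.

RR_TYPES = {"A": 1, "AAAA": 28, "MX": 15, "TXT": 16}  # assumed small subset


def build_query(name: str, rtype: str = "A", txid: int = 0) -> bytes:
    """Encode a minimal DNS query (12-byte header + one question) in wire format."""
    if rtype not in RR_TYPES:
        raise ValueError(f"unsupported record type {rtype!r}")
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
    # ID 0 is what RFC 8484 suggests for GET so that identical queries cache well.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"  # empty root label terminates the name
    question = qname + struct.pack("!HH", RR_TYPES[rtype], 1)  # QCLASS 1 = IN
    return header + question


def doh_get_url(base_url: str, name: str, rtype: str = "A") -> str:
    """Return the RFC 8484 GET URL; the '=' padding must be stripped."""
    wire = build_query(name, rtype)
    dns_param = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={dns_param}"


def decode_dns_param(dns_param: str) -> bytes:
    """What a DoH server does with the parameter: re-pad and decode to wire format."""
    return base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))


if __name__ == "__main__":
    # Placeholder host: the real domain in the post is redacted.
    url = doh_get_url("https://doh.example.invalid/dns-query", "google.de", "A")
    print(f"curl -s -H 'accept: application/dns-message' '{url}' | xxd")
```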