
DoH is working even if deactivated #6994

Open
4 tasks done
OniriCorpe opened this issue May 13, 2024 · 3 comments
Labels
waiting for data Waiting for users to provide more data.
OniriCorpe commented May 13, 2024

Prerequisites

Platform (OS and CPU architecture)

Linux, AMD64 (aka x86_64)

Installation

Custom package (OpenWrt, HomeAssistant, etc; please mention in the description)

Setup

On one machine

AdGuard Home version

0.107.48

Action

Even when tls: enabled: false, the AGH server replies to DoH requests:

q example.com MX @https://adguard.example.com
example.com. 21h57m8s MX 0 .

full TLS config section:

tls:
  enabled: false
  server_name: adguard.example.com
  force_https: false
  port_https: 13120
  port_dns_over_tls: 853
  port_dns_over_quic: 784
  port_dnscrypt: 0
  dnscrypt_config_file: ""
  allow_unencrypted_doh: true
  certificate_chain: ""
  private_key: ""
  certificate_path: /etc/yunohost/certs/adguard.example.com/crt.pem
  private_key_path: /etc/yunohost/certs/adguard.example.com/key.pem
  strict_sni_check: false

Expected result

if tls: enabled: false, AGH should refuse any DoH requests, as stated in the interface:

a screenshot of the 'Encryption settings' page of AGH. The 'Enable Encryption (HTTPS, DNS-over-HTTPS, and DNS-over-TLS)' setting is followed by this sentence: 'If encryption is enabled, AdGuard Home admin interface will work over HTTPS, and the DNS server will listen for requests over DNS-over-HTTPS and DNS-over-TLS.'

Actual result

Instead of refusing the DoH request, AGH replies with the right answer.

The setting is working properly for DoT and DoQ.

Additional information and/or screenshots

The installation is using the YunoHost package
I'm one of its maintainers, btw

@OniriCorpe OniriCorpe changed the title DoH is working even is deactivated DoH is working even if deactivated May 13, 2024

ainar-g commented May 17, 2024

Thanks for the report. This seems to be an unintended consequence of allow_unencrypted_doh: true. DoH on port 443 doesn't work, but on port 80 does.

OniriCorpe (author) commented

just in case: the nginx config for the /dns-query path:

location /dns-query {
  proxy_set_header Host $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_bind 127.0.0.1;
  proxy_pass http://127.0.0.1:3002/dns-query;
}


ainar-g commented May 30, 2024

On second thought, I'm not sure whether this is an issue. Enabling the DoH server over plain HTTP is precisely what the setting is supposed to do. @OniriCorpe, what's the expected behavior here from your point of view? As in, why wasn't the connection between allow_unencrypted_doh and serving DNS over plain HTTP obvious?
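The thread boils down to a configuration-review question: with tls.enabled false, which transports does AdGuard Home still answer on, and does the reverse proxy in front of it expose that listener? The following is an added example (not code from the issue, the AdGuard Home project, or the YunoHost package) that checks both halves of that question against the YAML values and the nginx location block quoted above. The config is embedded as a Python dict constructed from the reporter's snippet; bind_port 3002 is an assumption taken from the nginx proxy_pass target, and the rule that allow_unencrypted_doh alone switches on plain-HTTP DoH follows the maintainer's explanation in this thread.

```python
import re
from copy import deepcopy

# Constructed from the YAML in the issue; hostnames and paths are the reporter's examples.
# bind_port is an assumption: nginx proxies /dns-query to 127.0.0.1:3002 in the issue.
AGH_CONFIG = {
    "bind_port": 3002,
    "tls": {
        "enabled": False,
        "server_name": "adguard.example.com",
        "force_https": False,
        "port_https": 13120,
        "port_dns_over_tls": 853,
        "port_dns_over_quic": 784,
        "allow_unencrypted_doh": True,
    },
}

# Constructed copy of the nginx location block quoted in the issue.
NGINX_SNIPPET = """
location /dns-query {
  proxy_set_header Host $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_bind 127.0.0.1;
  proxy_pass http://127.0.0.1:3002/dns-query;
}
"""


def dns_listeners(cfg):
    """Which DNS transports the tls section actually switches on.

    DoH-over-HTTPS, DoT and DoQ all depend on tls.enabled; plain-HTTP DoH is
    governed by allow_unencrypted_doh alone (per the maintainer's comment).
    """
    tls = cfg.get("tls", {})
    enabled = bool(tls.get("enabled", False))
    return {
        "doh_https": enabled and tls.get("port_https", 0) > 0,
        "dot": enabled and tls.get("port_dns_over_tls", 0) > 0,
        "doq": enabled and tls.get("port_dns_over_quic", 0) > 0,
        "doh_plain_http": bool(tls.get("allow_unencrypted_doh", False)),
    }


def lint_doh_exposure(cfg):
    """Findings for the 'encryption off but DoH still answers' surprise."""
    findings = []
    tls = cfg.get("tls", {})
    if not tls.get("enabled", False) and dns_listeners(cfg)["doh_plain_http"]:
        findings.append(
            "tls.enabled is false but allow_unencrypted_doh is true: /dns-query is "
            "still answered over plain HTTP on the web port %d" % cfg.get("bind_port", 80)
        )
    return findings


def harden(cfg):
    """Copy of cfg with plain-HTTP DoH switched off, the change the thread implies."""
    out = deepcopy(cfg)
    out.setdefault("tls", {})["allow_unencrypted_doh"] = False
    return out


_LOCATION_RE = re.compile(r"location\s+(\S+)\s*\{(.*?)\}", re.S)
_PROXY_PASS_RE = re.compile(r"proxy_pass\s+(\S+?);")


def proxied_doh_paths(nginx_conf):
    """Map location -> upstream for locations forwarding to a /dns-query upstream."""
    result = {}
    for path, body in _LOCATION_RE.findall(nginx_conf):
        m = _PROXY_PASS_RE.search(body)
        if m and m.group(1).endswith("/dns-query"):
            result[path] = m.group(1)
    return result


if __name__ == "__main__":
    for line in lint_doh_exposure(AGH_CONFIG):
        print("WARN:", line)
    for path, upstream in proxied_doh_paths(NGINX_SNIPPET).items():
        print("nginx exposes %s -> %s" % (path, upstream))
    print("after hardening:", lint_doh_exposure(harden(AGH_CONFIG)))
```

Run against the issue's values, the linter reports the plain-HTTP DoH listener, the nginx check shows that /dns-query is published through the proxy, and the hardened copy (allow_unencrypted_doh: false) produces no findings. The same two functions can be pointed at a real AdGuardHome.yaml (loaded with any YAML parser) and nginx site file.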

@ainar-g ainar-g added waiting for data Waiting for users to provide more data. and removed bug P3: Medium labels May 30, 2024