
I am making a custom DoH server that should resolve some TLDs differently. I am using NodeJS to implement it. For most domains, it just proxies them to Google's DoH and it works. But when I try to resolve some custom domains, for example

mydomain.customtld

I want it to point to

bafybeie5nqv6kd3qnfjupgvz34woh3oksc3iau6abmyajn7qvtf6d2ho34.ipfs.dweb.link

I tried formatting the DNS response myself and it fails. So, I resorted to resolving the mentioned link (i.e. bafybeie5nqv6kd3qnfjupgvz34woh3oksc3iau6abmyajn7qvtf6d2ho34.ipfs.dweb.link) over Google DoH or some other DoH server and forwarding it to the client as a response.

So, I did the following:

  • I use the dohjs Node.js library
  • I resolve the mentioned link like this:
const doh = require('dohjs');
const resolver = new doh.DohResolver('https://dns.google/dns-query');

// query() returns a promise, so it has to be awaited inside an async function
(async () => {
  // Resolve the IPFS gateway name upstream; the result is a parsed dns-packet object
  let dnsAnswer = await resolver.query(`bafybeie5nqv6kd3qnfjupgvz34woh3oksc3iau6abmyajn7qvtf6d2ho34.ipfs.dweb.link`, 'A');
  console.log(dnsAnswer);
})();

And I get the following response:

{
  id: 0,
  type: 'response',
  flags: 384,
  flag_qr: true,
  opcode: 'QUERY',
  flag_aa: false,
  flag_tc: false,
  flag_rd: true,
  flag_ra: true,
  flag_z: false,
  flag_ad: false,
  flag_cd: false,
  rcode: 'NOERROR',
  questions: [
    {
      name: 'bafybeie5nqv6kd3qnfjupgvz34woh3oksc3iau6abmyajn7qvtf6d2ho34.ipfs.dweb.link',
      type: 'A',
      class: 'IN'
    }
  ],
  answers: [
    {
      name: 'bafybeie5nqv6kd3qnfjupgvz34woh3oksc3iau6abmyajn7qvtf6d2ho34.ipfs.dweb.link',
      type: 'A',
      ttl: 59,
      class: 'IN',
      flush: false,
      data: '209.94.90.1'
    }
  ],
  authorities: [],
  additionals: []
}

This seems like a valid DNS packet, but after encoding it and forwarding it to the client (Chrome in this case), it fails to resolve it.

The only thing I could think of is that the response is missing additionals, but I am not sure... The specific error I get is DNS_PROBE_FINISHED_NXDOMAIN.

So, how could I solve this?

ajaleksa

Comments:

  • "I tried formating DNS response myself and it fails." + "This seems like a valid DNS packet" No it is not, as you show some JSON value. DOH does not use JSON by default, what is exchanged is still DNS messages as they happen on the wire with the core DNS protocol on port 53. To get any further you will need to show 1) specific code where you prepare the reply and 2) specific tests you do, like with `dig` testing your endpoint. – Patrick Mevzek Aug 19 '21 at 18:33
  • "The only thing I could think of is that response is missing additionals" That is most certainly not where your problems will be. As the name of the section says, this exists just to help resolvers take some shortcuts but as such is not needed/is not part of the answer (otherwise it would be in the ANSWER section), so their absence should never trigger an error. – Patrick Mevzek Aug 19 '21 at 18:34

1 Answer


So, as it turns out, my DNS response packet was valid. The problem was that the URL in the browser URL bar was not the same as the one being returned in the question and answer sections of the DNS packet, and that presents a problem to the browser. It is probably due to security, but when I changed the name in the answer and question sections, my DNS packet was accepted by the browser. The question is definitely wrong and out of line, but I will be keeping it, since this answer may help someone having the same problem while writing a custom DoH for browsers to use.

Cheers, and thanks for the helpful comments which eventually helped me figure out that the packet is okay and that the problem was somewhere else.

ajaleksa
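The fix described in the answer, shown as an added example that is not part of the original question or answer and does not use dohjs: a minimal wire-format DNS responder for a custom DoH backend in Node.js, built only on the standard library so it runs offline. It parses the client's query, looks up the real target upstream (the upstream lookup is a constructed table mirroring the values in the post, not a live resolution), and builds a response whose question section is copied byte-for-byte from the client's query and whose answer owner name points at that same name. The alias table `ALIASES`, the function names and the `matchesQuery` check are all assumptions made for this example.

```javascript
// Added example, not code from the original post. Wire-format DNS (RFC 1035)
// helpers sufficient for a custom DoH resolver that aliases a custom TLD name
// to an address obtained upstream. Node.js standard library only.

const TYPE_A = 1;
const CLASS_IN = 1;

// Constructed sample: the A record an upstream DoH lookup returned for the
// IPFS gateway name (values taken from the post, not from a live query).
const UPSTREAM_ANSWER = {
  name: 'bafybeie5nqv6kd3qnfjupgvz34woh3oksc3iau6abmyajn7qvtf6d2ho34.ipfs.dweb.link',
  type: 'A', ttl: 59, data: '209.94.90.1',
};

// Hypothetical alias table: name the client asks for -> name to resolve upstream.
const ALIASES = { 'mydomain.customtld': UPSTREAM_ANSWER.name };

// Encode a domain name as length-prefixed labels terminated by a zero byte.
function encodeName(name) {
  const parts = [];
  for (const label of name.replace(/\.$/, '').split('.')) {
    const b = Buffer.from(label, 'ascii');
    parts.push(Buffer.from([b.length]), b);
  }
  parts.push(Buffer.from([0]));
  return Buffer.concat(parts);
}

// Decode a name at `offset`, following compression pointers (0xC0xx).
// Returns the name and the offset just past the name as it appears in the message.
function decodeName(buf, offset) {
  const labels = [];
  let end = -1, jumps = 0;
  for (;;) {
    const len = buf[offset];
    if ((len & 0xc0) === 0xc0) {
      if (++jumps > 16) throw new Error('compression pointer loop');
      if (end < 0) end = offset + 2;
      offset = ((len & 0x3f) << 8) | buf[offset + 1];
      continue;
    }
    offset += 1;
    if (len === 0) break;
    labels.push(buf.toString('ascii', offset, offset + len));
    offset += len;
  }
  return { name: labels.join('.'), offset: end < 0 ? offset : end };
}

// Build a single-question query (what the client sends as application/dns-message).
function buildQuery(id, name, type = TYPE_A) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(0x0100, 2); // RD set
  header.writeUInt16BE(1, 4);      // QDCOUNT = 1
  const tail = Buffer.alloc(4);
  tail.writeUInt16BE(type, 0);
  tail.writeUInt16BE(CLASS_IN, 2);
  return Buffer.concat([header, encodeName(name), tail]);
}

function parseQuery(buf) {
  if (buf.readUInt16BE(4) !== 1) throw new Error('expected exactly one question');
  const q = decodeName(buf, 12);
  return { id: buf.readUInt16BE(0), name: q.name.toLowerCase(),
           type: buf.readUInt16BE(q.offset), questionEnd: q.offset + 4 };
}

// Build the response: same ID, question section copied verbatim from the
// query, answer owner name = pointer to offset 12 (0xC00C), i.e. the name the
// client asked for. With no answer the RCODE is NXDOMAIN (3).
function buildResponse(queryBuf, answer) {
  const q = parseQuery(queryBuf);
  const header = Buffer.alloc(12);
  header.writeUInt16BE(q.id, 0);
  header.writeUInt16BE(0x8180, 2); // QR, RD, RA; RCODE 0
  header.writeUInt16BE(1, 4);      // QDCOUNT
  const question = queryBuf.subarray(12, q.questionEnd);
  if (!answer) { header[3] |= 3; return Buffer.concat([header, question]); }
  header.writeUInt16BE(1, 6);      // ANCOUNT
  const rr = Buffer.alloc(16);
  rr.writeUInt16BE(0xc00c, 0);     // NAME: pointer to the question name
  rr.writeUInt16BE(TYPE_A, 2);
  rr.writeUInt16BE(CLASS_IN, 4);
  rr.writeUInt32BE(answer.ttl, 6);
  rr.writeUInt16BE(4, 10);         // RDLENGTH
  Buffer.from(answer.data.split('.').map(Number)).copy(rr, 12);
  return Buffer.concat([header, question, rr]);
}

function parseResponse(buf) {
  const out = { id: buf.readUInt16BE(0), rcode: buf[3] & 0x0f, answers: [] };
  const q = decodeName(buf, 12);
  out.qname = q.name;
  let off = q.offset + 4;
  for (let i = 0, n = buf.readUInt16BE(6); i < n; i++) {
    const a = decodeName(buf, off);
    const rdlen = buf.readUInt16BE(a.offset + 8);
    const rdata = buf.subarray(a.offset + 10, a.offset + 10 + rdlen);
    out.answers.push({ name: a.name, ttl: buf.readUInt32BE(a.offset + 4),
                       data: Array.from(rdata).join('.') });
    off = a.offset + 10 + rdlen;
  }
  return out;
}

// The DoH handler: `upstream` maps target names to A records (in a real
// server this is where resolver.query(target, 'A') would be awaited).
// The upstream TTL and address are kept; the owner name is rewritten to the
// client's name, which is the change the answer describes.
function handleQuery(queryBuf, upstream) {
  const q = parseQuery(queryBuf);
  const target = ALIASES[q.name];
  const rec = target && q.type === TYPE_A ? upstream[target] : null;
  return buildResponse(queryBuf, rec ? { ...rec, name: q.name } : null);
}

// Simplified client-side check: the response must echo the query's ID and
// question name, and every A answer must be for that name.
function matchesQuery(queryBuf, responseBuf) {
  const q = parseQuery(queryBuf), r = parseResponse(responseBuf);
  return q.id === r.id && q.name === r.qname.toLowerCase() &&
         r.answers.every((a) => a.name.toLowerCase() === q.name);
}

module.exports = { UPSTREAM_ANSWER, buildQuery, buildResponse, parseResponse, handleQuery, matchesQuery };
```

Usage: `handleQuery(buildQuery(0x1234, 'mydomain.customtld'), { [UPSTREAM_ANSWER.name]: UPSTREAM_ANSWER })` yields a response whose question and answer both name `mydomain.customtld`, while `buildResponse(buildQuery(1, UPSTREAM_ANSWER.name), UPSTREAM_ANSWER)` reproduces the original mistake: a well-formed packet that answers a different question than the client asked, which `matchesQuery` rejects.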