
feature request: DNS-over-HTTPS support

Open appliedprivacy opened this issue 5 years ago • 8 comments

blackbox_exporter got DNS-over-TLS support in #643; it would be great to have DNS-over-HTTPS (DoH, RFC 8484) support as well.

Currently we just test via HTTP and check the return code, but that is very limited and does not detect any end-to-end issues, for example if the HTTP status code is 200 but there is no actual DNS payload within the HTTPS connection.

DoH support would be the combination of the HTTP (status codes, headers, basic auth, proxy, ..) and DNS (query name, rcodes, answer, ...) probes.

appliedprivacy · Jun 19 '20 22:06

I think this may already be possible with the various header and body sending and receiving field matching in the http probe.

SuperQ · Jun 20 '20 07:06

Sending is easy, for example this is a valid DoH request:

https://doh.applied-privacy.net/query?dns=l1sBAAABAAAAAAAAA3d3dw1rbm90LXJlc29sdmVyAmN6AAAcAAE

but how would I validate the DNS rcode or the response data?

Can fail_if_body_not_matches_regexp be used with non-text responses as well?

thanks!

appliedprivacy · Jun 20 '20 08:06

If the library we use makes it easy, we could add it.

brian-brazil · Jun 20 '20 09:06

The tricky bit with the http method is the regexp matching of the binary data.

modules:
  doh:
    prober: http
    timeout: 5s
    http:
      method: GET
      headers:
        Content-Type: application/dns-message
      fail_if_not_ssl: true
      fail_if_body_not_matches_regexp:
        - '.*knot-resolver.*'
      tls_config:
        insecure_skip_verify: false

SuperQ · Jun 20 '20 09:06

It doesn't look like https://github.com/miekg/dns supports RFC8484 yet.

SuperQ · Jun 20 '20 09:06

The HTTP body of RFC 8484 responses is just plain DNS wire format sent in an HTTPS connection (https://tools.ietf.org/html/rfc8484#section-4.2.2). So it would be possible to parse the HTTP response body using the mentioned dns library?

appliedprivacy · Jun 20 '20 11:06
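The two comments above (how to validate the rcode or answer data of a DoH reply, and the observation that the HTTPS body is plain DNS wire format) are illustrated by the following added example. It is not blackbox_exporter code and not from any participant in this thread; it is a stand-alone Python script that decodes the `dns=` parameter from the URL quoted earlier in the issue, parses a DNS wire-format response body with the standard library only, and runs the kind of checks a DoH probe would need on top of the HTTP status code. The `check_doh_response` function and its arguments are an assumed design, loosely modelled on the rcode and answer checks of the existing DNS prober; the response message it parses is constructed inline (the `2001:db8::1` address is a documentation-prefix placeholder, not a real lookup result).

```python
import base64
import ipaddress
import struct

# The dns= parameter from the DoH GET URL quoted in the issue (page content).
ISSUE_DNS_PARAM = "l1sBAAABAAAAAAAAA3d3dw1rbm90LXJlc29sdmVyAmN6AAAcAAE"

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def decode_dns_param(param: str) -> bytes:
    """RFC 8484 section 4.1: base64url without padding -> DNS wire-format message."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def encode_dns_param(msg: bytes) -> str:
    """Inverse of decode_dns_param; padding is stripped as the RFC requires."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def build_query(qname: str, qtype: int, txid: int = 0, rd: bool = True) -> bytes:
    """Minimal RFC 1035 query: 12-byte header, one question, class IN, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int):
    """Read a possibly compressed name; return (name, offset just after it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = end if end is not None else off + 2
            hops += 1
            if hops > 16 or ptr >= off:  # pointer loops and forward pointers are malformed
                raise ValueError("bad compression pointer")
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Parse the header, question and answer sections of a DNS response body."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x0F
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        # A and AAAA rdata are rendered as addresses; anything else is kept as hex.
        value = str(ipaddress.ip_address(rdata)) if rtype in (1, 28) else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": rcode, "rcode_name": RCODES.get(rcode, f"RCODE{rcode}"),
            "questions": questions, "answers": answers}


def build_sample_response(query: bytes, rcode: int = 0, answers=()) -> bytes:
    """Constructed response for demonstration: echoes the single question of `query`
    and adds one A/AAAA RR per address, using a pointer to the question name (offset 12)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    rrs = b""
    for addr in answers:
        rdata = ipaddress.ip_address(addr).packed
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1 if len(rdata) == 4 else 28, 1, 300, len(rdata)) + rdata
    return header + query[12:] + rrs


def check_doh_response(status: int, content_type: str, body: bytes, expect_qname: str,
                       expect_qtype: int, valid_rcodes=("NOERROR",)):
    """Assumed probe logic: what to verify beyond the HTTP status code. Returns (ok, reason)."""
    if status != 200:
        return False, f"http status {status}"
    if content_type.split(";")[0].strip() != "application/dns-message":
        return False, f"unexpected content-type {content_type!r}"
    try:
        r = parse_response(body)
    except (ValueError, struct.error, IndexError, UnicodeDecodeError) as exc:
        return False, f"body is not a DNS message: {exc}"
    if r["rcode_name"] not in valid_rcodes:
        return False, f"rcode {r['rcode_name']}"
    if (expect_qname, expect_qtype) not in r["questions"]:
        return False, "question section does not echo the query"
    if r["rcode_name"] == "NOERROR" and not any(a[1] == expect_qtype for a in r["answers"]):
        return False, f"no answer RR of type {expect_qtype}"
    return True, "ok"


if __name__ == "__main__":
    q = decode_dns_param(ISSUE_DNS_PARAM)
    print(parse_response(build_sample_response(q, answers=("2001:db8::1",))))
    print(check_doh_response(200, "text/html", b"<html>ok</html>", "www.knot-resolver.cz", 28))
```

Decoding the issue's own parameter yields an AAAA query for `www.knot-resolver.cz`, which is exactly what `build_query("www.knot-resolver.cz", 28, txid=0x975B)` produces, so the encoder and decoder round-trip. The last `check_doh_response` call shows the failure mode raised at the top of the issue: a 200 response whose body is not a DNS message is rejected even though the HTTP status looks healthy.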

I'm not going to duplicate the entire DNS/HTTP probe in the other. If upstream adds it we can consider it then.

brian-brazil · Jun 20 '20 13:06

https://github.com/miekg/dns/issues/1370#issuecomment-1274367744 has a comment by the miekg/dns maintainer about whether he will add DoH and DoQ support; it does not look like it. Does that have any impact on this issue?

A tool written in go that supports DoH and DoQ: https://github.com/natesales/q

appliedprivacy · Mar 15 '25 17:03