
[FR] Add Forward HTTPS feature

Open jeanseb6wind opened this issue 2 years ago • 6 comments

Current behavior

Currently, in a forward configuration, you can set a forward tls with forward-tls-upstream: yes.

Describe the desired feature

I would like the same feature for HTTPS, with a feature like forward-https-upstream: yes.

Potential use-case

It would allow passing through firewall rules in some environments.

Thanks

jeanseb6wind avatar Feb 02 '23 09:02 jeanseb6wind

If bypassing the firewall is your only concern you can specify the port to forward to as forward-addr: <ip>@443. Then on the receiving side you can have your target resolver listen on port 443 as well. This will do DNS-over-TLS (I am assuming forward-tls-upstream: yes) and both ends need to support it.

If the feature request is for upstream DNS-over-HTTPS, that is a whole new feature indeed.

gthess avatar Feb 02 '23 09:02 gthess
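The port workaround described above, as an added configuration example that is not part of the thread or of the Unbound project: the first fragment is for the resolver behind the firewall and makes it send DNS-over-TLS to port 443 of its upstream; the second is for the upstream Unbound instance and makes it serve DNS-over-TLS on port 443. The address 192.0.2.10, the name dns.example.net, the client network 198.51.100.0/24 and the key and certificate paths are placeholders you would replace with your own.

```conf
# Added example, not from the thread. Two separate unbound.conf files are shown.
# 192.0.2.10, dns.example.net, 198.51.100.0/24 and the file paths are placeholders.

# --- unbound.conf on the forwarding resolver (behind the firewall) ---
server:
    # CA bundle used to validate the certificate the upstream presents
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    # IP@port#authname: connect to 443 instead of the DoT default 853 and
    # require the upstream certificate to match dns.example.net
    forward-addr: 192.0.2.10@443#dns.example.net
    # speak TLS to this upstream; without this, plain DNS would be sent to 443
    forward-tls-upstream: yes

# --- unbound.conf on the upstream resolver at 192.0.2.10 ---
server:
    # listen on 443 and declare 443 as the TLS port (the default is 853)
    interface: 0.0.0.0@443
    tls-port: 443
    tls-service-key: "/etc/unbound/dns.example.net.key"
    tls-service-pem: "/etc/unbound/dns.example.net.pem"
    # only the forwarding resolver's network may query
    access-control: 198.51.100.0/24 allow
```

Run unbound-checkconf on both hosts before reloading. To verify the path end to end from the forwarding host, a DoT-capable client such as kdig from knot-dnsutils can query the upstream directly, for example `kdig @192.0.2.10 -p 443 +tls-ca +tls-hostname=dns.example.net example.com A`; a successful answer with certificate validation confirms the upstream is serving DoT on 443. Note that this only gets past port-based filtering: the traffic is TLS but not HTTP, so, as the rest of the thread points out, a firewall that inspects the protocol can still tell it apart from HTTPS.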

Indeed, setting the port could be a solution, but it will not work in practice because advanced firewalls check the protocol and allow only HTTPS.

jeanseb6wind avatar Feb 02 '23 10:02 jeanseb6wind

DNS-over-TLS is still encrypted traffic. Have you tried and it doesn't work on your environment?

gthess avatar Feb 02 '23 10:02 gthess

HTTPS adds encapsulation that is detected by the firewall, that's why I specifically need DoH forwarding

jeanseb6wind avatar Feb 02 '23 13:02 jeanseb6wind

Does that mean that it is used on a device with some kind of security software, which uses a trusted certificate on the host, and the firewall re-encrypts the original encrypted session so it can also see the inside of the encrypted channel? What would be the advantage of using DoH in such an environment?

pemensik avatar May 22 '23 12:05 pemensik

I think this is a duplicate of https://github.com/NLnetLabs/unbound/issues/308

Mikaela avatar Jun 18 '23 11:06 Mikaela