[GH-ISSUE #1925] Configuring trust-dns behind Traefik as a DOH server? #819

Closed
opened 2026-03-16 00:24:26 +03:00 by kerem · 15 comments

Originally created by @Gontier-Julien on GitHub (May 2, 2023).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/1925

What is the question?

I wanted to know if it would be possible to have trust-dns as a DOH server behind Traefik? ^^
If so, could you help me with an example config file to have it working behind Traefik? ^^

kerem 2026-03-16 00:24:26 +03:00
  • closed this issue
  • added the question label

@djc commented on GitHub (May 4, 2023):

It's probably possible. I don't think it's likely that the trust-dns maintainers will write a specific example for your use case, but if you write up some things you've tried which haven't worked as expected we might be able to point you in the right direction.


@Gontier-Julien commented on GitHub (May 5, 2023):

I don't really know where to start to use trust-dns tho


@bluejekyll commented on GitHub (May 8, 2023):

This should be possible. The current best example for DoH is here: https://github.com/bluejekyll/trust-dns/blob/main/tests/test-data/test_configs/dns_over_https.toml

You'd want to combine that with a more complete configuration like this: https://github.com/bluejekyll/trust-dns/blob/main/tests/test-data/test_configs/example.toml


@Gontier-Julien commented on GitHub (May 8, 2023):

> This should be possible. The current best example for DoH is here: https://github.com/bluejekyll/trust-dns/blob/main/tests/test-data/test_configs/dns_over_https.toml
>
> You'd want to combine that with a more complete configuration like this: https://github.com/bluejekyll/trust-dns/blob/main/tests/test-data/test_configs/example.toml

Thanks! I'll try that ^^
Also, is it possible without using any cert, since it would be handled by Traefik?


@bluejekyll commented on GitHub (May 15, 2023):

DoH is designed to run over HTTPS only, so it's not an option to run without a cert. Can you self-sign and register the public key with Traefik? I'm not familiar with that service.


@Gontier-Julien commented on GitHub (May 15, 2023):

Alright, well, I can tell Traefik not to encrypt the traffic and let trust-dns do it with the cert from Traefik; that's no problem!
Thanks for the info though!

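One way to realise the setup described in the comment above (Traefik forwarding the TLS stream untouched, trust-dns terminating TLS itself with the certificate dumped from Traefik) is a Traefik v2 TCP router with TLS passthrough. This is an added example, not configuration from the thread or from either project; the hostname `dns.example.com`, the entrypoint name `websecure`, the service name and the backend address `trust-dns:8053` are assumptions.

```yaml
# Traefik dynamic configuration (file provider), added example.
# Traefik reads only the SNI from the ClientHello and passes the raw TLS
# bytes to trust-dns, so the private key never has to be loaded by Traefik.
tcp:
  routers:
    doh-passthrough:
      entryPoints:
        - websecure                      # assumed: the :443 entrypoint
      rule: "HostSNI(`dns.example.com`)" # assumed hostname for the DoH endpoint
      service: trust-dns-doh
      tls:
        passthrough: true                # do not terminate TLS here
  services:
    trust-dns-doh:
      loadBalancer:
        servers:
          - address: "trust-dns:8053"    # assumed: the trust-dns listener from the config below
```

On the trust-dns side the `tls_cert` entry (certificate and private key) is still required, because with passthrough nothing else terminates TLS.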

@Gontier-Julien commented on GitHub (Jun 24, 2023):

So, as I finally have some time to try this, I have a suggestion: it would be great to have this project support acme.json ^^


@Gontier-Julien commented on GitHub (Jun 24, 2023):

Also, I've been struggling to get past this point:

```
thread 'main' panicked at 'could not register TLS listener: Custom { kind: Other, error: "error creating TLS acceptor: unexpected error: invalid private key" }', bin/src/named.rs:617:14
```

I've been using this to get the necessary cert and key:

https://github.com/ldez/traefik-certs-dumper


@Gontier-Julien commented on GitHub (Jun 24, 2023):

The current config:

```toml
listen_addrs_ipv4 = ["0.0.0.0"]

## listen_port: port on which to listen, default 53
listen_port = 8053

tls_cert = { path = "/ssl-certs/certs/certs/domain.cert.pem", endpoint_name = "domain", cert_type = "pem", private_key = "/ssl-certs/certs/private/domain.key" }

## if true, looks to see if a chained pem file exists at $file.pem (see
## supported_algorithms below).
## these keys will also be registered as authorities for update,
## meaning that SIG(0) updates can be established by initially using these
## keys. the zone will be signed with all specified keys, it may be desirable
## to limit this set for performance reasons.
enable_dnssec = false

[[zones]]
## zone: this is the ORIGIN of the zone, aka the base name, '.' is implied on the end
##  specifying something other than '.' here, will restrict this forwarder to only queries
##  where the search name is a subzone of the name, e.g. if zone is "example.com.", then
##  queries for "www.example.com" or "example.com" would be forwarded.
zone = "."

## zone_type: Primary, Secondary, Hint, Forward
zone_type = "Forward"

## remember the port, defaults: 53 for Udp & Tcp, 853 for Tls and 443 for Https.
##   Tls and/or Https require features dns-over-tls and/or dns-over-https
stores = { type = "forward", name_servers = [{ socket_addr = "8.8.8.8:53", protocol = "udp", trust_nx_responses = false },
                                             { socket_addr = "8.8.8.8:53", protocol = "tcp", trust_nx_responses = false }] }
```

@Gontier-Julien commented on GitHub (Jun 24, 2023):

I'm also just trying to have a DOH server and not a DOT one.

But in the log it keeps trying to set up a DOT one:

```
1687631578:INFO:named:593:loading cert for DNS over TLS: "/ssl-certs/certs/certs/domain.cert.pem"
```


@Gontier-Julien commented on GitHub (Jul 6, 2023):

Any news on the situation?


@djc commented on GitHub (Jul 24, 2023):

DoH also needs TLS -- DoH requires HTTP 2, which in practice requires TLS.


@Gontier-Julien commented on GitHub (Jul 24, 2023):

Could you help me with this situation? I don't really know what I am missing here.


@djc commented on GitHub (Jul 24, 2023):

Sorry, I don't really have time to provide support for this.


@Gontier-Julien commented on GitHub (Jul 24, 2023):

No problem, I'll close this issue now.
