Google Chrome not working with Knot Resolver via DoH - knot-resolver-users

16 Bře 2022

Hello,

at AS50242 we run two recursive resolvers for our ISP customers. Both
resolvers are listening for doh2 with ECDSA SSL certs from
Letsencrypt.

ns1r.levonet.sk
ns2r.levonet.sk

kdig +https is working correctly, however I'm unable to use these DoH
resolvers with Google Chrome (99.0.4844.74) browser on MacOS (12.2.1).
In settings I entered "https://ns2r.levonet.sk" as custom DoH resolver
and I got error: Please verify that this is a valid provider or try
again.

I have enabled Knot debugging for doh and tls and log is flooded with
messages about "incomplete, refusing".

Does anybody have an idea what's wrong? Has Chrome some specific
requirements for DoH servers?

Thanks
Blažej

Mar 15 19:47:44 ns2r kresd[1317767]: [doh   ] [0x215d1e0] h2 session
created for 2a02:6ca3:800:0:60c4:dcd1:0000:0000#57880
Mar 15 19:47:44 ns2r kresd[1317767]: [tls   ] TLS handshake with
2a02:6ca3:800:0:60c4:dcd1:0000:0000#57880 has completed
Mar 15 19:47:44 ns2r kresd[1317775]: [doh   ] [0x168d620] h2 session
created for 2a02:6ca3:800:0:60c4:dcd1:0000:0000#57881
Mar 15 19:47:44 ns2r kresd[1317775]: [tls   ] TLS handshake with
2a02:6ca3:800:0:60c4:dcd1:0000:0000#57881 has completed
Mar 15 19:47:45 ns2r kresd[1317771]: [doh   ] [0x1016940] h2 session
created for 2a02:6ca3:800:0:60c4:dcd1:0000:0000#57882
Mar 15 19:47:45 ns2r kresd[1317771]: [tls   ] TLS handshake with
2a02:6ca3:800:0:60c4:dcd1:0000:0000#57882 has completed
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 7
incomplete, refusing (begin_headers_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 7
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 15
incomplete, refusing (begin_headers_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:45 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 15
incomplete, refusing (header_callback)
Mar 15 19:47:46 ns2r kresd[1317767]: [doh   ] [0x215d1e0] stream 23
incomplete, refusing (begin_headers_callback)