Trouble with doh-proxy: How to maintain a single HTTPS connection without periodic reconnects?


I'm experiencing an issue with doh-proxy from https://github.com/facebookarchive/doh-proxy, which provides DNS-over-HTTPS functionality. Specifically, I use its "doh-stub" feature, which runs a service that listens for DNS requests and forwards them to a DoH server. In my test environment, the DoH server is simulated using DNSDist. So when a DNS query is sent to the doh-proxy "doh-stub" service, it is forwarded over DoH to my server. When the service is launched, I pass a self-signed certificate as an argument to set up the HTTPS connection.

My specific problem is that the doh-proxy tool establishes an initial HTTPS connection. Then, about 1000 seconds later, it establishes a new HTTPS connection, and all the traffic that used the previous connection now goes over the new one. I would like it to maintain a single connection without creating a new one and shifting traffic to it.

The log output tells me that it establishes this new connection after 998 streams. Unfortunately, I don't know why it is making this new connection.

[Screenshot: log of the doh-proxy tool when it initiates a new connection after 998 streams]

Here are the relevant details of my setup:

  • Operating systems of machines using the doh-proxy tool: Debian 11 / Windows 10
  • Version of doh-proxy: 0.0.9 (installed with pip with Python 3.5)

Do you know if there is any way to set up a single HTTPS connection? Do you know how to modify the code to achieve this?

Any guidance or insights would be greatly appreciated. Thanks in advance!

1 answer

The new connection set up by the "doh-proxy" tool is caused by the Priority library (https://github.com/python-hyper/priority), which is used to manage HTTP/2 streams and which received a security patch for a flaw that let attackers use the library to carry out DoS attacks [1]. As a result, in Priority version 1.2.0 the maximum number of streams that can be inserted into the tree was set to 1000 by default. This limit can, however, be configured by the user.

So, to maintain a single HTTPS connection using the "doh-proxy" tool, the solution is to increase the maximum number of streams allowed by the Priority library. This means modifying the parameter manually and running your own version of the library.