What happens if a DNS over HTTPS server responds with status 5xx or 4xx on iOS?

Looking at this example mobileconfig, I am trying to find out what happens if a DoH server responds with a status of 4xx or 5xx in response to a DoH query on iOS. For example, if NGINX is broken or, for whatever reason, the DoH server responds with any status other than 200. Does the DNS request completely fail, and will I get an error message in Safari? Does the iOS device automatically try another DNS?

There are 1 best solutions below

The specifications are quite clear, see RFC 8484 "DNS Queries over HTTPS (DoH)", section 4.2.1 "Handling DNS and HTTP Errors":

HTTP responses with non-successful HTTP status codes do not contain replies to the original DNS question in the HTTP request. DoH clients need to use the same semantic processing of non-successful HTTP status codes as other HTTP clients. This might mean that the DoH client retries the query with the same DoH server, such as if there are authorization failures (HTTP status code 401; see Section 3.1 of [RFC7235]). It could also mean that the DoH client retries with a different DoH server, such as for unsupported media types (HTTP status code 415; see Section 6.5.13 of [RFC7231]), or where the server cannot generate a representation suitable for the client (HTTP status code 406; see Section 6.5.6 of [RFC7231]), and so on.

Then the exact behavior will obviously depend on the client used, but that means the question is not really on-topic here, as it is not related to programming.
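The RFC 8484 section 4.2.1 handling quoted above, sketched as one possible client policy. This is an added example, not part of the original answer, and it does not describe what iOS actually does. The `post` transport hook, the set of statuses retried on the same server, the `*.example` URLs and the sample responses are assumptions constructed for illustration.

```python
import struct

DOH_TYPE = "application/dns-message"
RETRY_SAME_SERVER = {502, 503, 504}  # assumed policy: treat as transient

def build_query(name, qtype=1):
    """Wire-format DNS query (ID 0, RD set, class IN) for a DoH POST body."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_resolve(servers, query, post, retries=1):
    """Return (server_url, dns_message, attempts) from the first usable server.

    post(url, headers, body) -> (status, content_type, body) is a
    hypothetical transport hook. Fails closed with LookupError when every
    server errors; it never falls back to plaintext DNS.
    """
    headers = {"Content-Type": DOH_TYPE, "Accept": DOH_TYPE}
    attempts = []
    for url in servers:
        for _ in range(1 + retries):
            status, ctype, body = post(url, headers, query)
            attempts.append((url, status))
            if status == 200 and ctype == DOH_TYPE:
                return url, body, attempts
            # Non-successful status: the body is an HTTP error page, not a
            # DNS reply, so it is discarded rather than parsed.
            if status not in RETRY_SAME_SERVER:
                break  # e.g. 4xx such as 406/415: go to the next server
    raise LookupError("no DoH server answered: %r" % attempts)

# Constructed sample transport: the first server sits behind a broken
# reverse proxy, the second rejects the media type, the third answers.
# The 200 body is placeholder bytes, not a complete DNS message.
SAMPLE = {
    "https://doh-a.example/dns-query": (502, "text/html", b"<h1>Bad Gateway</h1>"),
    "https://doh-b.example/dns-query": (415, "text/plain", b"unsupported"),
    "https://doh-c.example/dns-query": (200, DOH_TYPE, b"\x00\x00\x81\x80"),
}

def sample_post(url, headers, body):
    return SAMPLE[url]

if __name__ == "__main__":
    print(doh_resolve(list(SAMPLE), build_query("example.com"), sample_post))
```

Whether a client raises an error to the application, as here, or falls back to another resolver once every DoH server has failed is a policy decision of that client, which is why the observed behaviour differs between implementations.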