DNS-over-HTTP/3 support in Cloudflare Gateway

Recently Google and Cloudflare announced (security.googleblog.com/2022/07/dns-over-http3-in-android.html) DNS-over-HTTP/3 (DoH3) support. So, Cloudflare public DNS now supports DoH3.
Does Cloudflare Gateway (YOUR_DOH_SUBDOMAIN.cloudflare-gateway.com/dns-query) also support DoH3?

2 Likes

My experiment with curl+quiche shows that cloudflare-dns.com/dns-query indeed supports both HTTP/2 and HTTP/3. However, cloudflare-gateway.com/dns-query does not support HTTP/3. The connection times out if I add the --http3 flag, while it does work with --http2.

See the full console output
$ curl -4 --http2 -m 5 https://123abcdefg.cloudflare-gateway.com/dns-query?name=cloudflare.com -H "accept: application/dns-json"
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":true,"CD":false,"Question":[{"name":"cloudflare.com","type":1}],"Answer":[{"name":"cloudflare.com","type":1,"TTL":257,"data":"104.16.132.229"},{"name":"cloudflare.com","type":1,"TTL":257,"data":"104.16.133.229"}]}


$ curl -4 -v --http3 -m 5 https://123abcdefg.cloudflare-gateway.com/dns-query?name=cloudflare.com -H "accept: application/dns-json"
*   Trying 162.159.36.20:443...
* Connect socket 5 over QUIC to 162.159.36.20:443
* Sent QUIC client Initial, ALPN: h3,h3-29,h3-28,h3-27
* After 2492ms connect time, move on!
* connect to 162.159.36.20 port 443 failed: Connection timed out
*   Trying 162.159.36.5:443...
* Connect socket 6 over QUIC to 162.159.36.5:443
* Sent QUIC client Initial, ALPN: h3,h3-29,h3-28,h3-27
* After 1246ms connect time, move on!
* connect to 162.159.36.5 port 443 failed: Connection timed out
* Failed to connect to 123abcdefg.cloudflare-gateway.com port 443 after 3753 ms: Connection timed out
* Closing connection 0
curl: (28) Failed to connect to 123abcdefg.cloudflare-gateway.com port 443 after 3753 ms: Connection timed out


$ curl -4 --http2 -m 5 https://cloudflare-dns.com/dns-query?name=cloudflare.com -H "accept: application/dns-json"
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":true,"CD":false,"Question":[{"name":"cloudflare.com","type":1}],"Answer":[{"name":"cloudflare.com","type":1,"TTL":295,"data":"104.16.132.229"},{"name":"cloudflare.com","type":1,"TTL":295,"data":"104.16.133.229"}]}


$ curl -4 --http3 -m 5 https://cloudflare-dns.com/dns-query?name=cloudflare.com -H "accept: application/dns-json" -v > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 104.16.248.249:443...
* Connect socket 5 over QUIC to 104.16.248.249:443
* Sent QUIC client Initial, ALPN: h3,h3-29,h3-28,h3-27
* Connected to cloudflare-dns.com () port 443 (#0)
* h3 [:method: GET]
* h3 [:path: /dns-query?name=cloudflare.com]
* h3 [:scheme: https]
* h3 [:authority: cloudflare-dns.com]
* h3 [user-agent: curl/7.78.0-DEV]
* h3 [accept: application/dns-json]
* Using HTTP/3 Stream ID: 0 (easy handle 0x1648910)
> GET /dns-query?name=cloudflare.com HTTP/3
> Host: cloudflare-dns.com
> user-agent: curl/7.78.0-DEV
> accept: application/dns-json
>
< HTTP/3 200
< server: nginx
< date: Fri, 21 Oct 2022 13:58:01 GMT
< content-type: application/dns-json
< access-control-allow-origin: *
< content-length: 261
< cf-ray: 75da8171fc7bb8de-AMS
<
{ [261 bytes data]
100   261  100   261    0     0   5926      0 --:--:-- --:--:-- --:--:--  6069
* Connection #0 to host cloudflare-dns.com left intact
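
The comparison in the post above can be repeated against any DoH endpoint with the script below. It is an added example, not part of the original post; the function names `classify_probe` and `probe_doh` are hypothetical. It assumes a curl build with HTTP/3 support, and it reads the negotiated version from `%{http_version}` rather than trusting the flag, because newer curl releases may fall back to an older HTTP version when `--http3` is given.

```shell
#!/bin/sh
# Added example: probe a DoH endpoint over HTTP/2 and HTTP/3 and report
# whether the requested version was actually negotiated.
# Usage (placeholder subdomain, as in the question):
#   ./probe.sh 'https://YOUR_DOH_SUBDOMAIN.cloudflare-gateway.com/dns-query?name=cloudflare.com'

# classify_probe EXIT_CODE NEGOTIATED_VERSION WANTED_VERSION
# Maps curl's exit code and %{http_version} to a one-word verdict.
classify_probe() {
  case "$1" in
    0)  if [ "$2" = "$3" ]; then
          echo "supported"
        else
          # The request succeeded, but over a different HTTP version.
          echo "fallback:http/$2"
        fi ;;
    2)  echo "client-lacks-support" ;;  # curl failed to initialise, e.g. no HTTP/3 in this build
    7)  echo "refused" ;;               # could not connect to the host
    28) echo "timeout" ;;               # the result the post reports for QUIC to the Gateway endpoint
    *)  echo "error:$1" ;;
  esac
}

# probe_doh URL WANTED_VERSION   (WANTED_VERSION is 2 or 3)
# Sends the same JSON DoH query used in the post and classifies the outcome.
probe_doh() {
  _rc=0
  _ver=$(curl -4 -s -o /dev/null -m 5 "--http$2" \
           -H 'accept: application/dns-json' \
           -w '%{http_version}' "$1" 2>/dev/null) || _rc=$?
  classify_probe "$_rc" "$_ver" "$2"
}

# Run both probes only when a URL is passed on the command line.
if [ "$#" -ge 1 ]; then
  for _v in 2 3; do
    printf 'HTTP/%s: %s\n' "$_v" "$(probe_doh "$1" "$_v")"
  done
fi
```

A `timeout` on HTTP/3 next to `supported` on HTTP/2 matches the behaviour in the console output above. It means no QUIC handshake completed from that network path; it does not distinguish an endpoint without HTTP/3 from UDP port 443 being blocked somewhere in between.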