feature request: DNS-over-HTTPS support

[appliedprivacy]

blackbox_exporter got DNS-over-TLS support in #643,
it would be great to have DNS-over-HTTPS - DoH (RFC8484) support as well.

Currently we just test via HTTP and check the return code, but that is very limited and does not
detect any end-to-end issues, for example if the HTTP status code is 200 but there is no actual DNS payload within the HTTPS connection.

DoH support would be the combination of the HTTP (status codes, headers, basic auth, proxy, ..) and DNS (query name, rcodes, answer, ...) probes.

[SuperQ]

I think this may already be possible with the various header and body sending and receiving field matching in the http probe.

[appliedprivacy]

Sending is easy, for example this is a valid DoH request:

https://doh.applied-privacy.net/query?dns=l1sBAAABAAAAAAAAA3d3dw1rbm90LXJlc29sdmVyAmN6AAAcAAE

but how would I validate the DNS rcode or the response data?

Can fail_if_body_not_matches_regexp be used with non-text responses as well?

thanks!

[brian-brazil]

If the library we use makes it easy, we could add it.

[SuperQ]

The tricky bit with the http method is the regexp matching of the binary data.

modules:
  doh:
    prober: http
    timeout: 5s
    http:
      method: GET
      headers:
        Content-Type: application/dns-message
      fail_if_not_ssl: true
      fail_if_body_not_matches_regexp:
        - '.*knot-resolver.*'
      tls_config:
        insecure_skip_verify: false

[SuperQ]

It doesn't look like https://github.com/miekg/dns supports RFC8484 yet.

[appliedprivacy]

The HTTP body of RFC8484 responses, is just plain DNS wire format send in an HTTPS connection
https://tools.ietf.org/html/rfc8484#section-4.2.2
So it would be possible to parse the HTTP response body using the mentioned dns library?

[brian-brazil]

I'm not going to duplicate the entire DNS/HTTP probe in the other. If upstream adds it we can consider it then.