From c1f287528bebf028b68cf1dd85ea13649adedcbe Mon Sep 17 00:00:00 2001
From: Shreyas Zare
Date: Sun, 26 Feb 2023 17:26:55 +0530
Subject: [PATCH] DnsServer: fixed issue in DNS-over-HTTP private IP check causing 403 with reverse proxy.
---
 DnsServerCore/Dns/DnsServer.cs | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/DnsServerCore/Dns/DnsServer.cs b/DnsServerCore/Dns/DnsServer.cs
index a0423ea5..8629add2 100644
--- a/DnsServerCore/Dns/DnsServer.cs
+++ b/DnsServerCore/Dns/DnsServer.cs
@@ -768,13 +768,19 @@ namespace DnsServerCore.Dns
 return;
 }
- if (!request.IsHttps && !NetUtilities.IsPrivateIP(remoteEP.Address))
+ if (!request.IsHttps)
 {
- //intentionally blocking public IP addresses from using DNS-over-HTTP (without TLS)
- //this feature is intended to be used with an SSL terminated reverse proxy like nginx on private network
- response.StatusCode = 403;
- await response.WriteAsync("DNS-over-HTTPS (DoH) queries are supported only on HTTPS.");
- return;
+ //get the actual connection remote EP
+ IPEndPoint connectionEp = context.GetRemoteEndPoint(true);
+
+ if (!NetUtilities.IsPrivateIP(connectionEp.Address))
+ {
+ //intentionally blocking public IP addresses from using DNS-over-HTTP (without TLS)
+ //this feature is intended to be used with an SSL terminated reverse proxy like nginx on private network
+ response.StatusCode = 403;
+ await response.WriteAsync("DNS-over-HTTPS (DoH) queries are supported only on HTTPS.");
+ return;
+ }
 }
 switch (request.Method)
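Review bot: The new `connectionEp` check in the `!request.IsHttps` branch admits any peer with a private address, not only the reverse proxy, so every host on the private network that can reach the plain-HTTP listener is implicitly trusted to supply the client address that `remoteEP` carries for the rest of the handler. That `remoteEP` is taken from a proxy-set header is inferred from the commit subject and the comment `//get the actual connection remote EP`; its derivation, and the start and end of the enclosing method, are outside this hunk. If that holds, anything later keyed on `remoteEP` (access checks, logging) is only as reliable as the set of private hosts able to connect, and comparing `connectionEp.Address` against a configured list of proxy addresses would be a tighter gate than `IsPrivateIP`. The bare `true` passed to `GetRemoteEndPoint` should also get a comment stating what it selects (presumably the socket peer rather than a header-supplied address), and that `remoteEP` must not be substituted back into this check.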