In order to use the DoH feature, Unbound needs to be compiled with the nghttp2 library (./configure --with-libnghttp2) and requires an OpenSSL version that supports ALPN for the HTTP/2 support negotiation (starting from OpenSSL 1.0.2).

The DoH implementation requires an encrypted connection, and only works over HTTP/2 as query pipelining and out-of-order processing using HTTP/2 streams is needed to be able to provide performance that is on par with DNS-over-TLS.

To enable DoH in Unbound the certificate and corresponding key to use need to be configured, and Unbound needs to listen on the HTTPS port:

server:
   interface: 127.0.0.1@443
   tls-service-key "key.pem"
   tls-service-pem: "cert.pem"

The HTTPS port (default 443) can be changed using the 'https-port' configuration option.

The DoH endpoint (default /dns-query) can be changed using the 'http-endpoint' configuration option.

The maximum number of streams (default 100, as per HTTP/2 RFC) can be adjusted using the 'http-max-streams' configuration option.

In order to prevent abuse of Unbound servers running DoH, this PR adds counters to limit the total size of buffers used to store (partial) DNS queries and responses. The size of these limits can be adjusted using the 'http-query-buffer-size' and 'http-response-buffer-size' configuration options.

In order to provide a well-performing HTTP/2 service is might be good to set the TCP_NODELAY socket option. This PR will, by default, set this option for the sockets used for the HTTP/2 connection. Setting this option can be disabled using the 'http-nodelay' configuration option.

Three DoH stats are added to Unbound; 'num.query.https' keeps statistics for the number of queries that are serviced using DoH. The 'mem.http.query_buffer', and 'mem.http.response_buffer' stats keep track of the memory used for the query and response buffers used for DoH.