Bind9 DoH & Traefik - curl: (6) Couldn't resolve host name

hello world :wink:

I run BIND 9 via Docker with DoH configured:

$ docker compose ps
NAME      IMAGE                                  COMMAND                  SERVICE   CREATED         STATUS         PORTS
bind9     internetsystemsconsortium/bind9:9.20   "/usr/sbin/named -u …"   bind      5 minutes ago   Up 5 minutes   80/tcp, 443/tcp, 853/tcp, X.X.X.X:53->53/tcp, X.X.X.X:53->53/udp, 953/tcp
$ 

A direct request via curl with --doh-url, fetching the headers (HEAD) of www.google.com over HTTPS:

$ curl --doh-insecure --doh-url https://172.18.0.4:443/dns-query https://www.google.com/ -I
HTTP/2 200 
content-type: text/html; charset=ISO-8859-1
content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-8gj0P7f8zdPdgNOCp1-7Fg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
accept-ch: Sec-CH-Prefers-Color-Scheme
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
date: Fri, 04 Oct 2024 01:52:47 GMT
server: gws
x-xss-protection: 0
x-frame-options: SAMEORIGIN
expires: Fri, 04 Oct 2024 01:52:47 GMT
cache-control: private
set-cookie: AEC=AVYB7cq4K1AWq9dT_avyC6k0qXHG_eqDuQsjln6k7xhcZixXsLdyKbUIvcM; expires=Wed, 02-Apr-2025 01:52:47 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
set-cookie: NID=518=uYjlnncgoQM0d5GOigc_LHLf2qw3zQ3jA4SMFV7PdkY77HBWVbMSdHu71hLYHpoDiY-ZFl3kgQp1wn7d-sMpdyjFZf98zcmbHZZ4KiaVhrqr5ljexN97UzC0rFXi74MfYQKu2SR47ibQAtGLfn8Jy2qf-sPLbxYepCopJzKccxdAIzaSYox3aeEL79zYb0uz; expires=Sat, 05-Apr-2025 01:52:47 GMT; path=/; domain=.google.com; HttpOnly
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

$ 

Yet whenever I try to make the same DoH request through Traefik, I get the following error:

$ curl --doh-url https://doh.X.org/dns-query https://www.google.com -v
* Found bundle for host: 0x55e51f21e1d0 [serially]
* Server doesn't support multiplex (yet)
*   Trying X.X.X.X:443...
* Hostname 'doh.X.org' was found in DNS cache
*   Trying X.X.X.X:443...
* Connected to doh.X.org (X.X.X.X) port 443 (#1)
* ALPN: offers h2,http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* Connected to doh.X.org (X.X.X.X) port 443 (#2)
* ALPN: offers h2,http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=doh.X.org
*  start date: Sep 30 20:43:45 2024 GMT
*  expire date: Dec 29 20:43:44 2024 GMT
*  subjectAltName: host "doh.X.org" matched cert's "doh.X.org"
*  issuer: C=US; O=Let's Encrypt; CN=R11
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: POST]
* h2h3 [:path: /dns-query]
* h2h3 [:scheme: https]
* h2h3 [:authority: doh.X.org]
* h2h3 [accept: */*]
* h2h3 [content-type: application/dns-message]
* h2h3 [content-length: 32]
* Using Stream ID: 1 (easy handle 0x55e51f23e6f0)
> POST /dns-query HTTP/2
Host: doh.X.org
accept: */*
content-type: application/dns-message
content-length: 32

* We are completely uploaded and fine
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=doh.X.org
*  start date: Sep 30 20:43:45 2024 GMT
*  expire date: Dec 29 20:43:44 2024 GMT
*  subjectAltName: host "doh.X.org" matched cert's "doh.X.org"
*  issuer: C=US; O=Let's Encrypt; CN=R11
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: POST]
* h2h3 [:path: /dns-query]
* h2h3 [:scheme: https]
* h2h3 [:authority: doh.X.org]
* h2h3 [accept: */*]
* h2h3 [content-type: application/dns-message]
* h2h3 [content-length: 32]
* Using Stream ID: 1 (easy handle 0x55e51f23fbf0)
> POST /dns-query HTTP/2
Host: doh.X.org
accept: */*
content-type: application/dns-message
content-length: 32

* old SSL session ID is stale, removing
* We are completely uploaded and fine
< HTTP/2 500 
< content-length: 21
< date: Fri, 04 Oct 2024 01:50:45 GMT
< 
* Connection #1 to host doh.X.org left intact
* a DoH request is completed, 1 to go
< HTTP/2 500 
< content-length: 21
< date: Fri, 04 Oct 2024 01:50:45 GMT
< 
* Connection #2 to host doh.X.org left intact
* a DoH request is completed, 0 to go
* DoH: Bad ID type A for www.google.com
* DoH: Bad ID type AAAA for www.google.com
* Closing connection 0
curl: (6) Couldn't resolve host name
$ 

The labels I use with the bind/bind9 container:

$ grep -A 8 labels docker-compose.yml
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_traefik"
      - "traefik.http.routers.bind.entrypoints=websecure"
      - "traefik.http.routers.bind.rule=Host(`doh.X.org`)"
      - "traefik.http.routers.bind.tls.certresolver=myresolver"
      - "traefik.http.routers.bind.service=bind@docker"
      - "traefik.http.services.bind.loadbalancer.server.port=443"
      - "traefik.http.services.bind.loadbalancer.server.scheme=https"
$ 

Please advise.

Enable and check the Traefik debug log (doc) and the Traefik access log in JSON format (doc).

I appreciate your reply)
The following are the relevant Traefik log entries:

traefik         | 2024-11-13T22:16:32Z DBG github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:113 > 500 Internal Server Error error="tls: failed to verify certificate: x509: cannot validate certificate for 172.18.0.9 because it doesn't contain any IP SANs"
traefik         | 2024-11-13T22:16:32Z DBG github.com/traefik/traefik/v3/pkg/proxy/httputil/proxy.go:113 > 500 Internal Server Error error="tls: failed to verify certificate: x509: cannot validate certificate for 172.18.0.9 because it doesn't contain any IP SANs"

With a bit from a previous thread, I was able to solve my issue :wink:
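As an added example (not the original poster's solution, which the thread does not show): the debug log says Traefik dials the backend by container IP (172.18.0.9) and BIND's certificate carries only CN=doh.X.org with no IP SAN, so Go's x509 verification rejects it and the proxy answers 500 before the DoH query reaches named. The fix that keeps verification on is a serversTransport that tells Traefik which name to verify against and which CA to trust for the backend hop; skipping verification is the weaker fallback. The label keys below are Traefik v3 Docker-provider labels; the transport name `bind-doh`, the backend server name `bind9.internal`, the CA path `/certs/bind-ca.crt` and the Traefik service stanza are assumptions for this example, not values from the original post.

```yaml
# Added example, not the poster's compose file. Assumes BIND's listener cert
# was issued (by a private CA at ./certs/bind-ca.crt) with a DNS SAN of
# bind9.internal; check with:
#   openssl x509 -in bind.crt -noout -ext subjectAltName
services:
  bind:
    image: internetsystemsconsortium/bind9:9.20
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik_traefik"
      - "traefik.http.routers.bind.entrypoints=websecure"
      - "traefik.http.routers.bind.rule=Host(`doh.X.org`)"
      - "traefik.http.routers.bind.tls.certresolver=myresolver"
      - "traefik.http.routers.bind.service=bind@docker"
      - "traefik.http.services.bind.loadbalancer.server.port=443"
      - "traefik.http.services.bind.loadbalancer.server.scheme=https"
      # Bind the service to a dedicated transport for the Traefik -> BIND hop.
      - "traefik.http.services.bind.loadbalancer.serverstransport=bind-doh@docker"
      # Preferred: verify the backend cert against the name it was issued for
      # (also sent as SNI) and trust only the private CA that signed it.
      - "traefik.http.serversTransports.bind-doh.serverName=bind9.internal"
      - "traefik.http.serversTransports.bind-doh.rootCAs=/certs/bind-ca.crt"
      # Fallback (weaker): accept any cert on the backend hop. This keeps
      # encryption but drops authentication of the BIND container, so only
      # use it when the Docker network itself is considered trusted.
      # - "traefik.http.serversTransports.bind-doh.insecureSkipVerify=true"

  traefik:
    # The CA file is read by Traefik, not by BIND, so it must be mounted here.
    volumes:
      - "./certs/bind-ca.crt:/certs/bind-ca.crt:ro"
```

After recreating both containers, the original check from the thread (`curl --doh-url https://doh.X.org/dns-query https://www.google.com -I`) should return an HTTP/2 200 instead of the two 500s, and the Traefik debug log should no longer report "doesn't contain any IP SANs". The `--doh-insecure` flag used for the direct-to-container test is not needed here because the public side of Traefik presents the Let's Encrypt certificate.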