
Support for ignoring certificate errors from upstream DNS servers #7086

Open · 3 tasks done
HX-Technology-LLC opened this issue Jun 19, 2024 · 7 comments
Labels: waiting for data (Waiting for users to provide more data.)

Comments

@HX-Technology-LLC

Prerequisites

  • I have checked the Wiki and Discussions and found no answer

  • I have searched other issues and found no duplicates

  • I want to request a feature or enhancement and not ask a question

The problem

When running AdGuard Home on Windows 7/8.1 and configuring the upstream DNS as DoH and DoT of IP type, the certificate validity cannot be verified properly.

Proposed solution

Ignore SSL certificate checking or use non-systematic SSL certificate validity checking like Firefox

Alternatives considered and additional information

No response

@Cebeerre

Could you please elaborate on what you are trying to achieve? Using secured SSL/TLS endpoints with the proper domain and checking that everything makes sense is actually the point, to ensure nobody is "on the wire..."

Cebeerre added the label waiting for data (Waiting for users to provide more data.) on Jun 25, 2024

@HX-Technology-LLC (Author)

> Could you please elaborate on what you are trying to achieve? Using secured SSL/TLS endpoints with the proper domain and checking that everything makes sense is actually the point, to ensure nobody is "on the wire..."

I deployed AdGuard Home in my Windows 7 VM and set up the upstream servers as tls:/8.8.4.4 and tls:/1.1.1.1, and found that there were a lot of certificate validation errors. Using the IE browser (because it uses the schannel component that comes with the system) to access https://1.1.1.1, the prompts for certificate errors are consistent with those of AdGuard Home, and I'm wondering if I can skip the certificate errors and query them directly.

Translated with DeepL.com (free version)

@Cebeerre

Cebeerre commented Jul 9, 2024

> > Could you please elaborate on what you are trying to achieve? Using secured SSL/TLS endpoints with the proper domain and checking that everything makes sense is actually the point, to ensure nobody is "on the wire..."
>
> I deployed AdGuard Home in my Windows 7 VM and set up the upstream servers as tls:/8.8.4.4 and tls:/1.1.1.1, and found that there were a lot of certificate validation errors. Using the IE browser (because it uses the schannel component that comes with the system) to access https://1.1.1.1, the prompts for certificate errors are consistent with those of AdGuard Home, and I'm wondering if I can skip the certificate errors and query them directly.
>
> Translated with DeepL.com (free version)

Why don't you just set up the upstream servers as:

tls://dns.google
https://dns.google/dns-query
tls://1dot1dot1dot1.cloudflare-dns.com
https://dns.cloudflare.com/dns-query

So the certificates are actually validated?

@samlux04

Sometimes even when using https://dns.cloudflare.com/dns-query or https://one.one.one.one/dns-query, I also get a certificate error under the Cloudflare WARP VPN or other VPNs. Which is kinda funny considering it's a Cloudflare product.

@HX-Technology-LLC (Author)

> > > Could you please elaborate on what you are trying to achieve? Using secured SSL/TLS endpoints with the proper domain and checking that everything makes sense is actually the point, to ensure nobody is "on the wire..."
> >
> > I deployed AdGuard Home in my Windows 7 VM and set up the upstream servers as tls:/8.8.4.4 and tls:/1.1.1.1, and found that there were a lot of certificate validation errors. Using the IE browser (because it uses the schannel component that comes with the system) to access https://1.1.1.1, the prompts for certificate errors are consistent with those of AdGuard Home, and I'm wondering if I can skip the certificate errors and query them directly.
> >
> > Translated with DeepL.com (free version)
>
> Why don't you just set up the upstream servers as:
>
> tls://dns.google
> https://dns.google/dns-query
> tls://1dot1dot1dot1.cloudflare-dns.com
> https://dns.cloudflare.com/dns-query
>
> So the certificates are actually validated?

The certificate is verified, and if it's set to a domain name it's fine, but I'd like to reduce the time it takes to query the encrypted DNS domain for the first time and also reduce the information leakage because of the SNI.
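
The trade-off discussed above (dialling the upstream by bare IP to avoid the SNI and the bootstrap lookup, versus dialling it by name so the certificate is "actually validated") is easier to reason about once the verification steps are visible. The Go program below is an added example written for this thread; it is not AdGuard Home's code, although AdGuard Home is a Go project and uses the same standard-library verifier. It constructs a throwaway CA and a resolver certificate that carries both a DNS SAN (dns.example) and an IP SAN (192.0.2.53, a documentation address), then verifies that certificate as a client would after dialling by IP, after dialling by name, after dialling a different IP, and with a trust store that does not contain the issuer. Every name, address and function in it is constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// upstreamPKI holds constructed test material: a throwaway CA and a leaf
// certificate for a resolver reachable both by name and by bare IP.
type upstreamPKI struct {
	roots *x509.CertPool    // trust store that knows the constructed CA
	leaf  *x509.Certificate // the resolver's certificate
}

// mustCert signs tmpl with the signer's key under parent and returns the parsed result.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// buildPKI constructs the CA and leaf; 192.0.2.53 and dns.example are
// documentation values, not real resolver addresses.
func buildPKI() upstreamPKI {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "dns.example"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// A DNS SAN and an IP SAN: the IP SAN is what lets a client that
		// dialled the bare address verify the name with no SNI and no lookup.
		DNSNames:    []string{"dns.example"},
		IPAddresses: []net.IP{net.ParseIP("192.0.2.53")},
	}
	leaf := mustCert(leafTmpl, ca, &leafKey.PublicKey, caKey)

	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return upstreamPKI{roots: roots, leaf: leaf}
}

// verifyUpstream runs the checks a TLS client applies to an upstream's
// certificate: validity period, name match against what was dialled (Go
// matches IP SANs when dialled is an IP literal), chain to a root in the
// supplied store, and the default serverAuth key-usage check.
func verifyUpstream(leaf *x509.Certificate, roots *x509.CertPool, dialled string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dialled})
	return err
}

// classify separates the two causes a generic "certificate error" hides: the
// certificate is not valid for the dialled name/IP, or it is valid for it but
// the verifier's trust store does not contain its issuer.
func classify(err error) string {
	var hostErr x509.HostnameError
	var authErr x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hostErr):
		return "name-mismatch"
	case errors.As(err, &authErr):
		return "unknown-authority"
	default:
		return "other"
	}
}

func main() {
	p := buildPKI()
	fmt.Println("by IP, trusted roots:   ", classify(verifyUpstream(p.leaf, p.roots, "192.0.2.53")))
	fmt.Println("by name, trusted roots: ", classify(verifyUpstream(p.leaf, p.roots, "dns.example")))
	fmt.Println("wrong IP:               ", classify(verifyUpstream(p.leaf, p.roots, "198.51.100.1")))
	fmt.Println("by IP, empty root store:", classify(verifyUpstream(p.leaf, x509.NewCertPool(), "192.0.2.53")))
}
```

Two things follow for the thread. First, dialling an upstream by IP does not by itself weaken validation: the certificate is checked for that IP exactly as it would be for a hostname, provided the resolver's certificate carries the IP as a SAN. Second, the verifier reports a name mismatch and a missing issuer as different errors, and only the second is a trust-store problem; when that is the cause, the fix is to give the client an up-to-date set of roots, which keeps the "nobody on the wire" guarantee that skipping verification would give up.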

@HX-Technology-LLC (Author)

> Sometimes even when using https://dns.cloudflare.com/dns-query or https://one.one.one.one/dns-query, I also get a certificate error under the Cloudflare WARP VPN or other VPNs. Which is kinda funny considering it's a Cloudflare product.

Maybe there are some issues with processing the certificates?

@samlux04

> > Sometimes even when using https://dns.cloudflare.com/dns-query or https://one.one.one.one/dns-query, I also get a certificate error under the Cloudflare WARP VPN or other VPNs. Which is kinda funny considering it's a Cloudflare product.
>
> Maybe there are some issues with processing the certificates?

I have no idea. It just often/always gives a bad certificate when using Cloudflare WARP.
