
TLS Listener does not work at all (DoT) #397

Open
cbuijs opened this issue Jun 24, 2024 · 5 comments

Comments

@cbuijs
Contributor

cbuijs commented Jun 24, 2024

Using:

[listeners.dot]
address = "[::]:853" #TCP
protocol = "dot"
resolver = "dedup"
server-crt = "/opt/routedns-home/certs/fullchain.pem"
server-key = "/opt/routedns-home/certs/privkey.pem"

It listens on port 853, but does not respond to any DoT queries. No errors at all at RouteDNS side.

I use the same certificates with DoH and DoQ, and it works fine. Also when using DNSDIST, everything works fine. Guess the TLS implementation is not working.

DNS/TLS client errors (kdig):

kdig @192.168.1.32 -p 853 +tls www.paypal.com
;; WARNING: TLS, handshake failed (The TLS connection was non-properly terminated.)
;; ERROR: failed to query server 192.168.1.32@853(TCP)

It seems to send an EOF to any query.

@folbricht
Owner

I tried that config and it seems to be working for me. Can you try a few things?

  1. Use :853 to rule out anything going on with ip6 there
  2. Use netstat -anl or similar to confirm it's actually listening
  3. openssl s_client -connect 192.168.1.32:853 to check if you can get a TLS handshake

This looks like something in the network is blocking it, perhaps a firewall or a routing issue
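
As an added example (not code from RouteDNS or from anyone in this thread), a small Python probe that goes one step past the openssl check above: it completes the TLS handshake, sends one length-prefixed DNS query using the RFC 7858 framing, and tells apart a failed handshake from a server that accepts the connection but closes it without answering, which is the symptom being reported. Host, port, query name and SNI are arguments you supply; the defaults are placeholders.

```python
# Added diagnostic example, not part of RouteDNS. Usage: python dot_probe.py 192.168.1.32
import socket
import ssl
import struct
import sys

def build_query(name, qid=0x1234):
    """Encode a standard A-record query for `name` as a raw DNS message (RD set, one question)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def frame(msg):
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix (RFC 7858 / RFC 1035)."""
    return struct.pack("!H", len(msg)) + msg

def unframe(buf):
    """Strip the length prefix, refusing a truncated message instead of silently parsing it."""
    if len(buf) < 2:
        raise ValueError("short read: no length prefix")
    n = struct.unpack("!H", buf[:2])[0]
    if len(buf) < 2 + n:
        raise ValueError("short read: expected %d bytes, got %d" % (n, len(buf) - 2))
    return buf[2:2 + n]

def probe(host, port=853, name="example.com", sni=None):
    """One DoT round trip; returns 'handshake-failed: ...', 'eof', or 'answer:rcode=N'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # diagnostic only: we want to observe the server, not trust it
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as tcp:
        try:
            tls = ctx.wrap_socket(tcp, server_hostname=sni or host)  # handshake happens here
        except (ssl.SSLError, ConnectionResetError, EOFError) as exc:
            return "handshake-failed: %s" % exc
        with tls:
            tls.sendall(frame(build_query(name)))
            buf = b""
            # Keep reading until the whole length-prefixed reply is in, or the peer hangs up.
            while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
                chunk = tls.recv(4096)
                if not chunk:
                    return "eof"   # TLS accepted, but no DNS reply: the behaviour in this report
                buf += chunk
    rcode = unframe(buf)[3] & 0x0F  # low nibble of header byte 3 is RCODE
    return "answer:rcode=%d" % rcode

if __name__ == "__main__":
    print(probe(sys.argv[1]))
```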

@cbuijs
Contributor Author

cbuijs commented Jul 3, 2024

I tried some combinations like :853 or 192.168.1.32:853 etc., and it didn't fix it.

It does listen, and I see traffic, it just provides a completely empty response.

tcp6       0      0 :::853                  :::*                    LISTEN      435/bin/routedns    
tcp6       0      0 :::53                   :::*                    LISTEN      435/bin/routedns    
tcp6       0      0 :::443                  :::*                    LISTEN      435/bin/routedns    
udp6       0      0 :::53                   :::*                                435/bin/routedns    
udp6       0      0 :::443                  :::*                                435/bin/routedns    
udp6       0      0 :::853                  :::*                                435/bin/routedns 

The openssl connect output:

openssl s_client -connect 192.168.1.32:853
Connecting to 192.168.1.32
CONNECTED(00000003)
C0FAC7F901000000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:692:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 306 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

I use the same certificates for DoH and it just works; the openssl connect provides all the info/data/etc. (will not share as it is sensitive info).

@liang-hiwin

I have the same problem, dns-over-tls doesn't work properly

@folbricht
Owner

@liang-hiwin I'd need a bit more information. A snippet of your config and maybe a log would be good

@liang-hiwin

@liang-hiwin I'd need a bit more information. A snippet of your config and maybe a log would be good

The log is fine, but dot does not work.
