0xERR0R / blocky

Fast and lightweight DNS proxy as ad-blocker for local network with many features
https://0xERR0R.github.io/blocky/
Apache License 2.0

DoH not working on android #419

Closed givemeaname77 closed 2 years ago

givemeaname77 commented 2 years ago

I am trying to set up a DNS server in the cloud for my private use. I think I have managed to set it up and the DNS is working, but the DNS over HTTPS/TLS is not working.

Here is my config

upstream:
  default:
    - 'tcp-tls:getdnsapi.net'
    - 'https://dns-family.adguard.com/dns-query'
    - 'https://security.cloudflare-dns.com/dns-query'
    - 'https://doh-de.blahdns.com/dns-query'
    - 'https://anycast.uncensoreddns.org/dns-query'
    - 'tcp-tls:fdns1.dismail.de:853'
    - 'https://dns.digitale-gesellschaft.ch/dns-query'
    - 'https://dns.google/dns-query'
blocking:
  blockType: nxDomain
  refreshPeriod: 60m
  blackLists:
    ads:
      - 'https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts'
      - 'https://adaway.org/hosts.txt'
      - 'https://v.firebog.net/hosts/AdguardDNS.txt'
      - 'https://v.firebog.net/hosts/Admiral.txt'
      - 'https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt'
      - 'https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt'
      - 'https://v.firebog.net/hosts/Easylist.txt'
      - 'https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext'
      - 'https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts'
      - 'https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts'
    suspiciousLinks:
      - 'https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt'
      - 'https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts'
      - 'https://v.firebog.net/hosts/static/w3kbl.txt'
    trackingAndTelemetry:
      - 'https://v.firebog.net/hosts/Easyprivacy.txt'
      - 'https://v.firebog.net/hosts/Prigent-Ads.txt'
      - 'https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts'
      - 'https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt'
      - 'https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt'
      - 'https://raw.githubusercontent.com/Zelo72/rpi/master/pihole/blocklists/kees1958.txt'
    maliciousList:
      - 'https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt'
      - 'https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt'
      - 'https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt'
      - 'https://v.firebog.net/hosts/Prigent-Crypto.txt'
      - 'https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt'
      - 'https://phishing.army/download/phishing_army_blocklist_extended.txt'
      - 'https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt'
      - 'https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt'
      - 'https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts'
      - 'https://urlhaus.abuse.ch/downloads/hostfile/'
    youtube:
      - 'https://raw.githubusercontent.com/kboghdady/youTube_ads_4_pi-hole/master/youtubelist.txt'
      - 'https://raw.githubusercontent.com/kboghdady/youTube_ads_4_pi-hole/master/crowed_list.txt'
    google:
      - 'https://raw.githubusercontent.com/nickspaargaren/no-google/master/pihole-google.txt'
    other:
      - 'https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser'
      - 'https://raw.githubusercontent.com/nickspaargaren/no-google/master/categories/analyticsparsed'
      - 'https://raw.githubusercontent.com/nickspaargaren/no-google/master/categories/doubleclickparsed'
  clientGroupsBlock:
    default:
      - ads
      - suspiciousLinks
      - trackingAndTelemetry
      - maliciousList
      - youtube
      - other
caching:
  minTime: 5m
  maxTime: -1
  maxItemsCount: 0
  prefetching: true
  prefetchExpires: 2h
  prefetchThreshold: 5
  prefetchMaxItemsCount: 0
port: 53
#httpPort: 4000
httpsPort: 443
tlsPort: 853
certFile: "/opt/blocky/certificate.crt"
keyFile: "/opt/blocky/key-file.key"

I don't know what's wrong with the config. Tried testing it using curl; here is the output:

➜ curl --doh-url https://blocky.duckdns.org/dns-query https://www.example.com
<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;

    }
    div {
        width: 600px;
        margin: 5em auto;
        padding: 2em;
        background-color: #fdfdff;
        border-radius: 0.5em;
        box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
    }
    a:link, a:visited {
        color: #38488f;
        text-decoration: none;
    }
    @media (max-width: 700px) {
        div {
            margin: 0 auto;
            width: auto;
        }
    }
    </style>
</head>

<body>
<div>
    <h1>Example Domain</h1>
    <p>This domain is for use in illustrative examples in documents. You may use this
    domain in literature without prior coordination or asking for permission.</p>
    <p><a href="https://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>

curl works on Linux, but why is it not working on Android when I set it up using Private DNS in the network section?

0xERR0R commented 2 years ago

Hi, did you create your certificate with letsencrypt? If yes, please try to recreate the certificate with "ISRG Root X1" as preferable chain.

givemeaname77 commented 2 years ago

Hi, did you create your certificate with letsencrypt?

Yes, I did create it using letsencrypt. I followed your instructions over here: https://github.com/0xERR0R/blocky/wiki/Configuration-of-HTTPS-for-DoH-and-Rest-API

please try to recreate the certificate with "ISRG Root X1" as preferable

And how do I do that? I have no idea regarding this.

0xERR0R commented 2 years ago

Please add the following parameter: --preferred-chain 'ISRG Root X1'

givemeaname77 commented 2 years ago

Please add the following parameter: --preferred-chain 'ISRG Root X1'

there is no ---preferred-chain option in lego. I went through the documentation on lego and found nothing, so I googled it and found this issue: https://github.com/go-acme/lego/issues/1197

which in turn says to visit this: https://community.letsencrypt.org/t/transition-to-isrgs-root-delayed-until-jan-11-2021/125516

0xERR0R commented 2 years ago

Do you use the latest version of lego? I had the same problem with Android and could fix it. I used lego as a docker container.

docker run -v /opt:/opt -e DUCKDNS_TOKEN=xxc09-879b-xxx  goacme/lego --path /opt --domains 'xxx'  --domains '*.xxx' --email xxx@gmail.com --dns duckdns -a run --preferred-chain 'ISRG Root X1'

0xERR0R commented 2 years ago

To summarise it: this is an Android issue. Letsencrypt has changed the root certificate and some Android versions don't accept the new one.

0xERR0R commented 2 years ago

@givemeaname77 Did you try with "ISRG Root X1" chain?