0xERR0R / blocky

Fast and lightweight DNS proxy as ad-blocker for local network with many features
https://0xERR0R.github.io/blocky/
Apache License 2.0

Interesting upstream server failed warning on dns.surfshark.com #873

Open PeterDaveHello opened 1 year ago

PeterDaveHello commented 1 year ago

The warning:

[2023-02-10 15:27:56]  WARN parallel resolver: test resolve of upstream server failed: can't resolve request via upstream server https://92.249.39.1:443/dns-query: http return content type should be 'application/dns-message', but was ''

When I use curl to test it, the result looks no problem:

$ curl -sD- -o /dev/null https://dns.surfshark.com/dns-query?dns=AAABAAABAAAAAAABBmRuc2xvdwJtZQAAAQABAAApAgAAAAAAAFoADABWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
HTTP/2 200 
access-control-allow-headers: Content-Type
access-control-allow-methods: GET, HEAD, OPTIONS, POST
access-control-allow-origin: *
access-control-max-age: 3600
cache-control: private, max-age=3593
content-type: application/dns-message
date: Fri, 10 Feb 2023 15:40:39 GMT
expires: Fri, 10 Feb 2023 16:40:32 GMT
last-modified: Fri, 10 Feb 2023 15:40:39 GMT
vary: Accept
content-length: 63

PeterDaveHello commented 1 year ago

Not sure if it's related, but it looks like kdig also has an issue with https://dns.surfshark.com/, just not the HTTP header issue.

$ kdig -d +https @dns.surfshark.com dnslow.me
;; DEBUG: Querying for owner(dnslow.me.), class(1), type(1), server(dns.surfshark.com), port(443), protocol(TCP)
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=dns.surfshark.com
;; DEBUG:      SHA-256 PIN: yttntfV+Wu7pwEnxMLplkboikrtMhqDXY5H1G8Qj+8s=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=R3
;; DEBUG:      SHA-256 PIN: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
;; DEBUG:  #3, C=US,O=Internet Security Research Group,CN=ISRG Root X1
;; DEBUG:      SHA-256 PIN: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, skipping certificate verification
;; ERROR: failed to query server dns.surfshark.com@443(TCP)

0xERR0R commented 1 year ago

I get the following error message from curl:

curl -I --insecure  -H "Host: dns.surfshark.com" https://92.249.39.1/dns-query?dns=AAABAAABAAAAAAABBmRuc2xvdwJtZQAAAQABAAApAgAAAAAAAFoADABWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error
0xERR0R commented 1 year ago

This curl works:

curl -I  --resolve dns.surfshark.com:443:92.249.39.1 https://dns.surfshark.com/dns-query?dns=AAABAAABAAAAAAABBmRuc2xvdwJtZQAAAQABAAApAgAAAAAAAFoADABWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

We are using IP addresses to connect to servers and most DoH servers can handle the TLS handshake this way. Servername is already set on TLSClientConfig and as an HTTP header parameter.
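As an added illustration, not code from blocky or from anyone in this thread, the following Go program exercises the connection pattern described in the last comment: the request URL names the upstream by IP, while the server name is set on the TLS config (Go sends it as SNI and verifies the certificate against it) and as the Host header; it also carries the Content-Type check whose failure produced the warning in the first comment. It runs offline against a constructed local httptest TLS server whose test certificate covers example.com; the path /dns-query-bad, the query ID 0xBEEF and the empty-answer echo for dnslow.me are all constructed for the example. The two curl invocations above show the same point from the command line: a bare IP in the URL sends no SNI at all, whereas --resolve dials the given address but keeps the hostname for SNI and Host.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"io"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// RFC 8484 requires this media type on DoH responses; blocky's warning above says the upstream sent none.
const dohContentType = "application/dns-message"

// buildQuery hand-rolls a minimal DNS query (ID, RD flag, one question, no EDNS) so no DNS library is needed.
func buildQuery(id uint16, name string, qtype uint16) []byte {
	msg := []byte{byte(id >> 8), byte(id), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0} // header: RD=1, QDCOUNT=1
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	return append(msg, 0, byte(qtype>>8), byte(qtype), 0, 1) // root label, QTYPE, QCLASS=IN
}

// encodeDNSQuery applies the RFC 8484 GET encoding: base64url without padding.
func encodeDNSQuery(msg []byte) string { return base64.RawURLEncoding.EncodeToString(msg) }

// checkContentType is the check behind the warning: the value must parse to exactly application/dns-message.
func checkContentType(header string) error {
	mt, _, err := mime.ParseMediaType(header) // an empty header fails to parse, parameters like charset are tolerated
	if err != nil || mt != dohContentType {
		return fmt.Errorf("http return content type should be '%s', but was '%s'", dohContentType, header)
	}
	return nil
}

// newDoHClient connects to whatever host:port the URL names (an IP literal in blocky's case) but negotiates
// TLS for serverName: Go sends it as SNI and verifies the certificate against it. rootCAs nil = system pool.
func newDoHClient(serverName string, rootCAs *x509.CertPool) *http.Client {
	tlsCfg := &tls.Config{ServerName: serverName, RootCAs: rootCAs, MinVersion: tls.VersionTLS12}
	tr := &http.Transport{TLSClientConfig: tlsCfg, ForceAttemptHTTP2: true}
	return &http.Client{Timeout: 10 * time.Second, Transport: tr}
}

// queryDoH sends a GET to url (e.g. https://92.249.39.1:443/dns-query) with Host set to serverName,
// applies the content-type check and returns the raw DNS response.
func queryDoH(client *http.Client, url, serverName string, query []byte) ([]byte, error) {
	req, err := http.NewRequest(http.MethodGet, url+"?dns="+encodeDNSQuery(query), nil)
	if err != nil {
		return nil, err
	}
	req.Host = serverName
	req.Header.Set("Accept", dohContentType)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("upstream returned HTTP %d", resp.StatusCode)
	}
	if err := checkContentType(resp.Header.Get("Content-Type")); err != nil {
		return nil, err
	}
	return io.ReadAll(io.LimitReader(resp.Body, 65535))
}

// startFakeUpstream is a constructed stand-in for the real server: a local TLS DoH endpoint whose test
// certificate covers example.com. /dns-query answers correctly; /dns-query-bad sends no Content-Type.
func startFakeUpstream() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q, err := base64.RawURLEncoding.DecodeString(r.URL.Query().Get("dns"))
		if err != nil || len(q) < 12 {
			http.Error(w, "bad dns parameter", http.StatusBadRequest)
			return
		}
		q[2] |= 0x80 // set QR and echo the question back as an empty answer
		if r.URL.Path == "/dns-query-bad" {
			w.Header()["Content-Type"] = nil // key present but empty: net/http neither sniffs nor sends it
		} else {
			w.Header().Set("Content-Type", dohContentType)
		}
		w.Write(q)
	}))
}

func main() {
	srv := startFakeUpstream()
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	client := newDoHClient("example.com", pool)
	for _, path := range []string{"/dns-query", "/dns-query-bad"} {
		resp, err := queryDoH(client, srv.URL+path, "example.com", buildQuery(0xBEEF, "dnslow.me", 1))
		fmt.Printf("%s: %d bytes, err=%v\n", path, len(resp), err)
	}
}
```

Run with `go run`: the /dns-query-bad line prints the same wording as blocky's warning. To probe a real upstream by hand, point queryDoH at the IP-based URL, pass the DoH hostname as serverName and a nil pool so the system roots are used; a certificate that does not cover that name fails in client.Do before any DNS bytes are exchanged.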