AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0
24.67k stars, 1.78k forks

No internet access on Android with Private DNS (DoT) #4603

Closed MatsG23 closed 2 years ago

MatsG23 commented 2 years ago

Issue Details

Channel: release
Go version: go1.17.9
GOOS: linux
GOARCH: amd64
Race: false
Dependencies:
        github.com/AdguardTeam/dnsproxy@v0.41.4 (sum: h1:zA8BJmWBkSL5kp4b8CblQRgIrLGzJ4IUGQ7tA1255Cw=)
        github.com/AdguardTeam/golibs@v0.10.8 (sum: h1:diU9gP9qG1qeLbAkzIwfUerpHSqzR6zaBgzvRMR/m6Q=)
        github.com/AdguardTeam/urlfilter@v0.15.2 (sum: h1:LZGgrm4l4Ys9eAqB+UUmZfiC6vHlDlYFhx0WXqo6LtQ=)
        github.com/NYTimes/gziphandler@v1.1.1 (sum: h1:ZUDjpQae29j0ryrS0u/B8HZfJBtBQHjqw2rQ2cqUQ3I=)
        github.com/aead/chacha20@v0.0.0-20180709150244-8b13a72661da (sum: h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY=)
        github.com/aead/poly1305@v0.0.0-20180717145839-3fee0db0b635 (sum: h1:52m0LGchQBBVqJRyYYufQuIbVqRawmubW3OFGqK1ekw=)
        github.com/ameshkov/dnscrypt/v2@v2.2.3 (sum: h1:X9UP5AHtwp46Ji+sGFfF/1Is6OPI/SjxLqhKpx0P5UI=)
        github.com/ameshkov/dnsstamps@v1.0.3 (sum: h1:Srzik+J9mivH1alRACTbys2xOxs0lRH9qnTA7Y1OYVo=)
        github.com/beefsack/go-rate@v0.0.0-20200827232406-6cde80facd47 (sum: h1:M57m0xQqZIhx7CEJgeLSvRFKEK1RjzRuIXiA3HfYU7g=)
        github.com/cheekybits/genny@v1.0.0 (sum: h1:uGGa4nei+j20rOSeDeP5Of12XVm7TGUd4dJA9RDitfE=)
        github.com/digineo/go-ipset/v2@v2.2.1 (sum: h1:k6skY+0fMqeUjjeWO/m5OuWPSZUAn7AucHMnQ1MX77g=)
        github.com/fsnotify/fsnotify@v1.5.1 (sum: h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI=)
        github.com/go-ping/ping@v0.0.0-20211130115550-779d1e919534 (sum: h1:dhy9OQKGBh4zVXbjwbxxHjRxMJtLXj3zfgpBYQaR4Q4=)
        github.com/google/go-cmp@v0.5.6 (sum: h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=)
        github.com/google/gopacket@v1.1.19 (sum: h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=)
        github.com/google/renameio@v1.0.1 (sum: h1:Lh/jXZmvZxb0BBeSY5VKEfidcbcbenKjZFzM/q0fSeU=)
        github.com/google/uuid@v1.3.0 (sum: h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=)
        github.com/insomniacslk/dhcp@v0.0.0-20211214070828-5297eed8f489 (sum: h1:jhdHqd7DxBrzfuFSoPxjD6nUVaV/1RIn9aHA0WCf/as=)
        github.com/josharian/native@v0.0.0-20200817173448-b6b71def0850 (sum: h1:uhL5Gw7BINiiPAo24A2sxkcDI0Jt/sqp1v5xQCniEFA=)
        github.com/kardianos/service@v1.2.0 (sum: h1:bGuZ/epo3vrt8IPC7mnKQolqFeYJb7Cs8Rk4PSOBB/g=)
        github.com/lucas-clemente/quic-go@v0.25.0 (sum: h1:K+X9Gvd7JXsOHtU0N2icZ2Nw3rx82uBej3mP4CLgibc=)
        github.com/marten-seemann/qtls-go1-17@v0.1.0 (sum: h1:P9ggrs5xtwiqXv/FHNwntmuLMNq3KaSIG93AtAZ48xk=)
        github.com/mdlayher/ethernet@v0.0.0-20190606142754-0394541c37b7 (sum: h1:lez6TS6aAau+8wXUP3G9I3TGlmPFEq2CTxBaRqY6AGE=)
        github.com/mdlayher/netlink@v1.5.0 (sum: h1:r4fa439+SsMarM0rMONU3iSshSV3ArVqJl6H/zjrhh4=)
        github.com/mdlayher/raw@v0.0.0-20211126142749-4eae47f3d54b (sum: h1:MHcTarUMC4sFA7eiyR8IEJ6j2PgmgXR+B9X2IIMjh7A=)
        github.com/mdlayher/socket@v0.1.1 (sum: h1:q3uOGirUPfAV2MUoaC7BavjQ154J7+JOkTWyiV+intI=)
        github.com/ainar-g/dns@v1.1.49-0.20220411125901-8a162bbc18d8 (sum: h1:Hp2waLwK989ui3bDkFpedlIHfyWdZ77gynvd+GPEqXY=)
        github.com/patrickmn/go-cache@v2.1.0+incompatible (sum: h1:HRMgzkcYKYpi3C8ajMPV8OFXaaRUnok+kx1WdO15EQc=)
        github.com/pkg/errors@v0.9.1 (sum: h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=)
        github.com/satori/go.uuid@v1.2.0 (sum: h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=)
        github.com/ti-mo/netfilter@v0.4.0 (sum: h1:rTN1nBYULDmMfDeBHZpKuNKX/bWEXQUhe02a/10orzg=)
        github.com/u-root/uio@v0.0.0-20210528151154-e40b768296a7 (sum: h1:XMAtQHwKjWHIRwg+8Nj/rzUomQY1q6cM3ncA0wP8GU4=)
        go.etcd.io/bbolt@v1.3.6 (sum: h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU=)
        golang.org/x/crypto@v0.0.0-20211215153901-e495a2d5b3d3 (sum: h1:0es+/5331RGQPcXlMfP+WrnIIS6dNnNRe0WB02W0F4M=)
        golang.org/x/net@v0.0.0-20220403103023-749bd193bc2b (sum: h1:vI32FkLJNAWtGD4BwkThwEy6XS7ZLLMHkSkYfF8M0W0=)
        golang.org/x/sync@v0.0.0-20210220032951-036812b2e83c (sum: h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=)
        golang.org/x/sys@v0.0.0-20220406163625-3f8b81556e12 (sum: h1:QyVthZKMsyaQwBTJE04jdNN0Pp5Fn9Qga0mrgxyERQM=)
        golang.org/x/text@v0.3.7 (sum: h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=)
        gopkg.in/natefinch/lumberjack.v2@v2.0.0 (sum: h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=)
        gopkg.in/yaml.v2@v2.4.0 (sum: h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=)
        howett.net/plist@v1.0.0 (sum: h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=)

Expected Behavior

When I go to the "Private DNS" setting and put my domain which is linked to the cloud server in, Android notices that a connection is not possible.

Actual Behavior

The DNS-over-TLS server should be usable, also because I did not use a custom port.

Additional Information

I activated DNS-over-TLS at the encryption settings, set the domain, used the default ports for the DNS services and entered the paths to the certificates (status: valid).

catsimple commented 2 years ago

Same here. It's really weird. I'm using ZeroSSL certificates and I have tried using tcping on my Android 11 phone; it told me that TCP port 853 on my AGH server is open, but I cannot use Private DNS with it. The browser shows "hostname_not_resolved", but I can still use other public DoT servers such as DNSPod Public DNS (tls://dot.pub), so it should not be an issue with the internet provider. I don't know what to do now.

ainar-g commented 2 years ago

@MatsG23, @catsimple, are you sure that the domain names you use for your AGH installations can be resolved? And that port 853 is open?

catsimple commented 2 years ago

@MatsG23, @catsimple, are you sure that the domain names you use for your AGH installations can be resolved? And that port 853 is open?

Thanks for your reply, I solved it. After checking the detailed log, I found that the upstream I specified for my AGH installation (DNSPod Public DNS: 119.29.29.29) was refusing my requests (i/o timeout by remote). I changed the upstream server for my domain and then all problems were solved.

Aphantylat commented 2 years ago

@MatsG23, @catsimple, are you sure that the domain names you use for your AGH installations can be resolved? And that port 853 is open?

I suddenly have the same problem. I have a cloud server running 1.107.7. I can access my web panel via HTTPS (for example https://dns.mydomain.com). When I enter the same address in Private DNS on Android I get a "can not connect". Port 853 (TCP/UDP) is open. The only thing I changed is that I upgraded to 1.107.7.

Update: when I connect in Edge to https://dns.mydomain.com/dns-query, everything works fine.

catsimple commented 2 years ago

@MatsG23, @catsimple, are you sure that the domain names you use for your AGH installations can be resolved? And that port 853 is open?

I suddenly have the same problem. I have a cloud server running 1.107.7. I can access my web panel via HTTPS (for example https://dns.mydomain.com). When I enter the same address in Private DNS on Android I get a "can not connect". Port 853 (TCP/UDP) is open. The only thing I changed is that I upgraded to 1.107.7.

Update: when I connect in Edge to https://dns.mydomain.com/dns-query, everything works fine.

Check your certificates; Let's Encrypt causes some problems on Android, https://github.com/AdguardTeam/AdGuardHome/issues/3689, use ZeroSSL instead.

Aphantylat commented 2 years ago

@MatsG23, @catsimple, are you sure that the domain names you use for your AGH installations can be resolved? And that port 853 is open?

I suddenly have the same problem. I have a cloud server running 1.107.7. I can access my web panel via HTTPS (for example https://dns.mydomain.com). When I enter the same address in Private DNS on Android I get a "can not connect". Port 853 (TCP/UDP) is open. The only thing I changed is that I upgraded to 1.107.7. Update: when I connect in Edge to https://dns.mydomain.com/dns-query, everything works fine.

Check your certificates; Let's Encrypt causes some problems on Android, #3689, use ZeroSSL instead.

I have used Let's Encrypt for a year without problems. Happy to switch to ZeroSSL but can't get that working properly.

I manually made a certificate and uploaded it to the server. I get the following error (replaced the domain with example):

Certificate chain is invalid. Subject: CN=dns.example.com Issuer: CN=ZeroSSL RSA Domain Secure Site CA,O=ZeroSSL,C=AT Expires: 2022-09-07 01:59:59 Hostnames: dns.example.com

and later on: This is a valid RSA private key. Your certificate does not verify: x509: certificate signed by unknown authority

catsimple commented 2 years ago

@MatsG23, @catsimple, are you sure that the domain names you use for your AGH installations can be resolved? And that port 853 is open?

I suddenly have the same problem. I have a cloud server running 1.107.7. I can access my web panel via HTTPS (for example https://dns.mydomain.com). When I enter the same address in Private DNS on Android I get a "can not connect". Port 853 (TCP/UDP) is open. The only thing I changed is that I upgraded to 1.107.7. Update: when I connect in Edge to https://dns.mydomain.com/dns-query, everything works fine.

Check your certificates; Let's Encrypt causes some problems on Android, #3689, use ZeroSSL instead.

I have used Let's Encrypt for a year without problems. Happy to switch to ZeroSSL but can't get that working properly.

I manually made a certificate and uploaded it to the server. I get the following error (replaced the domain with example):

Certificate chain is invalid. Subject: CN=dns.example.com Issuer: CN=ZeroSSL RSA Domain Secure Site CA,O=ZeroSSL,C=AT Expires: 2022-09-07 01:59:59 Hostnames: dns.example.com

And later on: This is a valid RSA private key. Your certificate does not verify: x509: certificate signed by unknown authority

What tool did you use to generate the certificates? I use acme.sh and it works fine. Make sure your certificate is a full-chain certificate which contains all three parts: root, intermediate and user certificate. You can also use the method below for using a Let's Encrypt certificate. https://github.com/AdguardTeam/AdGuardHome/issues/3689#issuecomment-931843667
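The two points raised above, AdGuard Home rejecting an uploaded certificate with "x509: certificate signed by unknown authority" and the advice to upload a full-chain file, come down to one check, and the same check is what an Android Private DNS client runs against the chain the server presents on port 853. The Go program below is an added example, not AdGuard Home's own code. It builds a throwaway root, intermediate and leaf in memory (a constructed hierarchy, not a real CA) and shows that the leaf alone fails with exactly that error while leaf plus intermediate verifies. ProbeDoT performs the live handshake an Android client effectively does (resolve the host, TCP 853, SNI, chain validation against the system roots); the hostname dns.example.com is a placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// VerifyFullChain applies the rule both AdGuard Home and an Android client apply:
// the first PEM block is the server (leaf) certificate, every following block is
// an intermediate, and the leaf must chain to a trusted root and carry host as a
// SAN. roots == nil means the system trust store.
func VerifyFullChain(chainPEM []byte, host string, roots *x509.CertPool) error {
	var certs []*x509.Certificate
	for rest := chainPEM; len(rest) > 0; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break
		}
		if block.Type != "CERTIFICATE" { // skip a private key pasted into the bundle
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return fmt.Errorf("parsing certificate: %w", err)
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return errors.New("no CERTIFICATE blocks found")
	}
	intermediates := x509.NewCertPool()
	for _, c := range certs[1:] {
		intermediates.AddCert(c)
	}
	_, err := certs[0].Verify(x509.VerifyOptions{
		DNSName: host, Roots: roots, Intermediates: intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// ProbeDoT does what Android does when Private DNS is set to host: resolve it,
// connect to TCP 853, send host as SNI and validate the served chain against the
// system roots. A server that omits its intermediate fails here with the same
// "certificate signed by unknown authority" error.
func ProbeDoT(host string) error {
	d := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(d, "tcp", net.JoinHostPort(host, "853"), &tls.Config{ServerName: host})
	if err != nil {
		return err
	}
	return conn.Close()
}

// TestChain is a constructed root -> intermediate -> leaf hierarchy (not a real CA).
type TestChain struct {
	Roots        *x509.CertPool
	LeafOnlyPEM  []byte // the mistake: only the server certificate was uploaded
	FullChainPEM []byte // leaf followed by intermediate, like certbot's fullchain.pem
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, []byte) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// MakeTestChain builds the hierarchy in memory so the check can be run offline.
func MakeTestChain(host string) TestChain {
	newKey := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		return k
	}
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	now := time.Now()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootTmpl := ca(1, "Example Root CA")
	root, _ := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter, interPEM := sign(ca(2, "Example Intermediate CA"), root, &interKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	_, leafPEM := sign(leafTmpl, inter, &leafKey.PublicKey, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	full := append(append([]byte{}, leafPEM...), interPEM...)
	return TestChain{Roots: roots, LeafOnlyPEM: leafPEM, FullChainPEM: full}
}

func main() {
	tc := MakeTestChain("dns.example.com")
	fmt.Println("full chain:", VerifyFullChain(tc.FullChainPEM, "dns.example.com", tc.Roots))
	fmt.Println("leaf only: ", VerifyFullChain(tc.LeafOnlyPEM, "dns.example.com", tc.Roots))
	if len(os.Args) > 1 { // optional live check: go run . dns.example.com
		fmt.Println("DoT probe: ", ProbeDoT(os.Args[1]))
	}
}
```

Run it with no arguments to see the offline comparison; pass your DoT hostname to run the live probe. The probe only confirms the handshake, which is the step that fails in this thread; a hostname that does not resolve shows up as a dial error rather than a certificate error, which is the distinction ainar-g's question is after.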

Aphantylat commented 2 years ago

I made the certificates from the ZeroSSL site directly. Will try to use acme.sh. For Let's Encrypt I used certbot with fullchain. The chain and certificate are OK according to AdGuard, but on Android I cannot connect. This is what I get when using Let's Encrypt:

Certificate chain is valid Subject: CN=dns.example.com Issuer: CN=R3,O=Let's Encrypt,C=US Expires: 2022-09-06 12:44:46 Hostnames: dns.example.org

UPDATE: I really have no clue how to migrate from Let's Encrypt to ZeroSSL :-(

UPDATE 2: After 2 days of no connection it suddenly works again with Let's Encrypt. I did not change anything and have no clue why it's working again.

MatsG23 commented 2 years ago

I have switched to NextDNS. It is easier to maintain for me (in terms of infrastructure). If someone continues to have this issue, please open a new issue.