AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home/overview.html
GNU General Public License v3.0

When using multiple domains in a certificate, clientID's are recognized in only one #7006

Open Akiya82 opened 6 months ago

Akiya82 commented 6 months ago

The problem

I created a certificate with three wildcard domains and three regular domains. The wildcard domains are in the format `*.doh-agh.xxx.com`, `*.dot-agh.xxx.com` and `*.doq-agh.xxx.com`.

When I enter one of these domains in the "Server Name" field on the "Encryption" tab (for example, doh-agh.xxx.com), the client IDs of the other wildcard domains are not detected. I need these additional wildcard domains to be able to route traffic in my local network differently for different DNS protocols.

Proposed solution

I suggest adding the option to enter multiple "Server Names" in the "Encryption" tab. This way, the clientID detection will work for more than one domain.

Alternatives considered and additional information

The reason for separating the DoH, DoT, and DoQ clients by domain is to create different paths for proxying device requests within the local network. When I use only one domain, I have to remove the Nginx server from the request path to AdGuard Home, which disrupts the architecture of my home network.

ainar-g commented 6 months ago

Can you elaborate on how Nginx is involved? DoT and DoQ are both typically on port 853, while DoH is typically on 443.

Akiya82 commented 6 months ago

All DNS over HTTPS (DoH) requests are routed through Nginx Proxy Manager (Adguard — Nginx — User).

DNS over QUIC (DoQ) and DNS over TLS (DoT) go directly to AdGuard Home from the user (Adguard — User).

If I try to exclude Nginx from the DoH request path, it will work within the network due to the DNS zone. However, outside the local network, DoH will not work because Nginx proxies all my web resources, and either DoH to AdGuard Home or everything else will stop functioning. This is because I can specify only one destination address in port 443 forwarding on the router.

If I used only one domain and a wildcard domain for AdGuard Home, all traffic would go through Nginx, and I would not know the real IP addresses when accessing AdGuard through DoT and DoQ due to the proxying of TCP and UDP streams on Nginx.

Akiya82 commented 6 months ago

It is possible to remove the «Server Name» field altogether. Instead, the program can be given the definition of this variable and loop through the names in the certificate. The program will then search for a wildcard domain and find its non-wildcard counterpart in the certificate. As a result, the client ID will be defined automatically.
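The certificate-name loop proposed in this comment, written out as an added Go example (not AdGuard Home's own code): it keeps every wildcard SAN whose plain counterpart is also in the certificate and then derives a ClientID from an SNI of the form `<id>.<base>`. The SAN list is constructed to mirror the issue, and the function names and the accepted label syntax are assumptions for this sketch.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Label syntax accepted for a ClientID here (assumption: one hostname label
// of lowercase letters, digits and inner hyphens).
var clientIDRe = regexp.MustCompile(`^[a-z0-9]([a-z0-9-]*[a-z0-9])?$`)

// baseNames walks the names in a certificate: every wildcard entry "*.x"
// whose plain counterpart "x" is also present yields "x" as a server name
// usable for ClientID detection. Orphan wildcards are ignored.
func baseNames(sans []string) []string {
	present := make(map[string]bool, len(sans))
	for _, n := range sans {
		present[strings.ToLower(n)] = true
	}
	var bases []string
	for _, n := range sans {
		n = strings.ToLower(n)
		base := strings.TrimPrefix(n, "*.")
		if base != n && present[base] {
			bases = append(bases, base)
		}
	}
	return bases
}

// clientID extracts "<id>" from an SNI of the form "<id>.<base>" for any of
// the detected bases. A bare base name, a name under no base, or an id that
// is not a single valid label yields "" (no ClientID).
func clientID(sni string, bases []string) string {
	sni = strings.ToLower(strings.TrimSuffix(sni, "."))
	for _, base := range bases {
		id := strings.TrimSuffix(sni, "."+base)
		if id != sni && clientIDRe.MatchString(id) {
			return id
		}
	}
	return ""
}

func main() {
	// Constructed SAN list mirroring the certificate described in the issue.
	bases := baseNames([]string{"*.doh-agh.xxx.com", "doh-agh.xxx.com",
		"*.dot-agh.xxx.com", "dot-agh.xxx.com", "*.doq-agh.xxx.com", "doq-agh.xxx.com"})
	fmt.Println(bases, clientID("phone.dot-agh.xxx.com", bases), clientID("doq-agh.xxx.com", bases))
}
```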

hdm9527 commented 2 months ago

When multiple certificates are merged into one certificate, IP certificates are not recognized, but single-IP or single-domain certificates can be recognized.

dolceAlka commented 3 days ago

This suggestion would allow for using single certs for specific devices to be used for clientID without getting a wildcard cert as well.