AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0

Support for ignoring certificate errors from upstream DNS servers #7086

Open HX-Technology-LLC opened 3 months ago

HX-Technology-LLC commented 3 months ago

The problem

When running AdGuard Home on Windows 7/8.1 with the upstream DNS configured as DoH or DoT by IP address, certificate validity cannot be verified properly.

Proposed solution

Ignore SSL certificate checking, or use non-system SSL certificate validation, like Firefox does.

Alternatives considered and additional information

No response

Cebeerre commented 3 months ago

Could you please elaborate on what you are trying to achieve? Using secured SSL/TLS endpoints with the proper domain and checking that everything makes sense is actually the point, to ensure nobody is "on the wire"...

HX-Technology-LLC commented 2 months ago

> Could you please elaborate on what you are trying to achieve? Using secured SSL/TLS endpoints with the proper domain and checking that everything makes sense is actually the point, to ensure nobody is "on the wire"...

I deployed AdGuard Home in my Windows 7 VM and set up the upstream servers as tls://8.8.4.4 and tls://1.1.1.1, and found that there were a lot of certificate validation errors. Using the IE browser (because it uses the schannel component that comes with the system) to access https://1.1.1.1 gives certificate error prompts consistent with those of AdGuard Home, and I'm wondering if I can skip the certificate errors and query directly.

Translated with DeepL.com (free version)

Cebeerre commented 2 months ago

> > Could you please elaborate on what you are trying to achieve? Using secured SSL/TLS endpoints with the proper domain and checking that everything makes sense is actually the point, to ensure nobody is "on the wire"...
>
> I deployed AdGuard Home in my Windows 7 VM and set up the upstream servers as tls://8.8.4.4 and tls://1.1.1.1, and found that there were a lot of certificate validation errors. Using the IE browser (because it uses the schannel component that comes with the system) to access https://1.1.1.1 gives certificate error prompts consistent with those of AdGuard Home, and I'm wondering if I can skip the certificate errors and query directly.
>
> Translated with DeepL.com (free version)

Why don't you just set up the upstream servers as:

tls://dns.google
https://dns.google/dns-query
tls://1dot1dot1dot1.cloudflare-dns.com
https://dns.cloudflare.com/dns-query

So that the certificates are actually validated?

samlux04 commented 2 months ago

Sometimes, even when using https://dns.cloudflare.com/dns-query or https://one.one.one.one/dns-query, I also get a certificate error under the Cloudflare WARP VPN or other VPNs. Which is kind of funny, considering it's a Cloudflare product.

HX-Technology-LLC commented 1 month ago

> > Could you please elaborate on what you are trying to achieve? Using secured SSL/TLS endpoints with the proper domain and checking that everything makes sense is actually the point, to ensure nobody is "on the wire"...
>
> I deployed AdGuard Home in my Windows 7 VM and set up the upstream servers as tls://8.8.4.4 and tls://1.1.1.1, and found that there were a lot of certificate validation errors. Using the IE browser (because it uses the schannel component that comes with the system) to access https://1.1.1.1 gives certificate error prompts consistent with those of AdGuard Home, and I'm wondering if I can skip the certificate errors and query directly.
>
> Translated with DeepL.com (free version)

> Why don't you just set up the upstream servers as:
>
> tls://dns.google
> https://dns.google/dns-query
> tls://1dot1dot1dot1.cloudflare-dns.com
> https://dns.cloudflare.com/dns-query
>
> So that the certificates are actually validated?

The certificate is verified, and if it's set to a domain name it's fine, but I'd like to reduce the time it takes to resolve the encrypted DNS domain on the first query, and also reduce the information leakage caused by the SNI.
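To make the trade-off in the two comments above concrete (upstream by hostname so the certificate validates, versus upstream by IP to avoid the bootstrap lookup and the SNI), here is an added Go example. It is not AdGuard Home's own code; it uses only the standard library's crypto/x509. It builds a constructed in-memory CA and two leaf certificates (dns.example.test and 192.0.2.53 are placeholder values, not a real resolver) and runs the two checks a DoT/DoH client performs after the handshake: chaining the leaf to a trusted root, and matching the name the client connected by against the certificate's SANs. Connecting by IP address needs an IP SAN in the certificate, and a root that is missing from the trust store fails the check whether the upstream was written as an IP or a hostname; the example tells those two failures apart, which a generic "certificate error" prompt does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// TestPKI is a constructed in-memory stand-in for a resolver's certificate chain;
// dns.example.test and 192.0.2.53 are placeholders, not a real resolver.
type TestPKI struct {
	Roots    *x509.CertPool
	IPAndDNS *x509.Certificate // SANs: dns.example.test and 192.0.2.53
	DNSOnly  *x509.Certificate // SAN: dns.example.test only
}

// newCert generates a P-256 key and issues a certificate for it; with
// signer == nil the certificate is self-signed (used for the root).
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func BuildTestPKI() *TestPKI {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, caKey := newCert(caTmpl, caTmpl, nil)
	// Both leaves chain to the same root; only the SAN list differs.
	leaf := func(serial int64, ips []net.IP) *x509.Certificate {
		c, _ := newCert(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: "dns.example.test"},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
			DNSNames:     []string{"dns.example.test"},
			IPAddresses:  ips,
		}, ca, caKey)
		return c
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &TestPKI{Roots: roots, IPAndDNS: leaf(2, []net.IP{net.ParseIP("192.0.2.53")}), DNSOnly: leaf(3, nil)}
}

// CheckUpstreamCert does what a DoT/DoH client does after the handshake: chain the
// leaf to a trusted root, then match the name it connected by (hostname or IP
// literal) against the SANs. The result separates a missing root from a name mismatch.
func CheckUpstreamCert(leaf *x509.Certificate, roots *x509.CertPool, name string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	var hn x509.HostnameError
	var ua x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hn):
		return "name-mismatch"
	case errors.As(err, &ua):
		return "unknown-authority"
	}
	return "other: " + err.Error()
}

func main() {
	p := BuildTestPKI()
	fmt.Println("IP upstream, no IP SAN:     ", CheckUpstreamCert(p.DNSOnly, p.Roots, "192.0.2.53"))
	fmt.Println("IP upstream, root untrusted:", CheckUpstreamCert(p.IPAndDNS, x509.NewCertPool(), "192.0.2.53"))
}
```

The safe alternative to ignoring the error is to keep verification but control its inputs: in Go that is a tls.Config with RootCAs set to a pool you supply (rather than the OS store) and ServerName set to the name you expect, while dialing whichever address you like. Note that a hostname in ServerName is also sent as SNI, whereas Go omits SNI when ServerName is an IP literal, so the by-IP form is the one that avoids the SNI leak, and it is exactly the form that needs both an IP SAN in the certificate and a trusted root.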

HX-Technology-LLC commented 1 month ago

> Sometimes, even when using https://dns.cloudflare.com/dns-query or https://one.one.one.one/dns-query, I also get a certificate error under the Cloudflare WARP VPN or other VPNs. Which is kind of funny, considering it's a Cloudflare product.

Maybe there are some issues with processing the certificates?

samlux04 commented 1 month ago

> > Sometimes, even when using https://dns.cloudflare.com/dns-query or https://one.one.one.one/dns-query, I also get a certificate error under the Cloudflare WARP VPN or other VPNs. Which is kind of funny, considering it's a Cloudflare product.
>
> Maybe there are some issues with processing the certificates?

I have no idea. It just often/always gives a bad certificate error when using Cloudflare WARP.