TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0
4.25k stars 418 forks

How do DNS Server on Ubuntu Linux configure doh / dot? #118

Closed liang-hiwin closed 4 years ago

liang-hiwin commented 4 years ago

Hello, I'm a stupid person. Can you tell me how to configure DOH / DOT? How is the certificate configured? The four types of certificates I applied for in certbot are "cert1.pem", "chain1.pem", "fullchain1.pem", "privkey1.pem", but I see the certificate format in DNS Server needs to be ".pfx". I'm confused now and don't know how to configure it.

liang-hiwin commented 4 years ago

I think this option of Forwarder Protocol can be deleted. I think I can judge the type of DNS-over-UDP (default), DNS-over-HTTPS, DNS-over-TLS according to the input information, as long as the information is filled in. In that case, you can refer to the picture below for optimization.

ShreyasZare commented 4 years ago

Hello, I'm a stupid person. Can you tell me how to configure DOH / DOT? How is the certificate configured? The four types of certificates I applied for in certbot are "cert1.pem", "chain1.pem", "fullchain1.pem", "privkey1.pem", but I see the certificate format in DNS Server needs to be ".pfx". I'm confused now and don't know how to configure it.

Thanks for the post. You just need to create a pfx file using the openssl command shown below:

openssl pkcs12 -export -out "cert.pfx" -inkey "privkey1.key" -in "cert1.crt" -certfile "chain1.crt"

Note that you need to install this pfx certificate only if you want to host DoH or DoT service.

ShreyasZare commented 4 years ago

I think this option of Forwarder Protocol can be deleted. I think I can judge the type of DNS-over-UDP (default), DNS-over-HTTPS, DNS-over-TLS according to the input information, as long as the information is filled in. In that case, you can refer to the picture below for optimization.

Thanks for the suggestion. This has already been thought through in detail. There is really no point in mixing different forwarders with different protocols. Mixing secure protocols with plain UDP is totally useless as you are exposing your traffic over UDP, which defeats the entire purpose of having a secure protocol.

And, it's critical in certain cases to be able to specify the protocol, like when you want to use DoH with JSON format.

You can use two different forwarders like one from Google and another from Cloudflare together using DoH or DoT but now, you share your data with both instead of just one.

It's thus best to use a single provider as forwarder with a secure protocol if available. Else, just remove all forwarders and let the DNS server do the recursive resolution itself to avoid being tracked by those forwarders (ISP will still be able to track though).

liang-hiwin commented 4 years ago

I think this option of the Forwarder Protocol can be deleted. I think I can judge the type of DNS-over-UDP (default), DNS-over-HTTPS, DNS-over-TLS according to the entered information, as long as the information is filled in. The picture below has been optimized.

Thanks for the suggestion. This has already been considered in detail. Mixing different forwarders with different protocols really makes no sense. Mixing secure protocols with plain UDP is completely useless, because you expose your traffic over UDP, which defeats the entire purpose of having a secure protocol.

And, in certain cases it is critical to be able to specify the protocol, such as when using DoH with the JSON format.

You can use two different forwarders at the same time over DoH or DoT, for example one forwarder from Google and another from Cloudflare, but now, you not only share your data, you also share it with both.

Therefore, it is best to use a single provider as the forwarder with a secure protocol (if available). Otherwise, just remove all forwarders and let the DNS server perform the recursive resolution itself, to avoid being tracked by those forwarders (although the ISP can still track).

Thank you for your patient reply. I don't think it is necessary to convert the certificate of doh / dot to ".pfx" before it can be used. After all, there is one more command to convert the certificate format.

liang-hiwin commented 4 years ago

What I mean is to use the default format of the certificate without converting the format of the certificate to ".pfx". What do you think?

ShreyasZare commented 4 years ago

The requirement for having pfx format certificate is since .NET SSL code requires certificate in pfx format to work.

liang-hiwin commented 4 years ago

The requirement for a pfx format certificate is because the .NET SSL code requires a certificate in pfx format to work.

ok-----I use this software for the first time, so I still have some doubts. How is this menu set? I understand it as follows: Set the translate.google.cn domain name to use 1.1.1.1 to resolve. I don't know if it's right.

liang-hiwin commented 4 years ago

I found a problem. The IP obtained after installation is not the public IP, but the host name or the internal IP.

ShreyasZare commented 4 years ago

The requirement for a pfx format certificate is because the .NET SSL code requires a certificate in pfx format to work.

ok-----I use this software for the first time, so I still have some doubts. How is this menu set? I understand it as follows: Set the translate.google.cn domain name to use 1.1.1.1 to resolve. I don't know if it's right.

The DNS Client tab in the software is to allow testing. You can use it to query the locally running DNS server or any other server to test connectivity and see if the selected protocol works before using it as a forwarder.

ShreyasZare commented 4 years ago

I found a problem. The IP obtained after installation is not the public IP, but the host name or the internal IP.

This is not an issue. It is as intended and uses your machine name to display the URL. It means you can use the given URL or use any of the IP addresses the server has to access the web portal.

liang-hiwin commented 4 years ago

When I fill in "127.0.0.1:5353" in the DNS client, I can't get the resolution result, but when I fill in "127.0.0.1:53", the resolution is normal, and the execution command "dig qq.com @127.0.0.1 -p 5353" is also normal. Therefore, I think dnsserver listens on the 127.0.0.1:53 address by default, rather than on other ports besides 53.

liang-hiwin commented 4 years ago

The standard port 53 has been hijacked, at least in my case, it's not parsed correctly, so it's very important to use a special port.

ShreyasZare commented 4 years ago

When I fill in "127.0.0.1:5353" in the DNS client, I can't get the resolution result, but when I fill in "127.0.0.1:53", the resolution is normal, and the execution command "dig qq.com @127.0.0.1 -p 5353" is also normal. Therefore, I think dnsserver listens on the 127.0.0.1:53 address by default, rather than on other ports besides 53.

The DNS Server runs by default on port 53 and changing the port is not supported.

ShreyasZare commented 4 years ago

The standard port 53 has been hijacked, at least in my case, it's not parsed correctly, so it's very important to use a special port.

Your port 53 is not hijacked. Your Ubuntu machine has dnsmasq/systemd-resolved running by default on port 53 and thus the DNS server is unable to use the same port. You need to disable dnsmasq/systemd-resolved for the DNS server to work correctly. Do read this blog post which gives install instructions in which disabling dnsmasq/systemd-resolved is discussed.

liang-hiwin commented 4 years ago

The standard port 53 has been hijacked, at least as far as I can see it is not resolved correctly, so using a special port is very important.

Your port 53 has not been hijacked. Your Ubuntu computer runs dnsmasq / systemd-resolved on port 53 by default, so the DNS server cannot use the same port. You need to disable dnsmasq / systemd-resolved for the DNS server to work properly. Please read this blog post, which provides installation instructions and discusses disabling dnsmasq / systemd-resolved.

Can you add a custom listening port? Port 53 has been seriously polluted in our country. In China.

ShreyasZare commented 4 years ago

Can you add a custom listening port? Port 53 has been seriously polluted in our country. In China.

Will note this as a feature request and will try to add it in the next release.

liang-hiwin commented 4 years ago

Can you add a custom listening port? Port 53 in our country has been seriously polluted. In China.

Will record this as a feature request and will try to add it in the next version.

Congratulations, looking forward, thank you

liang-hiwin commented 4 years ago

Sorry for delaying your rest time. So far I have too many questions about this project on github, please forgive me. It is recommended to add a right mouse button command to delete the log in the log list. This is useful for a low-performance Raspberry Pi (reducing the loading of the log content), because the current version can only be clicked to delete it. The log time does not correspond to the system time; the time displayed by the log is incorrect.

ShreyasZare commented 4 years ago

It is recommended to add a right mouse button command to delete the log in the log list. This is useful for a low-performance Raspberry Pi (reducing the loading of the log content), because the current version can only be clicked to delete it. The log time does not correspond to the system time; the time displayed by the log is incorrect.

You can delete the logs directly from Raspberry Pi via ssh from /etc/dns/config/logs directory. The UI is quite basic and more options will be added later when core features have been added.

Time in the log file is in UTC and not in local time. There is a plan to add an option in settings for changing the timezone in logs, which might be added in the next release.

liang-hiwin commented 4 years ago

Hello, I'll ask you a question again. Where is the data saved by "import" in this "DNS Client" menu button?

liang-hiwin commented 4 years ago

Technitium DNS Server cannot resolve the domain name "www.baidu.com". The upstream uses DOH, and the direct resolution through dot is normal, but after Technitium DNS Server cannot resolve, the resolution times out.

ShreyasZare commented 4 years ago

Hello, I'll ask you a question again. Where is the data saved by "import" in this "DNS Client" menu button?

The Import button in DNS Client will create or update the zone with the response received in the query. This feature allows you to quickly create a copy of a live zone on your local DNS server to allow testing. Once a domain name is imported as a zone, the DNS server will respond to the query from that zone and the live domain name won't be queried.

ShreyasZare commented 4 years ago

Technitium DNS Server cannot resolve the domain name "www.baidu.com". The upstream uses DOH, and the direct resolution through dot is normal, but after Technitium DNS Server cannot resolve, the resolution times out.

Try querying the domain name using the DNS Client tab with the same DoH server you have configured as forwarder. If that is working then make sure that you have not accidentally imported that domain name as a zone, as it will prevent resolving the live domain name. Check logs for errors and post the errors here for analysis.

liang-hiwin commented 4 years ago

Technitium DNS Server cannot resolve the domain name "www.baidu.com". The upstream uses DOH, and the direct resolution through dot is normal, but after Technitium DNS Server cannot resolve, the resolution times out.

Try querying the domain name using the DNS Client tab with the same DoH server you have configured as forwarder. If that is working then make sure that you have not accidentally imported that domain name as a zone, as it will prevent resolving the live domain name. Check logs for errors and post the errors here for analysis.

After I set the "dns client" --- "import", you cannot see the imported data in the "zones" area. The "www.baidu.com" cannot-resolve problem I found was because I set it wrong; it went back to normal after Baidu's ZONES were deleted.

liang-hiwin commented 4 years ago

"value" is sometimes a domain name, sometimes it is an IP.

ShreyasZare commented 4 years ago

"value" is sometimes a domain name, sometimes it is an IP.

This is how DNS works and there is no issue. What you are seeing is a record in cache and you are getting confused. Data in cache is not the full response. The domain mvconf.f.360.cn points to another domain, which points to another domain, which points to IP addresses. This is how CNAME works. Check the full response here.

liang-hiwin commented 4 years ago

Can I request additional addresses that support the following features? I think with the addition of these features, dns analytical results would be more accurate. Simply put, dns performs partition resolution. 1. Country IP ranges "http://www.iwik.org/ipcountry/" 2. GEOIP "https://dev.maxmind.com/geoip/geoip2/geolite2/"

ShreyasZare commented 4 years ago

Can I request additional addresses that support the following features? I think with the addition of these features, dns analytical results would be more accurate. Simply put, dns performs partition resolution. 1. Country IP ranges "http://www.iwik.org/ipcountry/" 2. GEOIP "https://dev.maxmind.com/geoip/geoip2/geolite2/"

This feature is in the to-do list but will be implemented only after most of the core features are done.

liang-hiwin commented 4 years ago

Can I request additional addresses that support the following features? I think with the addition of these features, dns analytical results would be more accurate. Simply put, dns performs partition resolution. 1. Country IP ranges "http://www.iwik.org/ipcountry/" 2. GEOIP "https://dev.maxmind.com/geoip/geoip2/geolite2/"

This feature is in the to-do list but will be implemented only after most of the core features are done.

Great, I shouldn't bother you.

liang-hiwin commented 4 years ago

hello.

System.IO.EndOfStreamException: Unable to read beyond the end of the stream.
   at System.IO.BinaryReader.InternalRead(Int32 numBytes)
   at System.IO.BinaryReader.ReadInt32()
   at DnsServerCore.Dns.StatsManager.StatCounter..ctor(BinaryReader bR) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\StatsManager.cs:line 1018
   at DnsServerCore.Dns.StatsManager.HourlyStats..ctor(BinaryReader bR) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\StatsManager.cs:line 897
   at DnsServerCore.Dns.StatsManager.LoadHourlyStats(DateTime dateTime) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\StatsManager.cs:line 259

[2020-02-08 00:24:40 UTC] DNS Server recursive resolution failed for QNAME: bing.com; QTYPE: AAAA; QCLASS: IN; TechnitiumLibrary.Net.Dns.DnsClientException: DnsClient failed to resolve the request: no response from name servers.
 ---> System.Net.WebException: The SSL connection could not be established, see inner exception. Authentication failed because the remote party has closed the transport stream.
 ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   [System.Net.Security.SslStream handshake frames through AuthenticateAsClientAsync]
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   [System.Net.Http.HttpConnectionPool / HttpClient / HttpWebRequest frames]
   at System.Net.HttpWebRequest.GetResponse()
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at TechnitiumLibrary.Net.WebClientEx.GetWebResponse(WebRequest request) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\WebClientEx.cs:line 317
   [System.Net.WebClient DownloadBits / UploadBits / UploadData frames]
   at TechnitiumLibrary.Net.Dns.ClientConnection.HttpsClientConnection.Query(DnsDatagram request) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\ClientConnection\HttpsClientConnection.cs:line 89
   at TechnitiumLibrary.Net.Dns.DnsClient.Resolve(DnsDatagram request) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1157
   --- End of inner exception stack trace ---

Attached: 2020-02-08.log

ShreyasZare commented 4 years ago

The exception is about failing to connect to the DoH forwarder. If this error is repeating then it means there is an issue with network connectivity to that DNS forwarder. If the error is just coming once or twice then it's just some network issue that interrupted the connection.

liang-hiwin commented 4 years ago

The exception is about failing to connect to the DoH forwarder. If this error is repeating then it means there is an issue with network connectivity to that DNS forwarder. If the error is just coming once or twice then it's just some network issue that interrupted the connection.

What is the default timeout for connecting upstream doh?

liang-hiwin commented 4 years ago

Doh set up cdn and found that he could still be hijacked.

liang-hiwin commented 4 years ago

After running for a few minutes, the program became very stuck and could not log in. I can only restart the program. "htop" shows that the server is running normally, but the Technitium DNS Server web interface is very stuck and I can only restart Technitium DNS Server.

liang-hiwin commented 4 years ago

Oh my god, I'm going crazy. I restarted "sudo systemctl restart dns.service" again, otherwise it won't work. The system is debian9.6-x64 (4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux). How many times do you have to restart "sudo systemctl restart dns.service" in a day, my god! Is there any way you can run stably?

ShreyasZare commented 4 years ago

The exception is about failing to connect to the DoH forwarder. If this error is repeating then it means there is an issue with network connectivity to that DNS forwarder. If the error is just coming once or twice then it's just some network issue that interrupted the connection.

What is the default timeout for connecting upstream doh?

It's 2 seconds, which is the standard value for DNS.

liang-hiwin commented 4 years ago

The exception is about failing to connect to the DoH forwarder. If this error is repeating then it means there is an issue with network connectivity to that DNS forwarder. If the error is just coming once or twice then it's just some network issue that interrupted the connection.

What is the default timeout for connecting upstream doh?

It's 2 seconds, which is the standard value for DNS.

How to make the program run normally? It crashes every day here; web: 5380 no response.

ShreyasZare commented 4 years ago

How to make the program run normally? It crashes every day here; web: 5380 no response.

What is the hardware config of the machine? Have you loaded too many block lists? How much is free RAM available?

The DNS server is stable; I have been running it on a Raspberry Pi (1GB RAM) for more than a year without any issues.

liang-hiwin commented 4 years ago

The above picture has the system configuration. The system has 2 cores and 2 GB of memory. I have no need to configure the shield address.

liang-hiwin commented 4 years ago

root@iZwz9d1rjhrzzxa4lsoi93Z:~# free -m

ShreyasZare commented 4 years ago

It's difficult to tell why the web panel at port 5380 is not responding. There has been no such feedback from anyone like this, nor have I seen this on my own setups on Raspberry Pi, Ubuntu 18.04 VM, Windows 10 and Windows Server 2016.

liang-hiwin commented 4 years ago

In this .NET Core 3.1 environment download, I installed option 1 (.NET Core runtime). Did I choose the wrong one?

ShreyasZare commented 4 years ago

In this .NET Core 3.1 environment download, I installed option 1 (.NET Core runtime). Did I choose the wrong one?

That's fine. The DNS server won't run at all on the wrong version of .NET Core.

liang-hiwin commented 4 years ago

Hello, can you help me configure doh / dot? I configured the doh / dot and it fails to connect.

ShreyasZare commented 4 years ago

Hello, can you help me configure doh / dot? I configured the doh / dot and it fails to connect.

The DNS Server Domain name does not matter for DoH or DoT. The domain name used for creating the SSL/TLS certificate must be used by clients. Restart the DNS server once for the DoH/DoT service to start. Check logs to see if the DoH/DoT service started without any errors. Also you can confirm if the server is listening on ports 443 and 853 using the netstat -nlpt shell command.

Once everything looks good, use the built-in DNS Client tab, use the domain name in the certificate to form a URL, and query the server using the HTTPS protocol to test.

liang-hiwin commented 4 years ago

[HTTPS] System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
 ---> Interop+Crypto+OpenSslCryptographicException: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
   --- End of inner exception stack trace ---
   at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, ArraySegment`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   [System.Net.Security.SslStream receive/send blob and ForceAuthentication frames]
   at System.Net.Security.SslStream.ProcessAuthentication(LazyAsyncResult lazyResult, CancellationToken cancellationToken)
   at System.Net.Security.SslStream.AuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions)

ShreyasZare commented 4 years ago

[HTTPS] System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL.
 ---> Interop+Crypto+OpenSslCryptographicException: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
   --- End of inner exception stack trace ---
   at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, Byte[] recvBuf, Int32 recvOffset, Int32 recvCount, Byte[]& sendBuf, Int32& sendCount)
   at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteContext& context, ArraySegment`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions)
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   [System.Net.Security.SslStream receive/send blob and ForceAuthentication frames]
   at System.Net.Security.SslStream.ProcessAuthentication(LazyAsyncResult lazyResult, CancellationToken cancellationToken)
   at System.Net.Security.SslStream.AuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions)

The exception is saying "bad certificate" which indicates something is wrong with the certificate in use.

liang-hiwin commented 4 years ago

Brother, I can't apply for a certificate through the address where you host the certificate.

ShreyasZare commented 4 years ago

Brother, I can't apply for a certificate through the address where you host the certificate.

I haven't used this tool for a while now, so not sure if there is an issue with it. But, note that the commands in there are Windows only. Do try again with care, since any mistake in pasting the openssl output will take you back to step 1.

There is an alternative to hosting DoT & DoH service by using nginx as reverse proxy with TLS termination. For DoH you can configure nginx with SSL certificate and reverse proxy to the DNS server with DNS-over-HTTP protocol option.

For DoT you can use SSL termination for TCP stream in nginx. Read this blog post for details on configuration.

The advantage of using nginx is that you can configure certbot to automatically renew the Let's Encrypt certificate, since the DNS server does not have an auto-renewal feature yet.
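If you keep DoH/DoT on the DNS server itself rather than behind nginx, the pfx conversion from the openssl command earlier in this thread can be wired into certbot so the renewal gap mentioned above is covered anyway. The following deploy hook is an added example and not the Technitium project's own code; it assumes certbot's live directory layout (privkey.pem, cert.pem, chain.pem), a PFX_PASSWORD environment variable holding the password configured in the DNS server settings, /etc/dns/cert.pfx as the configured certificate path, and the dns.service unit name used in this thread.

```shell
#!/bin/sh
# certbot deploy hook (constructed example): re-export the renewed Let's Encrypt
# PEM files to the PFX file Technitium DNS Server needs for DoH/DoT, then
# restart the service so the new certificate is loaded.
# Install as /etc/letsencrypt/renewal-hooks/deploy/dns-pfx.sh (assumed path)
# or pass it with certbot's --deploy-hook option.
set -eu

# export_pfx LIVE_DIR OUT_PFX
# Checks that the three certbot inputs exist and that a PFX password is
# available, then runs openssl pkcs12 with a private umask so the output,
# which contains the private key, is never world-readable.
# OPENSSL may be overridden to point at a different openssl binary.
export_pfx() {
    live_dir=$1
    out_pfx=$2
    for f in privkey.pem cert.pem chain.pem; do
        if [ ! -r "$live_dir/$f" ]; then
            echo "export_pfx: missing input $live_dir/$f" >&2
            return 1
        fi
    done
    if [ -z "${PFX_PASSWORD:-}" ]; then
        echo "export_pfx: PFX_PASSWORD is not set" >&2
        return 1
    fi
    # -passout env:NAME makes openssl read the password from the environment,
    # so it never appears in the process list or shell history.
    export PFX_PASSWORD
    old_umask=$(umask)
    umask 077
    "${OPENSSL:-openssl}" pkcs12 -export \
        -out "$out_pfx" \
        -inkey "$live_dir/privkey.pem" \
        -in "$live_dir/cert.pem" \
        -certfile "$live_dir/chain.pem" \
        -passout env:PFX_PASSWORD
    umask "$old_umask"
    chmod 600 "$out_pfx"
}

# certbot runs deploy hooks with RENEWED_LINEAGE set to the live directory of
# the lineage that was just renewed. When the variable is absent (manual run,
# or sourcing the file to test export_pfx) nothing is exported or restarted.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    export_pfx "$RENEWED_LINEAGE" "${DNS_PFX_PATH:-/etc/dns/cert.pfx}"
    systemctl restart dns.service
fi
```

After a renewal, confirm the DNS server picked up the new file by checking its logs and that ports 443 and 853 are still listening, as described above.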

liang-hiwin commented 4 years ago

Hello brother! Please check this part of the code. I manually add a custom DOH, and it does not take effect. Now I can only rely on the forwarder to use doh, and the default is udp because of the "Forwarder Protocol" limitation, so I look forward to removing this limitation in the next version.