Closed nRafinia closed 3 years ago
Thanks for the feedback. It seems that the certificate that you are using is missing some intermediary CA or ROOT certificate. This is causing the cert validation to fail. Try creating a new pfx cert file with the complete CA + root cert bundle.
If you got this setup exposed to the Internet then try to run SSL Test which will give you more details on the issue.
Thanks for the reply. The SSL type of the server is LetsEncrypt.
Let me know the openssl command that you used to convert the letsencrypt certificate to pfx cert format.
Do refer to this blog post in case you haven't: https://blog.technitium.com/2020/07/how-to-host-your-own-dns-over-https-and.html
The file is created according to the same URL: blog.technitium.com/2020/07/how-to-host-your-own-dns-over-https-and.html
I moved the certificates manually to Mikrotik. After this, the previous error changed and this error is now logged in Mikrotik:
DoH server connection error: remote disconnected while in HTTP exchange
and
DoH server response not OK: 406: <html><head><title>406 Not Acceptable</title></head><body><h1>406 Not Acceptable</h1><p>Only application/dns-message and application/dns-json types are accepted.</p></body></html>
If you are seeing a 406 error message in the web browser then it means the SSL cert is now working well.
The 406 error itself is generated by the DNS server since the request sent by the web browser is not what it expects, as this is a DoH server. The DoH server will respond correctly only to DoH requests, which is what the error description says.
Just try to use the DNS Client tab and query your DoH server's URI from there and you should get a correct response back.
Sending the request through https://dnsclient.net and the browser is successful and there is no problem.
Sending a request only through Mikrotik is difficult. By simulating the server through a small program, I almost got the details of the request sent via Mikrotik.
Mikrotik has no problem with DoH sites like Cloudflare or Google. I debugged your project code, in the DnsServer.cs file line 606, when you recognize the header type of request, you take Accept while Mikrotik sends only Content-Type.
Thanks for the debugging. Ya, the DoH implementation expects the client to provide the MIME type in the Accept header. I can make this use the MIME type in Content-Type and, if that too is missing, make it assume a default type. This should make it work for Mikrotik.
I changed the code and tested it. But there was another error on Mikrotik
DoH server connection error: remote disconnected while in HTTP exchange
This is expected with a 406 response since the server will close the connection when it returns an error code.
It seems to be due to the Connection: close header being missing for the error response. Will get that fixed too.
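The two server-side points discussed above, the Accept/Content-Type fallback and the missing Connection: close on the 406, as an added example that is not Technitium's own code (written in Python rather than the project's C#; function names and the plain header dict are assumptions):

```python
# Added example (not the DnsServer project's code): DoH media-type negotiation
# with the fallback proposed in this thread. A client that sends only
# Content-Type (as Mikrotik does here) is accepted; a request whose type the
# server cannot produce gets a 406 carrying Connection: close, so the client
# sees a deliberate close rather than "remote disconnected" mid-exchange.
from typing import Dict, Optional, Tuple

DNS_MESSAGE = "application/dns-message"
DNS_JSON = "application/dns-json"
ACCEPTED = (DNS_MESSAGE, DNS_JSON)


def _media_type(value: Optional[str]) -> Optional[str]:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    if not value:
        return None
    return value.split(";", 1)[0].strip().lower()


def negotiate_doh_type(headers: Dict[str, str]) -> Optional[str]:
    """Return the DoH media type to answer with, or None if unusable.

    Order: Accept first, then Content-Type, then default to
    application/dns-message (the wire format every DoH client must support).
    """
    lookup = {k.lower(): v for k, v in headers.items()}
    accept = lookup.get("accept")
    if accept:
        for part in accept.split(","):
            mt = _media_type(part)
            if mt in ACCEPTED:
                return mt
            if mt in ("*/*", "application/*"):
                return DNS_MESSAGE
        return None  # Accept was given but lists nothing we can produce
    ctype = _media_type(lookup.get("content-type"))
    if ctype:
        return ctype if ctype in ACCEPTED else None
    return DNS_MESSAGE  # neither header present: assume wire format


def build_response(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Status code and response headers for the negotiation outcome."""
    mt = negotiate_doh_type(headers)
    if mt is None:
        # Error responses close the connection explicitly; without this
        # header the client may keep waiting on a socket about to be dropped.
        return 406, {"Content-Type": "text/html", "Connection": "close"}
    return 200, {"Content-Type": mt}
```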
I have added a fix for this issue in the latest update, v6.1. Do check and let me know if it's fixed.
Upgrading to 7.11 reduced the error count. Then I created a script to flush the DNS cache each hour. Seeing fewer errors now.
Flushing DNS cache frequently is not a good idea as it will affect performance.
Well, I don't see any performance issue so far. All its hardware resource usage is usual. Before the change I couldn't even connect to the internet sometimes.
Hi, the following error is logged when using DoH via Mikrotik:
[HTTPS] System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception. ---> Interop+OpenSsl+SslException: SSL Handshake failed with OpenSSL error - SSL_ERROR_SSL. ---> Interop+Crypto+OpenSslCryptographicException: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca --- End of inner exception stack trace --- at Interop.OpenSsl.DoSslHandshake(SafeSslHandle context, ReadOnlySpan`1 input, Byte[]& sendBuf, Int32& sendCount) at System.Net.Security.SslStreamPal.HandshakeInternal(SafeFreeCredentials credential, SafeDeleteSslContext& context, ReadOnlySpan`1 inputBuffer, Byte[]& outputBuffer, SslAuthenticationOptions sslAuthenticationOptions) --- End of inner exception stack trace --- at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter adapter, Boolean receiveFirst, Byte[] reAuthenticationData, Boolean isApm) at DnsServerCore.Dns.DnsServer.ProcessConnectionAsync(Socket socket, DnsTransportProtocol protocol, Boolean usingHttps) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 449