folbricht / routedns

DNS stub resolver, proxy and router with support for DoT, DoH, DoQ, and DTLS
BSD 3-Clause "New" or "Revised" License
476 stars 63 forks

TLS Listener does not work at all (DoT) #397

Open cbuijs opened 5 months ago

cbuijs commented 5 months ago

Using:

[listeners.dot]
address = "[::]:853" #TCP
protocol = "dot"
resolver = "dedup"
server-crt = "/opt/routedns-home/certs/fullchain.pem"
server-key = "/opt/routedns-home/certs/privkey.pem"

It listens on port 853, but does not respond to any DoT queries. No errors at all at RouteDNS side.

I use the same certificates with DoH and DoQ, and it works fine. Also when using DNSDIST, everything works fine. Guess the TLS implementation is not working.

DNS/TLS client errors (kdig):

kdig @192.168.1.32 -p 853 +tls www.paypal.com
;; WARNING: TLS, handshake failed (The TLS connection was non-properly terminated.)
;; ERROR: failed to query server 192.168.1.32@853(TCP)

It seems to send an EOF to any query.

folbricht commented 4 months ago

I tried that config and it seems to be working for me. Can you try a few things?

1) Use :853 to rule out anything going on with ip6 there
2) Use netstat -anl or similar to confirm it's actually listening
3) openssl s_client -connect 192.168.1.32:853 to check if you can get a TLS handshake

This looks like something in the network is blocking it, perhaps a firewall or a routing issue.

cbuijs commented 4 months ago

I did some combinations like :853 or 192.168.1.32:853 etc., and it didn't fix it.

It does listen, and I see traffic; it just provides a completely empty response.

tcp6       0      0 :::853                  :::*                    LISTEN      435/bin/routedns    
tcp6       0      0 :::53                   :::*                    LISTEN      435/bin/routedns    
tcp6       0      0 :::443                  :::*                    LISTEN      435/bin/routedns    
udp6       0      0 :::53                   :::*                                435/bin/routedns    
udp6       0      0 :::443                  :::*                                435/bin/routedns    
udp6       0      0 :::853                  :::*                                435/bin/routedns 

The openssl connect output:

openssl s_client -connect 192.168.1.32:853
Connecting to 192.168.1.32
CONNECTED(00000003)
C0FAC7F901000000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:692:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 306 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

I use the same certificates for DoH and it just works; the openssl connect provides all the info/data/etc. (will not share as it is sensitive info).
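The openssl output above shows the server closing the connection with 0 bytes read, i.e. before the TLS handshake completes, which is a different failure from "TLS works but no DNS answer comes back". The following stage-by-stage DoT probe is an added example for this thread, not part of RouteDNS; the host and port are placeholders, the query name is arbitrary, and the wire-format builder/parser only covers the header and question section.

```python
"""Stage-by-stage DNS-over-TLS (DoT) probe (added example, not RouteDNS code).

Separates three failure modes that a stub resolver reports alike:
  1. TCP connect fails (firewall / routing),
  2. server accepts TCP but closes during the TLS handshake (EOF),
  3. TLS completes but no DNS answer arrives.
"""
import secrets
import socket
import ssl
import struct
from typing import Optional, Tuple


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build a DNS query (RD set, one question, class IN), no TCP length prefix."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    return header + question


def frame(msg: bytes) -> bytes:
    """Add the 2-byte length prefix used for DNS over TCP and TLS."""
    return struct.pack(">H", len(msg)) + msg


def parse_header(msg: bytes) -> dict:
    """Parse the 12-byte DNS header of a response."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def recv_exact(sock, n: int) -> Optional[bytes]:
    """Read exactly n bytes, or None if the peer closes first."""
    buf = b""
    while len(buf) < n:
        try:
            chunk = sock.recv(n - len(buf))
        except (ssl.SSLEOFError, ConnectionError, socket.timeout):
            return None
        if not chunk:
            return None
        buf += chunk
    return buf


def probe_dot(host: str, port: int = 853, name: str = "example.com",
              server_name: Optional[str] = None, timeout: float = 5.0,
              verify: bool = True) -> Tuple[str, Optional[dict]]:
    """Return (stage, header). stage is one of: tcp-connect-failed,
    tls-handshake-eof, tls-cert-verify-failed, tls-handshake-failed,
    no-dns-answer, short-answer, bad-answer, ok."""
    ctx = ssl.create_default_context()
    if not verify:  # only for lab diagnostics against self-signed certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp-connect-failed", None
    try:
        # wrap_socket performs the handshake immediately on a connected socket.
        tls = ctx.wrap_socket(raw, server_hostname=server_name or host)
    except (ssl.SSLEOFError, ConnectionResetError):
        # Peer closed before ServerHello: openssl's "unexpected eof while reading".
        raw.close()
        return "tls-handshake-eof", None
    except ssl.SSLCertVerificationError:
        raw.close()
        return "tls-cert-verify-failed", None
    except (ssl.SSLError, OSError):
        raw.close()
        return "tls-handshake-failed", None
    with tls:
        txid = secrets.randbits(16)
        tls.sendall(frame(build_query(txid, name)))
        prefix = recv_exact(tls, 2)
        if prefix is None:
            return "no-dns-answer", None  # TLS fine, server sent nothing
        body = recv_exact(tls, struct.unpack(">H", prefix)[0])
        if body is None:
            return "short-answer", None
        hdr = parse_header(body)
        if hdr["id"] != txid or not hdr["is_response"]:
            return "bad-answer", hdr
        return "ok", hdr


if __name__ == "__main__":
    # Placeholder target; substitute the listener under test.
    print(probe_dot("192.0.2.1", 853, timeout=3))
```

Run it against the listener and compare with the same probe against a known-good DoT server: "tls-handshake-eof" means the TLS layer on the server side is refusing or aborting the connection and no DNS bytes were ever exchanged, while "no-dns-answer" means the certificate and handshake are fine and the problem lies after TLS in the DNS handling.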

liang-hiwin commented 3 months ago

I have the same problem, dns-over-tls doesn't work properly

folbricht commented 2 months ago

@liang-hiwin I'd need a bit more information. A snippet of your config and maybe a log would be good

liang-hiwin commented 2 months ago

@liang-hiwin I'd need a bit more information. A snippet of your config and maybe a log would be good

The log is fine, but dot does not work.