kkebo / DNSecure

DNSecure is a configuration tool of DoT and DoH for iOS and iPadOS.
MIT License

Can’t use IP DNS server as a fallback #36

Open Zenuncl opened 3 years ago

Zenuncl commented 3 years ago

On my configuration, IP DNS and DNS over TLS don’t work together.

Created a new entry for my customized DNS. Using a self-built AdGuard for DNS over TLS, and tried to set up 1.1.1.1 as a failover.

DoT works alone, but whenever I added 1.1.1.1 under the server section, the network stopped working. No page loaded.

Tried DoH as well, same issue.

Either DoH or DoT, my AdGuard works alone without any IP entered, but they can’t work together.

I also tried a self-signed profile, which seems to have the same issue. Not sure if it’s an Apple-side issue or what. Those built-in configurations work though.

Since this app doesn’t have logs, I can’t really debug it myself. Anyone have a similar issue and know the solution?

kkebo commented 3 years ago

IP addresses on the servers section are tied to the DNS-over-TLS/HTTPS settings section's server name or URL. For example, to use Cloudflare's 1.1.1.1 as DoT, you must specify cloudflare-dns.com as the server name on the DNS-over-TLS settings section. So, you cannot use your customized DNS server and 1.1.1.1 at the same time.

Zenuncl commented 3 years ago

Does that mean the DoT/DoH hostname needs to match the IP address? What if I use my own DoT? Do I need to also use my own DNS’s IP for it?

I believe the fallback should be another DNS, so for example if I use my own DoT, dns.example.com, I would like to have a failover DNS such as 1.1.1.1, so that in case my DoT fails or for whatever reason isn’t working, I still have the fallback 1.1.1.1 to resolve domains without any issue. (Maybe a warning, but not completely losing internet.)

kkebo commented 3 years ago

Does that mean the DoT/DoH hostname needs to match the IP address?

No. In case of DoT, it's a domain name of the certificate, and in case of DoH, it's an endpoint of DoH resolver.

For example, Cloudflare is using cloudflare-dns.com for their DoT's certificate as described here, and https://cloudflare-dns.com/dns-query as an endpoint of DoH as described here.

I believe the fallback should be another DNS, so for example if I use my own DoT, dns.example.com, I would like to have a failover DNS such as 1.1.1.1, so that in case my DoT fails or for whatever reason isn’t working, I still have the fallback 1.1.1.1 to resolve domains without any issue. (Maybe a warning, but not completely losing internet.)

I believe that iOS's NEDNSSettingsManager API doesn't support a fallback like that. If so, we can't do it. I'll read the documentation again.
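The pairing kkebo describes in the two replies above (server IPs tied to the DoT certificate name or the DoH endpoint URL) is what Apple's NEDNSSettingsManager API expresses directly. The following Swift is an added example written for this page, not DNSecure's own code: it builds the Cloudflare DoT and DoH settings from the replies, a self-hosted DoT entry, and the mixed configuration the reporter tried. The hostname `dns.example.com` and the address `203.0.113.53` are placeholders, not real resolvers. For DoT, iOS uses `serverName` to validate the certificate presented by every address in `servers`, so listing 1.1.1.1 (which presents a certificate for `cloudflare-dns.com`) under a self-hosted `serverName` fails validation for that address instead of acting as a plain-DNS fallback; the settings classes expose no separate fallback field.

```swift
import NetworkExtension

/// Added example (not DNSecure's code): encrypted-DNS settings via
/// NEDNSSettingsManager. The IPs in `servers` and the `serverName` (DoT)
/// or `serverURL` (DoH) must belong to the same resolver, because iOS
/// validates the TLS certificate of each listed IP against that name.
enum EncryptedDNSExample {

    /// DoT: Cloudflare's 1.1.1.1 / 1.0.0.1 present a certificate for cloudflare-dns.com.
    static func cloudflareDoT() -> NEDNSOverTLSSettings {
        let settings = NEDNSOverTLSSettings(servers: ["1.1.1.1", "1.0.0.1"])
        settings.serverName = "cloudflare-dns.com"
        return settings
    }

    /// DoH: the endpoint is a URL; the IPs let the system reach it without
    /// first resolving the hostname over the existing DNS.
    static func cloudflareDoH() -> NEDNSOverHTTPSSettings {
        let settings = NEDNSOverHTTPSSettings(servers: ["1.1.1.1", "1.0.0.1"])
        settings.serverURL = URL(string: "https://cloudflare-dns.com/dns-query")
        return settings
    }

    /// Self-hosted DoT. `host` and `ip` are placeholders (assumption): the IP must be
    /// the AdGuard host itself, and its certificate must be valid for `host`
    /// as seen by iOS (a self-signed cert must be trusted on the device).
    static func selfHostedDoT(host: String = "dns.example.com",
                              ip: String = "203.0.113.53") -> NEDNSOverTLSSettings {
        let settings = NEDNSOverTLSSettings(servers: [ip])
        settings.serverName = host
        return settings
    }

    /// The configuration from the issue: self-hosted server name plus 1.1.1.1
    /// in the same list. 1.1.1.1's certificate is for cloudflare-dns.com,
    /// not dns.example.com, so validation fails for that address. There is
    /// no per-server "plain DNS fallback" setting to express what was intended.
    static func mismatchedDoT() -> NEDNSOverTLSSettings {
        let settings = NEDNSOverTLSSettings(servers: ["203.0.113.53", "1.1.1.1"])
        settings.serverName = "dns.example.com" // does not match 1.1.1.1's certificate
        return settings
    }

    /// Install one of the settings objects system-wide. Requires the
    /// Network Extension entitlement with the DNS settings capability, and the
    /// user must enable the configuration under Settings > General > VPN & Device Management.
    static func apply(_ dns: NEDNSSettings, completion: @escaping (Error?) -> Void) {
        let manager = NEDNSSettingsManager.shared()
        manager.loadFromPreferences { loadError in
            if let loadError = loadError {
                completion(loadError)
                return
            }
            manager.dnsSettings = dns
            manager.localizedDescription = "Example encrypted DNS"
            manager.saveToPreferences { saveError in
                completion(saveError)
            }
        }
    }
}

// Usage: EncryptedDNSExample.apply(EncryptedDNSExample.cloudflareDoT()) { error in
//     // handle error (nil means the configuration was saved)
// }
```

If you want to check a candidate pairing before installing it, open a TLS connection to each IP on port 853 with SNI set to the intended `serverName` (for example `openssl s_client -connect 1.1.1.1:853 -servername dns.example.com`) and confirm the returned certificate's SAN list contains that name; if it does not, iOS will reject that server rather than fall back to it.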