radioactiveAHM / DnsSafeguard

DnsSafeguard is dedicated to providing a secure DNS client solution, ensuring your DNS queries remain private and uncensored.
Apache License 2.0
23 stars 0 forks

DoH server: received fatal alert: CertificateUnknown #8

Open brian6932 opened 23 hours ago

brian6932 commented 23 hours ago

I'm not really sure what I did wrong

❯ openssl ecparam -genkey -name prime256v1 -out key.pem

❯ openssl req -new -x509 -days 36500 -key key.pem -out cert.pem -config san.cnf

❯ certutil -addstore -enterprise -f CA cert.pem
CA "Intermediate Certification Authorities"
Signature matches Public Key
Certificate "WR2" added to store.
CertUtil: -addstore command completed successfully.

❯ DnsSafeguard
DNS cache cleared
DoH server Listening on 127.0.0.1:443
QUIC Connecting
QUIC Connecting
QUIC Connection Established
QUIC Connection Established
DoH server: received fatal alert: CertificateUnknown

Raw access seems to work though

❯ DnsSafeguard
DNS cache cleared
DoH server Listening on 127.0.0.1:443
QUIC Connecting
QUIC Connecting
QUIC Connection Established
QUIC Connection Established
DoH server: tls handshake eof
DoH server: received fatal alert: UnknownCA
QUIC Connecting
connection is closed
QUIC 0RTT Connection Established
DoH server: peer is incompatible: SupportedVersionsExtensionRequired
❯ Test-NetConnection 127.0.0.1 -Port 443

ComputerName     : 127.0.0.1
RemoteAddress    : 127.0.0.1
RemotePort       : 443
InterfaceAlias   : Loopback Pseudo-Interface 1
SourceAddress    : 127.0.0.1
TcpTestSucceeded : True

❯ curl -sSL https://127.0.0.1/dns-query
curl: (60) SSL peer certificate or SSH remote key was not OK
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

❯ Invoke-WebRequest https://127.0.0.1/dns-query
Invoke-WebRequest: Authentication failed because the remote party sent a TLS alert: 'ProtocolVersion'.

Accessing https://127.0.0.1/dns-query in Firefox (security.enterprise_roots.enabled is set to true) results in:

config.json

```json
{
  "protocol": "h3",
  "server_name": "doh3.dns.nextdns.io",
  "custom_http_path": "/redacted",
  "socket_addrs": "45.90.28.0:443",
  "udp_socket_addrs": "127.0.0.1:53",
  "disable_domain_sni": true,
  "fragmenting": { "enable": false, "method": "single" },
  "noise": {
    "enable": false,
    "ntype": "rand",
    "content": "google.com",
    "packet_length": 1,
    "packets": 1,
    "sleep": 1000,
    "continues": false
  },
  "ipv6": {
    "enable": true,
    "protocol": "h3",
    "server_name": "doh3.dns.nextdns.io",
    "custom_http_path": "/redacted",
    "socket_addrs": "[2a07:a8c0::]:443",
    "udp_socket_addrs": "[::1]:53",
    "disable_domain_sni": true,
    "fragmenting": { "enable": false, "method": "single" },
    "noise": {
      "enable": false,
      "ntype": "rand",
      "content": "google.com",
      "packet_length": 1,
      "packets": 3,
      "sleep": 500,
      "continues": false
    }
  },
  "quic": {
    "congestion_controller": "bbr",
    "keep_alive_interval": 5,
    "datagram_receive_buffer_size": 16777216,
    "datagram_send_buffer_size": 8388608,
    "connecting_timeout_sec": 2
  },
  "connection": {
    "h1_multi_connections": 3,
    "dot_nonblocking_dns_query_lifetime": 5,
    "reconnect_sleep": 1,
    "max_reconnect": 5,
    "max_reconnect_sleep": 30
  },
  "doh_server": {
    "enable": true,
    "listen_address": "127.0.0.1:443",
    "certificate": "cert.pem",
    "key": "key.pem",
    "log_errors": true
  },
  "rules": []
}
```

radioactiveAHM commented 20 hours ago

You have to install the certificate on the system so the system can trust it. To install a certificate so that Windows 11 can trust it, follow these steps:

  1. Rename the Certificate File:
    • Rename cert.pem to cert.crt. The icon of cert.crt should change.
  2. Install the Certificate:
    • Right-click on cert.crt and select Install Certificate.
    • In the Store Location section, select Local Machine and click Next.
    • Choose Place all certificates in the following store, then click Browse.
    • Select Trusted Root Certification Authorities and click OK.
    • Click Next and complete the wizard.
  3. Verify in Firefox: Try accessing the desired site in Firefox. If it doesn’t work, repeat the installation process but select Third-Party Root Certification Authorities instead of Trusted Root Certification Authorities.
  4. Update DnsSafeguard Configuration: Don’t forget to rename cert.pem to cert.crt in the DnsSafeguard configuration file.

brian6932 commented 19 hours ago

Yea I've tried the Trusted Root Certification Authorities, Intermediate Certificate Authorities, & Third-Party Root Certification Authorities stores, but none of them seems to work. Test-NetConnection seems to be the only thing that actually does the TLS exchange, but no request clients are working. Chromium doesn't work either.

radioactiveAHM commented 18 hours ago

Try this link https://127.0.0.1/?dns=PhcBAAABAAAAAAAABnZvcnRleARkYXRhCW1pY3Jvc29mdANjb20AAAEAAQ. The browser should save DNS query response as a 59Kb file.

radioactiveAHM commented 18 hours ago

You should use https://127.0.0.1/dns-query{?dns} for browsers and don't miss {?dns} part.

Edit: The {?dns} part indicates that the browser should encode the DNS query to base64url format as an HTTP URL query.
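
The following is an added example, mine rather than DnsSafeguard's code or either poster's, of what the `{?dns}` template asks a client to do: build a wire-format DNS message, base64url-encode it with the padding stripped (as RFC 8484 specifies for the GET form), and substitute it into the URI template. The function names (`build_query`, `encode_dns_param`, `expand_template`, `parse_question`) are my own; the `dns=` value it decodes is the one posted in the comment above, and `DOH_TEMPLATE` is the template from the same comment.

```python
import base64
import random
import struct
from typing import Optional, Tuple

# Template as given in the thread (RFC 6570 form; RFC 8484 uses exactly this shape).
DOH_TEMPLATE = "https://127.0.0.1/dns-query{?dns}"

# The dns= value posted in the thread (decoded below, not generated here).
THREAD_PARAM = "PhcBAAABAAAAAAAABnZvcnRleARkYXRhCW1pY3Jvc29mdANjb20AAAEAAQ"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one question (class IN)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # id, flags (RD=1, everything else 0), qdcount=1, an/ns/arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)


def encode_dns_param(msg: bytes) -> str:
    """base64url without '=' padding, so nothing needs percent-encoding in the URL."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def decode_dns_param(param: str) -> bytes:
    """Restore the padding a conforming client stripped, then decode."""
    return base64.urlsafe_b64decode(param + "=" * ((-len(param)) % 4))


def expand_template(template: str, msg: bytes) -> str:
    """Expand the {?dns} template; only that one variable is handled here."""
    suffix = "{?dns}"
    if not template.endswith(suffix):
        raise ValueError("template must end with {?dns}")
    return template[: -len(suffix)] + "?dns=" + encode_dns_param(msg)


def parse_question(msg: bytes) -> Tuple[str, int, int]:
    """Return (qname, qtype, qclass) of the first question, rejecting truncation."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        if pos + n > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos : pos + n].decode("ascii"))
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos : pos + 4])
    return ".".join(labels), qtype, qclass


if __name__ == "__main__":
    # What the thread's link actually carries, and a fresh GET URL for google.com.
    print(parse_question(decode_dns_param(THREAD_PARAM)))
    print(expand_template(DOH_TEMPLATE, build_query("google.com", 1, txid=0x1234)))
```

Run stand-alone it shows that the posted link is an A query for vortex.data.microsoft.com and prints a GET URL built the same way. The unpadded encoding is the part browsers and tools get right silently: a trailing `=` in a URL query would otherwise have to be percent-encoded, and a server that does not restore the padding before decoding rejects valid queries.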

brian6932 commented 16 hours ago

> Try this link https://127.0.0.1/?dns=PhcBAAABAAAAAAAABnZvcnRleARkYXRhCW1pY3Jvc29mdANjb20AAAEAAQ. The browser should save DNS query response as a 59Kb file.

Yes, this works.

> You should use https://127.0.0.1/dns-query{?dns} for browsers and don't miss {?dns} part.

This doesn't seem to. Setting network.trr.custom_uri & network.trr.uri to https://127.0.0.1/dns-query with or without the trailing dns-query & {?dns} doesn't. Nor does ECH work without the TRR resolver (setting network.trr.mode to 0 or 5), regardless of whether network.dns.native_https_query_win10 is true, or not. Realistically TRR shouldn't need to be enabled (ff 129+).

Using q doesn't seem to work either, but its error might be more useful.

❯ q google.com '@https://127.0.0.1/'
time="2024-12-03T23:40:53-05:00" level=fatal msg="requesting https://127.0.0.1:443/?dns=zH8BAAABAAAAAAAABmdvb2dsZQNjb20AAA8AAQ: Get \"https://127.0.0.1:443/?dns=zH8BAAABAAAAAAAABmdvb2dsZQNjb20AAA8AAQ\": net/http: HTTP/1.x transport connection broken: malformed HTTP response \"\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\""

❯ q google.com '@https://127.0.0.1/dns-query'
time="2024-12-03T23:40:57-05:00" level=fatal msg="requesting https://127.0.0.1:443/dns-query?dns=NwUBAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ: Get \"https://127.0.0.1:443/dns-query?dns=NwUBAAABAAAAAAAABmdvb2dsZQNjb20AAAEAAQ\": net/http: HTTP/1.x transport connection broken: malformed HTTP response \"\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\""

❯ q google.com '@https://127.0.0.1/' --http2
time="2024-12-03T23:41:00-05:00" level=fatal msg="unpacking DNS response from https://127.0.0.1:443/?dns=ZmcBAAABAAAAAAAABmdvb2dsZQNjb20AABAAAQ: dns: overflowing header size"

❯ q google.com '@https://127.0.0.1/dns-query' --http2
time="2024-12-03T23:41:05-05:00" level=fatal msg="unpacking DNS response from https://127.0.0.1:443/dns-query?dns=nBABAAABAAAAAAAABmdvb2dsZQNjb20AABAAAQ: dns: buffer size too small"
radioactiveAHM commented 15 hours ago

It seems the issue is related to the HTTP version. Currently, the local DoH server supports only HTTP/2 (H2), while your client is using HTTP/1.1. I’m working on adding support for HTTP/1.1.

The good news is that the link I provided is working, indicating that the local H2 server is functioning correctly and the certificate is trusted. Please wait 1-3 days for me to implement HTTP/1.1 support for the local DoH server.

The bug you’re encountering is actually a client-side issue with your browser. Your browser is sending an H2 ALPN but then using HTTP/1.1.
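
An added example, mine and not code from DnsSafeguard or from either participant, showing how to confirm the HTTP-version mismatch described above from the bytes q quoted: the nine bytes in its "malformed HTTP response" are exactly an HTTP/2 frame header for an empty SETTINGS frame on stream 0, which is the first thing an h2 server sends after the connection preface. The names `parse_frame_header`, `diagnose` and `Q_MALFORMED_RESPONSE` are mine; the byte string is constructed from q's error output.

```python
import struct
from typing import NamedTuple

# HTTP/2 frame header (RFC 9113 section 4.1): 24-bit length, 8-bit type,
# 8-bit flags, then one reserved bit and a 31-bit stream identifier.
FRAME_TYPES = {
    0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
    0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
    0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION",
}
SETTINGS_ACK = 0x1  # flag bit meaning "this SETTINGS is an acknowledgement"

# Constructed from the bytes q printed in the thread.
Q_MALFORMED_RESPONSE = b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"


class FrameHeader(NamedTuple):
    length: int
    type_name: str
    flags: int
    stream_id: int


def parse_frame_header(data: bytes) -> FrameHeader:
    """Decode the first nine bytes of a stream as an HTTP/2 frame header."""
    if len(data) < 9:
        raise ValueError("need at least 9 bytes for an HTTP/2 frame header")
    length = int.from_bytes(data[0:3], "big")
    ftype, flags = data[3], data[4]
    stream_id = struct.unpack("!I", data[5:9])[0] & 0x7FFFFFFF  # drop reserved bit
    return FrameHeader(length, FRAME_TYPES.get(ftype, f"UNKNOWN({ftype:#x})"), flags, stream_id)


def looks_like_h2_server_preface(data: bytes) -> bool:
    """A server's first h2 frame must be a non-ACK SETTINGS frame on stream 0."""
    try:
        hdr = parse_frame_header(data)
    except ValueError:
        return False
    return hdr.type_name == "SETTINGS" and hdr.stream_id == 0 and not (hdr.flags & SETTINGS_ACK)


def looks_like_http1_response(data: bytes) -> bool:
    """An HTTP/1.x status line starts with the protocol version in ASCII."""
    return data.startswith(b"HTTP/1.")


def diagnose(first_bytes: bytes) -> str:
    """Classify the first bytes a client read back after sending an HTTP/1.1 request."""
    if looks_like_http1_response(first_bytes):
        return "HTTP/1.x response"
    if looks_like_h2_server_preface(first_bytes):
        return "HTTP/2 server preface (SETTINGS on stream 0): server is h2-only, client spoke HTTP/1.1"
    return "unrecognised"


if __name__ == "__main__":
    print(parse_frame_header(Q_MALFORMED_RESPONSE))
    print(diagnose(Q_MALFORMED_RESPONSE))
```

The check is useful on both sides: a client that negotiated h2 via ALPN but then wrote an HTTP/1.1 request will read back exactly this preface, and a server log that records the first bytes of a failed exchange can tell an h2 client from an HTTP/1.1 one the same way.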

radioactiveAHM commented 15 hours ago

Also I have to implement the POST method for the DoH server. I'll notify you for testing.