Closed daemonserj closed 3 months ago
Up, I can confirm it has been like this for 3 days.
@zoonderkins Sorry for the ping, I'm pinging you because this issue is urgent.
@zoonderkins
Hi @LucioAmely
Problem has been solved, please try again. Sorry for the delay, I've been busy these few months.
Switzerland Server is still not working. It's giving the following error on DnsCrypt:
Incorrect signature for provider name: [2.dnscrypt-cert.blahdns.com.]
Also not working through DoT as well.
Hi @LucioAmely
From what I tested on my machine, Swiss server DoT, DNSCrypt both working normally.
Here is the DNSCrypt lookup
dnslookup example.org sdns://AQMAAAAAAAAAETQ1LjkxLjkyLjEyMTo4NDQzIIhCiTxjWpKpvR2RBDSGoByOMQTzH8DQVVHmdgxroO45GzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ
dnslookup 1.10.0
Server: sdns://AQMAAAAAAAAAETQ1LjkxLjkyLjEyMTo4NDQzIIhCiTxjWpKpvR2RBDSGoByOMQTzH8DQVVHmdgxroO45GzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ
dnslookup result (elapsed 615.782458ms):
;; opcode: QUERY, status: NOERROR, id: 18129
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version 0; flags:; udp: 5632
;; QUESTION SECTION:
;example.org. IN A
;; ANSWER SECTION:
example.org. 47361 IN A 93.184.216.34
Here is the DoT lookup
kdig example.org @dot-ch.blahdns.com +tls +tls-hostname=dot-ch.blahdns.com
;; TLS session (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4131
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; example.org. IN A
;; ANSWER SECTION:
example.org. 47248 IN A 93.184.216.34
;; Received 56 B
;; Time 2024-01-23 02:00:46 CST
;; From 45.91.92.121@853(TLS) in 896.0 ms
Issue looks similar to the following one. I am not sure if anybody else is having the connectivity problem as well. I've been using your DNS service for years without any problems and I'm grateful to you for that.
https://github.com/DNSCrypt/dnscrypt-resolvers/issues/62
Also I am using the following SPKI fingerprint for the CH DoT and connecting using the port 443 instead of 853. Maybe something about the SPKI fingerprint or strict SNI configuration got changed during the time servers have had problems or certificates got expired as mentioned on the issue in the link above?
CH DoT SPKI Fingerprint:
cxti1XR6uW483xAioP3d1ZaoGSy+obY6WaE4fW1A6Nk=
Also connecting to different networks/using mobile data does not help either. Checked if it's some kind of new ISP restriction or not; it doesn't seem so.
I've checked dot-ch with dnslookup and getdns_query on various hosts. Now it looks fine.
It's sadly still the same for me. @zoonderkins can you please tell us what the problem was in the servers and what actions were taken to solve them; maybe I can figure out what got changed and find the cause of my connectivity problems.
I think that's it, the rest still the same ~
Calculated the SPKI fingerprint of the CH server again, it's the same as before. Today somehow DoT started to work again by itself.
About DnsCrypt, what could be the problem?
CH server gives this exact error both on PC and phone even with different network connections.
Incorrect signature for provider name: [2.dnscrypt-cert.blahdns.com.]
JP and SG servers are still giving TIMEOUT errors.
Update: I used dnslookup like you did for the DnsCrypt connection; it gave me a certificate signature mismatch error as well.
Please try with this dnscrypt
Provider public key: 8842893c635a92a9bd1d91043486a01c8e3104f31fc0d05551e6760c6ba0ee39
DNS Stamp: sdns://AQMAAAAAAAAAETQ1LjkxLjkyLjEyMTo4NDQzIIhCiTxjWpKpvR2RBDSGoByOMQTzH8DQVVHmdgxroO45GzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ
DNS Stamp: sdns://AQMAAAAAAAAAF1syYTBlOmRjMDo2OjIzOjoyXTo4NDQzIIhCiTxjWpKpvR2RBDSGoByOMQTzH8DQVVHmdgxroO45GzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ
Provider public key: 8842893c635a92a9bd1d91043486a01c8e3104f31fc0d05551e6760c6ba0ee39
Provider name: 2.dnscrypt-cert.blahdns.com
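An added example, not code from the thread or from blahdns: a small Python decoder for the two DNSCrypt stamps posted above. It unpacks the stamp layout (protocol byte 0x01, properties, address, provider public key, provider name) and checks that the key and name embedded in a stamp match the published ones, which is the mismatch this thread attributes to the "Incorrect signature for provider name" error.

```python
import base64
import struct

# Stamps and key quoted from the reply above (DNSCrypt, protocol byte 0x01).
STAMP_V4 = "sdns://AQMAAAAAAAAAETQ1LjkxLjkyLjEyMTo4NDQzIIhCiTxjWpKpvR2RBDSGoByOMQTzH8DQVVHmdgxroO45GzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ"
STAMP_V6 = "sdns://AQMAAAAAAAAAF1syYTBlOmRjMDo2OjIzOjoyXTo4NDQzIIhCiTxjWpKpvR2RBDSGoByOMQTzH8DQVVHmdgxroO45GzIuZG5zY3J5cHQtY2VydC5ibGFoZG5zLmNvbQ"
PUBLISHED_PK = "8842893c635a92a9bd1d91043486a01c8e3104f31fc0d05551e6760c6ba0ee39"
PUBLISHED_NAME = "2.dnscrypt-cert.blahdns.com"


def _read_lp(buf, pos):
    """Read one field with a 1-byte length prefix starting at pos."""
    if pos >= len(buf):
        raise ValueError("truncated stamp")
    end = pos + 1 + buf[pos]
    if end > len(buf):
        raise ValueError("length prefix runs past end of stamp")
    return buf[pos + 1:end], end


def parse_dnscrypt_stamp(stamp):
    """Decode: 0x01, props (u64 LE), LP(addr), LP(provider pk), LP(provider name)."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    # Stamps use unpadded base64url; restore the padding before decoding.
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if not raw or raw[0] != 0x01:
        raise ValueError("not a DNSCrypt (0x01) stamp")
    props = struct.unpack_from("<Q", raw, 1)[0]
    addr, pos = _read_lp(raw, 9)
    pk, pos = _read_lp(raw, pos)
    name, pos = _read_lp(raw, pos)
    if pos != len(raw):
        raise ValueError("trailing bytes after provider name")
    if len(pk) != 32:
        raise ValueError("provider public key must be 32 bytes (Ed25519)")
    return {
        "dnssec": bool(props & 1), "nolog": bool(props & 2), "nofilter": bool(props & 4),
        "addr": addr.decode(), "provider_pk_hex": pk.hex(), "provider_name": name.decode(),
    }


def stamp_matches_provider(stamp, expected_pk_hex, expected_name):
    """True when the key and name inside the stamp equal the published ones."""
    s = parse_dnscrypt_stamp(stamp)
    same_name = s["provider_name"].rstrip(".").lower() == expected_name.rstrip(".").lower()
    return s["provider_pk_hex"] == expected_pk_hex.lower() and same_name


if __name__ == "__main__":
    for st in (STAMP_V4, STAMP_V6):
        info = parse_dnscrypt_stamp(st)
        print(info["addr"], info["provider_name"], stamp_matches_provider(st, PUBLISHED_PK, PUBLISHED_NAME))
```

If a stamp saved in a client config decodes to a different key than the one the operator currently publishes, the client will reject the provider certificate even though the server is up.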
IPv4 one works perfectly, could not test IPv6 since all IPv6 connections are blocked in my network. Thank you for solving this issue.
I think when you renewed the certificate the provider public key got changed. That's why the old DnsCrypt stamp got invalidated.
CH DoT stopped responding around 30 minutes ago. It's still reachable and pingable but not responding to requests.
Sorry for the late reply. Can you connect through port 853 instead of 443? I plan to migrate to standard DoT in the future.
dot-jp and dot-sg are not working at all. dot-de and dot-ch work as Private DNS on Android but do not respond, or respond SERVFAIL, through stubby.