Prerequisites
I have checked the Wiki and Discussions and found no answer
I have searched other issues and found no duplicates
I want to report a bug and not ask a question or ask for help
I have set up AdGuard Home correctly and configured clients to use it. (Use the Discussions for help with installing and configuring clients.)
Platform (OS and CPU architecture)
FreeBSD, AMD64 (aka x86_64)
Installation
GitHub releases or script from README
Setup
Other (please mention in the description)
AdGuard Home version
107.55
Action
Every so often we'll get an invalid SSL cert for a domain name that we know is good. An immediate reload fixes the problem.
Mostly it happens with domains related to AWS root certificates. I have always related it to something with ChromeOS/Browser and Google Workspace. As AWS Root Cert is in Windows and ChromeOS Base..
Today while using ZenBrowser on a Windows PC and very low traffic I experienced the same and found that AGH gave me dns entries from Quad9 which I cannot get from Quad9 again, or via a dns looking glass, which do not belong to the zone reached via recursion.
Note that all the IPs are different from the looking glass (which was done for the purpose of this issue..)
http://www.dns-lg.com/us01/store.ui.com/a
This is from a cli program called q (github.com/natesales/q)
As quickly as I could open a term and type.. (less than two minutes of the initial problem)
As you can see 34.213.96.150 and 44.241.198.88 and 54.187.135.47 were never returned as valid records.
(none of those do not answer https) BUT
52.36.140.184 Is the *.clarifyhealth.us, clarifyhealth.us host.. (not store.ui.com)
Using this dnsstamp for the doh entry: (from dnscrypt-proxy2 v3 list..)
sdns://AgIAAAAAAAAABzkuOS45LjkgsBkgdEu7dsmrBT4B4Ht-BQ5HPSD3n3vqQ1-v5DydJC8TZG5zOS5xdWFkOS5uZXQ6NTA1MwovZG5zLXF1ZXJ5
My AGH host is FreeBSD on baremetal
My AGH Bootstrap is also a dnsstamp for dnscrypt:
sdns://AQMAAAAAAAAAFDE0OS4xMTIuMTEyLjExMjo4NDQzIGfIR7jIdYzRICRVQ751Z0bfNN8dhMALjEcDaN-CHYY-GTIuZG5zY3J5cHQtY2VydC5xdWFkOS5uZXQ
Bootstrap has DNSSEC, doh dnsstamp does not.. (I cannot think that someone mitm my one dns request for store.ui.com - just to put that out there..)
https://osint.sh/crt/ shows many certs for the domain..
but
https://osint.sh/dns/ shows nothing for the domain.. just NS records..
asking those NS's also yields no records..
(very strange)
Everything related to dns/doh/'https only mode'/etc was already disabled in Zen..
Expected result
The A records which appear to be in the zone file as visible from other recursive clients.
Actual result
Not the vendor supplied A records
Additional information and/or screenshots
FreeBSD
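The two `sdns://` stamps quoted in the report can be decoded offline to see what each upstream declares (protocol, address, DNSSEC / no-logs / no-filter property bits). The decoder below is an added example, not part of the original issue and not AdGuard Home code; the function and constant names are made up for illustration, and it handles only the DNSCrypt (0x01) and DoH (0x02) stamp layouts.

```python
import base64

PROTOCOLS = {0x01: "DNSCrypt", 0x02: "DoH"}
# Property bits of the 64-bit little-endian "props" field in a DNS stamp.
PROPS = {0x01: "dnssec", 0x02: "no_logs", 0x04: "no_filter"}

def _lp(buf, pos):
    """Read one length-prefixed field; return (bytes, next_pos)."""
    end = pos + 1 + buf[pos]
    if end > len(buf):
        raise ValueError("truncated stamp")
    return buf[pos + 1:end], end

def _vlp(buf, pos):
    """Read a field list; a set high bit in a length byte means more follow."""
    items = []
    while True:
        more, size = buf[pos] & 0x80, buf[pos] & 0x7F
        if pos + 1 + size > len(buf):
            raise ValueError("truncated stamp")
        items.append(buf[pos + 1:pos + 1 + size])
        pos += 1 + size
        if not more:
            return items, pos

def decode_stamp(stamp):
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    body = stamp[len("sdns://"):]
    buf = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    if len(buf) < 10:
        raise ValueError("truncated stamp")
    proto, props = buf[0], int.from_bytes(buf[1:9], "little")
    out = {"protocol": PROTOCOLS.get(proto, hex(proto))}
    out.update({name: bool(props & bit) for bit, name in PROPS.items()})
    addr, pos = _lp(buf, 9)
    out["addr"] = addr.decode()
    if proto == 0x01:    # DNSCrypt: provider public key, provider name
        pk, pos = _lp(buf, pos)
        name, pos = _lp(buf, pos)
        out.update(provider_pk=pk.hex(), provider_name=name.decode())
    elif proto == 0x02:  # DoH: certificate hashes, hostname, path
        hashes, pos = _vlp(buf, pos)
        host, pos = _lp(buf, pos)
        path, pos = _lp(buf, pos)
        out.update(cert_hashes=[h.hex() for h in hashes],
                   hostname=host.decode(), path=path.decode())
    return out

# The two stamps exactly as quoted in the report above.
DOH_STAMP = "sdns://AgIAAAAAAAAABzkuOS45LjkgsBkgdEu7dsmrBT4B4Ht-BQ5HPSD3n3vqQ1-v5DydJC8TZG5zOS5xdWFkOS5uZXQ6NTA1MwovZG5zLXF1ZXJ5"
BOOTSTRAP_STAMP = "sdns://AQMAAAAAAAAAFDE0OS4xMTIuMTEyLjExMjo4NDQzIGfIR7jIdYzRICRVQ751Z0bfNN8dhMALjEcDaN-CHYY-GTIuZG5zY3J5cHQtY2VydC5xdWFkOS5uZXQ"
```

Calling `decode_stamp()` on each constant returns a dict; the `dnssec` flag only reflects what the stamp advertises about the server, not whether a given answer was validated.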