Hi Michael, tried that now with this one --> https://people.ipfire.org/~ummeegge/screenshoots/dns-over-tls_wui.png
... the HTML formatting kills me :D ...
and it looks now good:
$ kdig -d @81.3.27.54 +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-host=rec1.dns.lightningwirelabs.com google.com
;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
;; DEBUG: TLS, imported 129 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
;; DEBUG:      SHA-256 PIN: pOvVkJSj6rWNPM0vR3hoJr/21kZI6TfImhowIEdcEUQ=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 1349
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; google.com.              IN      A

;; ANSWER SECTION:
google.com.             151     IN      A       216.58.208.46

;; Received 55 B
;; Time 2018-12-11 20:30:29 CET
;; From 81.3.27.54@853(TCP) in 25.2 ms
Great, will update my dot.conf.
As a beneath one, try it currently with a separate CGI to have a better overview. Patched now, as you suggested, the 'write_forward_conf()' function; needed nevertheless to disable the update_forwarder() function in the initscript if forward.conf should be used ... (there is more)
Come back if things are cleaned/cleared up a little more but also better tested.
Best,
Erik
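To show what the kdig run above corresponds to on the wire, here is an added Python example (mine, not code from the thread or from IPFire/Lightning Wire Labs): it builds the TCP-framed DoT query, parses the 55-byte answer from the run (reconstructed inline as constructed sample data), and in query_dot performs the live TLS exchange with the same CA and host-name verification that +tls-ca / +tls-host give kdig. Server IP, port 853 and the host name rec1.dns.lightningwirelabs.com are taken from the thread; the transaction id 1349 is the one kdig printed.

```python
import socket
import ssl
import struct

def build_query(name, txid=1349):
    # DoT carries plain TCP-framed DNS: 2-byte length, header, question, EDNS0 OPT record.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)      # flags rd; qd=1, ar=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)           # OPT pseudo-RR, UDP size 4096
    msg = header + qname + struct.pack("!HH", 1, 1) + opt          # qtype A, qclass IN
    return struct.pack("!H", len(msg)) + msg

def skip_name(msg, off):
    # Advance past a domain name; a 0xC0 compression pointer ends it in two bytes.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_a_answer(frame):
    # Return (rcode, ttl, ipv4) for the first A record of a TCP-framed response.
    msg = frame[2:2 + struct.unpack("!H", frame[:2])[0]]
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                               # skip qtype and qclass
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            return flags & 0xF, ttl, socket.inet_ntoa(msg[off:off + 4])
        off += rdlen
    return flags & 0xF, None, None

def query_dot(name, server="81.3.27.54", tls_host="rec1.dns.lightningwirelabs.com", cafile=None):
    # Live lookup (needs network). The default context verifies the chain against cafile
    # (system CAs when None) and checks the certificate against tls_host, also sent as SNI.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server, 853), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=tls_host) as tls:
        tls.sendall(build_query(name))
        buf = tls.recv(2)
        while len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
            buf += tls.recv(4096)
        return parse_a_answer(buf)

# Constructed 55-byte reply matching the thread's answer: google.com. 151 IN A 216.58.208.46
SAMPLE_RESPONSE = (struct.pack("!HHHHHHH", 55, 1349, 0x8180, 1, 1, 0, 1)
                   + b"\x06google\x03com\x00" + struct.pack("!HH", 1, 1) + b"\xc0\x0c"
                   + struct.pack("!HHIH", 1, 1, 151, 4) + socket.inet_aton("216.58.208.46")
                   + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0))
```

Calling parse_a_answer(SAMPLE_RESPONSE) returns (0, 151, '216.58.208.46'); a wrong tls_host in query_dot fails in wrap_socket with a hostname mismatch, which is the failure the thread's earlier ns1 host name would have produced.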
On Tuesday, 11.12.2018, 19:22 +0000, Michael Tremer wrote:
Hey,
Could you try that again? I removed the OCSP must-staple flag from the certificate.
-Michael
On 10 Dec 2018, at 14:37, ummeegge ummeegge@ipfire.org wrote:
Great that you looked over it; I have tested it again and the kdig report differs, which now looks like this:
;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
;; DEBUG:      SHA-256 PIN: ZayzRhKLRWLL7v9QC0uEJEMomE572oNUuF4ocAxDQ7E=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The certificate requires the server to include an OCSP status in its response, but the OCSP status is missing.
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; WARNING: failed to query server 81.3.27.54@853(TCP)
Exit status: 0
Maybe this is helpful for you.
Best,
Erik
On Monday, 10.12.2018, 13:26 +0000, Michael Tremer wrote:
Hey,
Thanks for reporting.
On 10 Dec 2018, at 12:32, ummeegge ummeegge@ipfire.org wrote:
A question, what happens with DoT on Lightningwirelabs -->
https://www.lightningwirelabs.com/2018/05/03/dns-over-tls-now-available-on-o...
? I get there an
$ kdig -d @81.3.27.54 +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-host="ns1.lightningwirelabs.com" google.com;
;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; WARNING: can't connect to 81.3.27.54@853(TCP)
;; WARNING: failed to query server 81.3.27.54@853(TCP)
I recently made a change which caused unbound to no longer listen on the TLS port.
I fixed that now.
The correct host name for that server is rec1.dns.lightningwirelabs.com.
-Michael
Best,
Erik