Infrastructure Series -- Recursive DNS and Adblocking DNS over TLS w/NGINX

I was just following this, for DoT on Linux.

Very old unbound configuration of mine… back when I ran dual servers to obfuscate. I don't do that anymore.

Anyway, your problem isn't the DoT resolver… it's whatever comes after TLS termination.

So what's happening here is I send out a DoT request… it hits your server… handshake completes… cert is fine… It queries from there to the DNS server; however, right here is where it fails and gives no answer.


Contrasting with mine:

I'd say start your debug process here and above, @Argone.

I'm off for some exercise.


BTW, if that's your forward zone, you are using my Pi-hole, so I wouldn't do that.

Yours should be `IPs@port#TLD`.

Okay.

Also, CHECK your intermediate cert… LE's stuff often breaks DoT because it has an unsigned loop chain for its intermediate… because they had this huge debacle over it. I'm not sure if they fixed it, but I bought a cert from Namecheap and never looked back.


If you can, sign up for their program and move to X2-E1. X3-R3 broke af for sockets like DoT when I was running LE before.

Disclaimer: I have no idea if this is still the case


Go to one of his self-hosted sites and see the chain of certificates.

Yeah, let me do that.

@Argone, can you give me a page you self-host, in DMs? I know you don't want to expose your page.

It is gonna be a minute. I am restoring from a backup for Linode. Somehow GRUB got fucked.


Yeah, I found that out before you said it.


I'm gonna go exercise then.

You can check your certificate chain and see if you're in that shitty chain. If you are, no real choice but to buy a cert. I've loved buying mine. @Novasty knows some providers.
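The chain check the two posts above are talking about (the intermediate cert in the earlier post, and "see if you're in that chain" here) comes down to one question: does the leaf your DoT endpoint presents verify against the trust store the client actually has, with whatever intermediates the server sends? The script below is an added example and not code from this thread or from either poster. It builds a throwaway root, intermediate and leaf with openssl (the names `Example Root`, `Example Intermediate`, `Other Root` and `dot.example.test` are made up), then runs the same verification a client does, first with the full chain, then with the intermediate missing, then against a trust store that does not contain the root. `show_chain` is the live version of the check against a real server on port 853; it needs network and is defined but not run here.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway root -> intermediate -> leaf
# chain and checks how a client verifies the leaf under three trust-store situations.
# All names below are made up for the demonstration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_pki: create two self-signed roots, an intermediate under the first root,
# and a server leaf under the intermediate, all in $WORK.
make_pki() {
    # Root that the "good" client trust store will contain
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" \
        -subj "/CN=Example Root" >/dev/null 2>&1
    # Unrelated root, standing in for an old device whose store lacks our root
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/other-root.key" -out "$WORK/other-root.pem" \
        -subj "/CN=Other Root" >/dev/null 2>&1

    # Intermediate signed by the root, CA:TRUE so it may issue leaves
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" \
        -subj "/CN=Example Intermediate" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/int.ext"
    openssl x509 -req -days 1825 -in "$WORK/int.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/int.ext" -out "$WORK/int.pem" >/dev/null 2>&1

    # Leaf for the DoT endpoint, signed by the intermediate, not by the root
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=dot.example.test" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:dot.example.test\nextendedKeyUsage=serverAuth\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -days 90 -in "$WORK/leaf.csr" \
        -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_chain TRUST_STORE LEAF [INTERMEDIATES]
# Prints "ok" when LEAF chains up to a root in TRUST_STORE, "fail" otherwise.
# The system trust store is disabled so only TRUST_STORE counts, which is the
# position a client without your root (old browser, phone stub resolver) is in.
verify_chain() {
    store=$1; leaf=$2; untrusted=${3:-}
    if [ -n "$untrusted" ]; then
        openssl verify -no-CAfile -no-CApath -CAfile "$store" \
            -untrusted "$untrusted" "$leaf" >/dev/null 2>&1 && echo ok || echo fail
    else
        openssl verify -no-CAfile -no-CApath -CAfile "$store" \
            "$leaf" >/dev/null 2>&1 && echo ok || echo fail
    fi
}

# show_chain HOST [PORT]: print subject/issuer of every cert a live DoT server
# sends, so you can see whether the intermediate is actually in the handshake.
# Needs network; not executed in this script.
show_chain() {
    host=$1; port=${2:-853}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | openssl crl2pkcs7 -nocrl -certfile /dev/stdin \
        | openssl pkcs7 -print_certs -noout
}

make_pki
echo "full chain, root trusted:        $(verify_chain "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem")"
echo "leaf only, intermediate missing: $(verify_chain "$WORK/root.pem" "$WORK/leaf.pem")"
echo "root not in client store:        $(verify_chain "$WORK/other-root.pem" "$WORK/leaf.pem" "$WORK/int.pem")"
```

The second case is what a server that terminates TLS (nginx here) looks like when its `ssl_certificate` file holds only the leaf instead of the full chain: the handshake still completes, but a client that does not already cache the intermediate cannot build a path and drops the connection. The third case is the trust-store side of the same problem: a correct, complete chain still fails on a client whose store does not contain the root the chain ends in, so run `show_chain` against your endpoint and compare the issuer names with what the client platform ships.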

To quote LE:

“On September 30 2021, there will be a small change in how older browsers and devices trust Let’s Encrypt certificates. If you run a typical website, you won’t notice a difference - the vast majority of your visitors will still accept your Let’s Encrypt certificate. If you provide an API or have to support IoT devices, you might have to pay a little more attention to the change.”

Aka older browsers and sockets are fucked… sorry, RIP… you have free… free comes free of support. That's how I translate it.

God, it is going to be a minute. I am going to have to reconnect all of the WireGuard connections, as I recently changed the keys for all the peers.

I'm nearly certain this might be the problem. Your issues on the DoT and your DNS are all backend, not frontend.

BTW @Argone, I know you like learning, but just going to throw it out there… There is a simpler, more headache-free route if you're not experienced in automating these things.

Buy a Synology… they are good. (TrueNAS is too, but harder)… I mean, what's not to love about it… Get it… Set it… Forget it… something bonks itself to hell… and the box breaks… chuck the drives in another Synology… profit.

It keeps it separate from your desktop too, and you can avoid dual boot or using Linux as your primary on a shared machine.

Ehhh, I am using Proxmox and like it. I am learning. I feel accomplished once I get this stuff done.


You have to start somewhere.

I am just providing options like I do for everyone. Anyway, I'll be back later.

Also, here is the form to switch over to the E cert for LE.

Because you are affected by it.

Also, you might want to fix this (I have guides on it. It's not urgent).

That trust store cert messes with Apple's and Android's DoT resolution, as an FYI. It often just fails to resolve because of that in the chain. Now you can remove that from the trust store, but it's still reacquired on connect.

I got a wildcard cert now.


No, I just copied that to show you that I followed that tutorial. I have my settings.
