DiG DoH TLS Error
r1wcp42w at bbqporkmccity.com
Tue Jan 16 09:46:23 UTC 2024
Hello,
I am trying to resolve a DNS record over DNS over HTTPS with DiG on our
DNS server. However, DiG is returning a TLS error. See the following
anonymized result:
➜ dig +trace +https @dns.example.com www.example.com
;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com
failed: TLS error.
;; no servers could be reached
;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com
failed: TLS error.
;; no servers could be reached
;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com
failed: TLS error.
;; no servers could be reached
I can confirm that the server can be reached, and with openssl s_client
-connect the certificate returned an OK result:
Connecting to 192.168.132.5
CONNECTED(00000003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=R3
verify return:1
depth=0 CN=*.example.com
verify return:1
---
Certificate chain
0 s:CN=*.example.com
i:C=US, O=Let's Encrypt, CN=R3
a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan <redacted> 2024 GMT; NotAfter: Apr <redacted> 2024 GMT
1 s:C=US, O=Let's Encrypt, CN=R3
i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
<certificate redacted>
-----END CERTIFICATE-----
subject=CN=*.example.com
issuer=C=US, O=Let's Encrypt, CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2816 bytes and written 392 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 384 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_128_GCM_SHA256
Session-ID: <redacted>
Session-ID-ctx:
Resumption PSK: <redacted>
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 604800 (seconds)
TLS session ticket:
<redacted> .
Start Time: 1705398062
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
Any idea what is causing the TLS error?
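One thing the s_client run above does not exercise is ALPN: DoH (RFC 8484) runs over HTTP/2, so a DoH client such as dig +https needs the server to negotiate the h2 protocol, and s_client without -alpn reports "No ALPN negotiated" regardless. The following is an added example, not code from the post or from BIND: it builds the RFC 8484 wire-format query and GET encoding for www.example.com offline, and offers h2 to a server (dns.example.com is the hostname from the post) to report what it actually negotiates.

```python
"""Offline pieces of an RFC 8484 (DoH) probe: build the wire-format query
a DoH client sends, encode it for the GET form, and (optionally, on a live
network) check which ALPN protocol the server negotiates. Constructed
example, not BIND's dig code."""
import base64
import socket
import ssl
import struct

DOH_ALPN = ["h2"]  # RFC 8484 requires HTTP/2 for DoH, so the server must offer h2


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format DNS query: ID 0 (as RFC 8484 recommends for cacheability),
    RD flag set, one question of class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_path(query: bytes, path: str = "/dns-query") -> str:
    """GET form of RFC 8484: base64url without padding in the ?dns= parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={encoded}"


def negotiated_alpn(host: str, port: int = 443, timeout: float = 5.0):
    """Live check (needs network): offer h2 like a DoH client and report what
    the server picked. None means no ALPN was agreed, so HTTP/2 cannot start."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(DOH_ALPN)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()


if __name__ == "__main__":
    q = build_dns_query("www.example.com")
    print(doh_get_path(q))  # matches the GET example in RFC 8484 section 4.1.1
    print("ALPN:", negotiated_alpn("dns.example.com"))  # hostname from the post
```

The path printed for www.example.com is exactly the RFC 8484 example, which makes the encoder easy to check against the spec before pointing it at a real resolver.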