DiG DoH TLS Error

r1wcp42w at bbqporkmccity.com
Tue Jan 16 09:46:23 UTC 2024


Hello,


I am trying to resolve a DNS record with DNS over HTTPS with DiG on our 
DNS server. However, DiG is returning a TLS error. See the following 
anonymized result:

  ➜ dig +trace +https @dns.example.com www.example.com
;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com failed: TLS error.
;; no servers could be reached

;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com failed: TLS error.
;; no servers could be reached

;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com failed: TLS error.
;; no servers could be reached



I can confirm that the server can be reached, and with openssl s_client 
-connect the certificate verification returned an OK result:

Connecting to 192.168.132.5
CONNECTED(00000003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=R3
verify return:1
depth=0 CN=*.example.com
verify return:1
---
Certificate chain
  0 s:CN=*.example.com
    i:C=US, O=Let's Encrypt, CN=R3
    a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
    v:NotBefore: Jan <redacted> 2024 GMT; NotAfter: Apr <redacted> 2024 GMT
  1 s:C=US, O=Let's Encrypt, CN=R3
    i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
    v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
<certificate redacted>
-----END CERTIFICATE-----
subject=CN=*.example.com
issuer=C=US, O=Let's Encrypt, CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2816 bytes and written 392 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 384 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
     Protocol  : TLSv1.3
     Cipher    : TLS_AES_128_GCM_SHA256
     Session-ID: <redacted>
     Session-ID-ctx:
     Resumption PSK: <redacted>
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket lifetime hint: 604800 (seconds)
     TLS session ticket:
<redacted>

     Start Time: 1705398062
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)
     Extended master secret: no
     Max Early Data: 0
---
read R BLOCK


Any idea what is causing the TLS error?
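
Added diagnostic example, not part of the original post: the s_client run above offered no ALPN ("No ALPN negotiated") and verified the chain only, while dig's DoH client needs HTTP/2 negotiated over the same TLS session, so a probe that offers h2 under the same SNI and builds the RFC 8484 request dig would send is closer to what dig exercises. The host name and IP are the post's anonymized values; the /dns-query path is the RFC 8484 convention and is an assumption.

```python
import base64
import socket
import ssl
import struct

# Constructed example, not from the original post. Host name and IP are the post's
# anonymized values; the /dns-query path is the RFC 8484 convention, assumed here.
DOH_HOST, DOH_IP, DOH_PATH = "dns.example.com", "192.168.132.5", "/dns-query"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal DNS wire-format query: ID 0 (RFC 8484 recommends it for cacheability),
    RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_path(query: bytes, path: str = DOH_PATH) -> str:
    """RFC 8484 GET form: the wire message as unpadded base64url in the dns= parameter."""
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{path}?dns={dns}"


def decode_dns_param(path: str) -> bytes:
    """Inverse of doh_get_path: restore padding and decode (what a DoH server does)."""
    dns = path.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(dns + "=" * (-len(dns) % 4))


def alpn_probe(host: str = DOH_HOST, ip: str = DOH_IP, port: int = 443) -> dict:
    """Open a verified TLS session with SNI=host, offering h2 and http/1.1 via ALPN,
    and report what the server actually selected. s_client without -alpn never
    exercises this, while a DoH client needs h2 to be negotiated."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, as dig does
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return {"tls": tls.version(), "alpn": tls.selected_alpn_protocol(),
                    "cn": subject.get("commonName")}


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("GET", doh_get_path(q))   # the request dig would send over HTTP/2
    print(alpn_probe())              # a DoH endpoint is expected to select "h2"
```

If the probe reports alpn None or http/1.1, the server is not offering HTTP/2 on that listener, which the s_client run cannot reveal; if the handshake itself fails here but not in s_client, compare the trust store and hostname used by each.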

