1.1.1.1 over TLS issues started 2 days ago

Hi,
I’ve been using DNS over TLS for several months now; 2 days ago I lost DNS and haven’t been able to get it sorted.
Important info:
MacOS 10.14.2
Stubby 0.2.3
Tested on 2 Spanish ISPs, Vodafone and movistar

Started to get the following error:
[07:51:01.127200] STUBBY: 1.0.0.1 : Upstream : !Backing off TLS on this upstream - Will retry again in 2s at Wed Dec 19 07:51:03 2018
[07:51:01.187200] STUBBY: 1.1.1.1 : Verify failed : TLS - Failure - Pinset validation failure

After a system restart the best I can get now is:
Error message:
STUBBY: FAILURE no valid transports or upstreams available!
Could not schedule query: None of the configured upstreams could be used to send queries on the specified transports

I can traceroute to 1.1.1.1 fine

Stubby config:
upstream_recursive_servers:
# IPv4 addresses
# The Surfnet/Sinodun servers
  - address_data: 1.1.1.1
    tls_auth_name: "Cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
  - address_data: 1.0.0.1
    tls_auth_name: "Cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=

It would seem as if the certificate hash is incorrect.

Try the following

  - address_data: 1.1.1.1
    tls_auth_name: "Cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: TdBczz+YjD3Q/taSfHXL5n4LnRxzJk0WG0JAX7nRu6s=

  - address_data: 1.0.0.1
    tls_auth_name: "Cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: TdBczz+YjD3Q/taSfHXL5n4LnRxzJk0WG0JAX7nRu6s=

Ok, after changing the pubkey pinset and then a restart I’m back up and running.

Is this something that’s going to change often? If so, how can I self serve the changes?

Also is this just a cert expiry that should be expected? There’s a lot of tutorials etc around that reference the old value which will now be broken.

Thanks, Dan.
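As an added example (not from this thread and not Stubby's own code), the script below computes a tls_pubkey_pinset value the way Stubby checks it: base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo of the certificate the resolver presents on port 853. That is the "self serve" step: compute the pin from the live certificate and compare it with what is in stubby.yml before the old pin stops validating. To run offline it builds a constructed, unsigned skeleton certificate with a dummy P-256 key (not a real key or a real certificate); fetch_server_spki_pin is the optional live check, and the host, auth name and port passed to it are assumptions you supply.

```python
"""Compute and check a Stubby-style SPKI pin (base64 of SHA-256 over the
DER SubjectPublicKeyInfo).  Added example; not Stubby's or Cloudflare's code."""
import base64
import hashlib
import socket
import ssl


def _der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body


def der_read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(seq_value: bytes):
    """Split a SEQUENCE value into its child elements as (tag, raw TLV bytes)."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, _, nxt = der_read_tlv(seq_value, pos)
        out.append((tag, seq_value[pos:nxt]))
        pos = nxt
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Pull the raw SubjectPublicKeyInfo TLV out of a DER X.509 certificate."""
    tag, cert_body, _ = der_read_tlv(cert_der, 0)
    assert tag == 0x30, "certificate must be a SEQUENCE"
    tbs_tag, tbs_body, _ = der_read_tlv(cert_body, 0)
    assert tbs_tag == 0x30, "tbsCertificate must be a SEQUENCE"
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version; drop it so indexes line up
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def spki_pin(spki_der: bytes) -> str:
    """The value Stubby expects under tls_pubkey_pinset (digest sha256)."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(pinset, pin: str) -> bool:
    """True if any sha256 entry in the configured pinset equals the computed pin."""
    return any(p.get("digest") == "sha256" and p.get("value") == pin for p in pinset)


def fetch_server_spki_pin(host: str, auth_name: str, port: int = 853) -> str:
    """Live check (needs network): pin of the certificate a DoT resolver presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=auth_name) as tls:
            return spki_pin(extract_spki(tls.getpeercert(binary_form=True)))


# Constructed sample SPKI: id-ecPublicKey / prime256v1 with a dummy 64-byte point
# (not a real key; only the DER structure matters for parsing and hashing).
SAMPLE_SPKI = der_tlv(
    0x30,
    der_tlv(0x30, b"\x06\x07\x2a\x86\x48\xce\x3d\x02\x01"
                  b"\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07")
    + der_tlv(0x03, b"\x00\x04" + bytes(range(1, 65))),
)


def build_sample_cert(spki: bytes) -> bytes:
    """Constructed, unsigned skeleton certificate wrapping the given SPKI."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    serial = der_tlv(0x02, b"\x01")
    sig_alg = der_tlv(0x30, b"\x06\x08\x2a\x86\x48\xce\x3d\x04\x03\x02")  # ecdsa-with-SHA256
    empty_name = der_tlv(0x30, b"")
    validity = der_tlv(0x30, der_tlv(0x17, b"190101000000Z") + der_tlv(0x17, b"200101000000Z"))
    tbs = der_tlv(0x30, version + serial + sig_alg + empty_name + validity + empty_name + spki)
    signature = der_tlv(0x03, b"\x00" + b"\x00" * 8)  # placeholder, not a real signature
    return der_tlv(0x30, tbs + sig_alg + signature)


if __name__ == "__main__":
    # Pinset from the reply above; compare it with what the resolver presents today.
    configured = [{"digest": "sha256", "value": "TdBczz+YjD3Q/taSfHXL5n4LnRxzJk0WG0JAX7nRu6s="}]
    live = fetch_server_spki_pin("1.1.1.1", "cloudflare-dns.com")
    print("live pin:", live, "matches config:", pin_matches(configured, live))
```

Running the main block needs network access; if it reports a mismatch, the value it prints is the one to put into stubby.yml, after confirming it is the same from a second network (pin changes on a single path are exactly what pinning is meant to catch).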

@cloonan

This topic was automatically closed after 14 days. New replies are no longer allowed.