1.1.1.2 and 1.1.1.3 are throwing SSL errors for DNS over HTTPS

I have been using DNS over HTTPS via cloudflared to 1.1.1.2 for months and today it stopped working. 1.1.1.1 DoH does work.

Here is a failing test command

```
$ curl -v -s  -H 'accept: application/dns-json'   'https://1.1.1.2/dns-query?name=google.com&type=A'
*   Trying 1.1.1.2:443...
* Connected to 1.1.1.2 (1.1.1.2) port 443 (#0)
...
* OpenSSL/3.0.11: error:0A000410:SSL routines::sslv3 alert handshake failure
* Closing connection 0
```

Here is a working command

```
$ curl -s  -H 'accept: application/dns-json'   'https://1.1.1.1/dns-query?name=google.com&type=A' | jq .
...
  "Answer": [
    {
      "name": "google.com",
      "type": 1,
      "TTL": 195,
      "data": "142.250.190.78"
    }
  ]
}
```

This issue has been escalated.


Can follow along here: Cloudflare Status - Issues for Families and Securities with 1.1.1.x public resolver via DoH


Hi Guys,

I have a MikroTik router and DOH is enabled on it. Everything was working fine until today.
My router is set up to use certificate verification and today that is broken, because the certificate for security.cloudflare-dns.com now uses Let’s Encrypt instead of DigiCert.

Is this some sort of certificates failover?

Thanks.

The Status page for this incident hasn’t been updated for a few hours, what’s the current situation?

Cloudflare Status - Issues for Families and Securities with 1.1.1.x public resolver via DoH

Thanks

Seeing this as well. The malware and family safe DOH are all failing this way. From my local DNS resolver logs, this started at 7:05:02 PM CDT on April 16, 2024.

```
$ curl -v -s  -H 'accept: application/dns-json'   'https://1.1.1.2/dns-query?name=google.com&type=A'
*   Trying 1.1.1.2:443...
* Connected to 1.1.1.2 (1.1.1.2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS header, Unknown (21):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:0A000410:SSL routines::sslv3 alert handshake failure
* Closing connection 0

$ curl -v -s  -H 'accept: application/dns-json'   'https://1.1.1.3/dns-query?name=google.com&type=A'
*   Trying 1.1.1.3:443...
* Connected to 1.1.1.3 (1.1.1.3) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS header, Unknown (21):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:0A000410:SSL routines::sslv3 alert handshake failure
* Closing connection 0

$ curl -v -s  -H 'accept: application/dns-json'   'https://1.0.0.2/dns-query?name=google.com&type=A'
*   Trying 1.0.0.2:443...
* Connected to 1.0.0.2 (1.0.0.2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS header, Unknown (21):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:0A000410:SSL routines::sslv3 alert handshake failure
* Closing connection 0

$ curl -v -s  -H 'accept: application/dns-json'   'https://1.0.0.3/dns-query?name=google.com&type=A'
*   Trying 1.0.0.3:443...
* Connected to 1.0.0.3 (1.0.0.3) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS header, Unknown (21):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:0A000410:SSL routines::sslv3 alert handshake failure
* Closing connection 0
```

Standard DNS (UDP port 53) on the same resolvers works fine.

Until they fix this issue, there are a couple of workarounds. The best one is to go to https://developers.cloudflare.com/1.1.1.1/infrastructure/network-operators/#available-endpoints to see that instead of 1.1.1.2 you can use https://security.cloudflare-dns.com/dns-query and everything will keep working.

The other one is to temporarily use 1.1.1.1 instead.

The command to test using the hostname is this,

```
curl -H 'accept: application/dns-json' 'https://security.cloudflare-dns.com/dns-query?name=google.com&type=A'
```

I think the issue I am experiencing is different from your issue. DigiCert was slated to be expired a bit ago, see DigiCert update · Cloudflare SSL/TLS docs

I think you’ll need to somehow update your router or its certificate store to work with Let’s Encrypt certificates.

terrible :weary:

I have seen other providers suggest using FQDNs for DoH and it intrigues me. How can I resolve ‘security.cloudflare-dns.com’ to then connect to it for DNS resolution? It seems like a chicken-or-egg situation.

Edit: Or maybe a horse-before-cart situation. I’m not very good at metaphors.


Hello,

Indeed it’s a catch-22, but taking into account that the IPv4 addresses for cloudflare-dns.com are well known and not changing often, you can create a static DNS entry only for the DNS resolver that you are using.
For example: if you use security.cloudflare-dns.com as the DoH DNS resolver, you first create the static DNS entries for the cloudflare-dns.com domain that point to the 1.1.1.2 and 1.0.0.2 IPs. Then you can use the DoH URL using the domain name.

Now related to today’s issue.
Before finding this community page I saw that earlier today I got an error when verifying *.cloudflare-dns.com root certificates.

I first thought of a MITM :slight_smile:

From my observations, the usual certificates used by *.cloudflare-dns.com were those from DigiCert, but today I got a Let’s Encrypt certificate with a root certificate from ISRG X2, as you can see below:

Now everything seems ok.

For those that need to verify the certificates for the DoH server I found out that the following ROOT certificates should be enough:

DigiCert Global Root G2 - cacerts.digicert.com/DigiCertGlobalRootG2.crt for cloudflare-dns.com
DigiCert Global Root G3 - cacerts.digicert.com/DigiCertGlobalRootG3.crt for security.cloudflare-dns.com

Also all DigiCert CAs can be found here: digicert.com/kb/digicert-root-certificates.htm#roots

Hope it helps someone!

PS: I wanted to upload the screenshots with the certificates, but being my first post I cannot :slight_smile:
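The static-bootstrap idea above (pin the resolver's well-known IPs, but keep verifying the certificate against the FQDN) and the root-certificate question can be put into one small client. This is an added example, not code from the post or from Cloudflare; the bootstrap table is constructed from the addresses named in this thread, and the issuer names are assumptions a deployment would adjust.

```python
import http.client
import json
import socket
import ssl

# Static bootstrap table, as the post suggests: DoH FQDN -> well-known IPs from this thread.
BOOTSTRAP = {"security.cloudflare-dns.com": ["1.1.1.2", "1.0.0.2"],
             "cloudflare-dns.com": ["1.1.1.1", "1.0.0.1"]}

class PinnedDoHConnection(http.client.HTTPSConnection):
    """TCP to a pinned IP; SNI, Host header and certificate checks all use the FQDN."""
    def __init__(self, fqdn, ip, timeout=5):
        super().__init__(fqdn, 443, timeout=timeout, context=ssl.create_default_context())
        self._pinned_ip = ip

    def connect(self):
        raw = socket.create_connection((self._pinned_ip, self.port), self.timeout)
        self.sock = self._context.wrap_socket(raw, server_hostname=self.host)

def bootstrap_ips(fqdn, table=BOOTSTRAP):
    """Resolve the resolver's own name from the static table, never via DNS."""
    return list(table.get(fqdn, []))

def issuer_org(peercert):
    """organizationName of the issuer in the dict ssl.SSLSocket.getpeercert() returns."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def parse_answers(body, rtype=1):
    """'data' of every Answer of the given RR type in an application/dns-json body."""
    return [a["data"] for a in json.loads(body).get("Answer", []) if a.get("type") == rtype]

def doh_query(fqdn, name, expected_issuers=("DigiCert Inc", "Let's Encrypt")):
    """A-record lookup over DoH via the pinned IPs; returns (issuer org, [addresses])."""
    for ip in bootstrap_ips(fqdn):
        conn = PinnedDoHConnection(fqdn, ip)
        try:
            conn.request("GET", f"/dns-query?name={name}&type=A",
                         headers={"Accept": "application/dns-json"})
            issuer = issuer_org(conn.sock.getpeercert())
            if issuer not in expected_issuers:  # CA rotation: log it, don't hard-fail on a root list
                print(f"warning: {ip} served a certificate issued by {issuer!r}")
            return issuer, parse_answers(conn.getresponse().read())
        except OSError as exc:  # ssl.SSLError is a subclass, e.g. the handshake failure in this thread
            print(f"{ip}: {exc}")
        finally:
            conn.close()
    return None, []
```

The system trust store still decides whether the chain is valid; the issuer check only makes a CA switch like the DigiCert to Let's Encrypt one visible instead of silently breaking a router that pinned a single vendor's roots.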

My DNS server that does DoH is a Linux server that has 1.1.1.2 and 1.0.0.2 in the /etc/resolv.conf file. So, it could use the cloudflare-dns.com domain name, but I’d rather just use DoH directly against the IPs.

Looks like things are working again for the IPv4 addresses and still being worked on for the IPv6 IPs.
