1.1.1.2 and TLS

The community says 1.1.1.2 over TLS doesn’t work yet - you’ll get unfiltered results. But CF docs say:

https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families#dns-over-tls-dot

The docs say it does work. Am I reading this wrong - or is there a way to get it going?

What do you mean “the community says it doesn’t work”? Why not just try it yourself then?

~> kdig @1.1.1.1 im-creator.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 49012
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; im-creator.com.              IN      A

;; ANSWER SECTION:
im-creator.com.         600     IN      A       216.239.32.21

;; Received 48 B
;; Time 2022-01-05 16:47:53 CET
;; From 1.1.1.1@53(UDP) in 21.7 ms
~> kdig @1.1.1.2 im-creator.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 55251
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; im-creator.com.              IN      A

;; ANSWER SECTION:
im-creator.com.         60      IN      A       0.0.0.0

;; Received 48 B
;; Time 2022-01-05 16:47:57 CET
;; From 1.1.1.2@53(UDP) in 9.3 ms
~> kdig -d @1.1.1.2 +tls-ca +tls-host=security.cloudflare-dns.com im-creator.com
;; DEBUG: Querying for owner(im-creator.com.), class(1), type(1), server(1.1.1.2), port(853), protocol(TCP)
;; DEBUG: TLS, imported 129 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: RKlx+/Jwn2A+dVoU8gQWeRN2+2JxXcFkAczKfgU8OAI=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
;; DEBUG:      SHA-256 PIN: e0IRz5Tio3GA1Xs4fUVWmH1xHDiH2dMbVtCBSkOIdqM=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 1775
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 405 B

;; QUESTION SECTION:
;; im-creator.com.              IN      A

;; ANSWER SECTION:
im-creator.com.         60      IN      A       0.0.0.0

;; Received 468 B
;; Time 2022-01-05 16:48:00 CET
;; From 1.1.1.2@853(TCP) in 28.6 ms

It clearly blocks the domain over normal DNS and DoT.

Ok, then! This looks promising. Let me figure out why I was still getting through.

Thanks

The issue is that, for some technical reasons, the TLS certificate served at 1.1.1.2 is not correct; unless the client doesn’t check it, it won’t work the way 1.1.1.1 does.

For instance:

$ echo | openssl s_client -connect 1.0.0.2:853 -servername security.cloudflare-dns.com | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'

            X509v3 Subject Alternative Name:
                DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, IP Address:1.1.1.1, IP Address:1.0.0.1, IP Address:162.159.36.1, IP Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:1111, IP Address:2606:4700:4700:0:0:0:0:1001, IP Address:2606:4700:4700:0:0:0:0:64, IP Address:2606:4700:4700:0:0:0:0:6400
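As an added example (not part of the thread and not Cloudflare code), the script below does offline what the two checks in this thread do with kdig and openssl: it parses DNS wire-format answers and flags the 0.0.0.0 sentinel that 1.1.1.2 returns for a filtered name, and it applies the SAN list printed by the openssl command above to show which names a strict TLS client would accept. The two response byte strings are constructed to mirror the kdig output (same 48-byte size, TTL 60 with 0.0.0.0 versus TTL 600 with 216.239.32.21); the SAN line is copied from the openssl output; all function names are mine. The `dot_query` function performs a live RFC 7858 query and is included for completeness only; nothing else needs network access.

```python
import ipaddress
import socket
import ssl
import struct

# Constructed wire-format responses modelled on the kdig output in the thread.
FILTERED_RESPONSE = (
    b"\xd7\xd3\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # id 55251, flags qr rd ra, 1 Q, 1 A
    b"\x0aim-creator\x03com\x00\x00\x01\x00\x01"          # question: im-creator.com IN A
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04"    # answer: ptr to name, IN A, TTL 60, len 4
    b"\x00\x00\x00\x00"                                    # 0.0.0.0 = "blocked" sentinel
)
UNFILTERED_RESPONSE = (
    b"\xbf\x74\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # id 49012
    b"\x0aim-creator\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x02\x58\x00\x04"    # TTL 600
    b"\xd8\xef\x20\x15"                                    # 216.239.32.21
)
# SAN line exactly as printed by the openssl command in the thread.
SAN_LINE = ("DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, "
            "IP Address:1.1.1.1, IP Address:1.0.0.1, IP Address:162.159.36.1, "
            "IP Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:1111, "
            "IP Address:2606:4700:4700:0:0:0:0:1001, IP Address:2606:4700:4700:0:0:0:0:64, "
            "IP Address:2606:4700:4700:0:0:0:0:6400")


def encode_name(name):
    """Encode a domain name as DNS labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname, qid=0x1234):
    """Minimal A query with RD set (no EDNS)."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def _read_name(msg, off, hops=0):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            if hops > 16:
                raise ValueError("compression pointer loop")
            end = end if end is not None else off + 2
            off, hops = ((n & 0x3F) << 8) | msg[off + 1], hops + 1
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg):
    """Return [(name, ttl, ipv4)] for every A record in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0xF:
        raise ValueError("non-zero RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    out = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out.append((name, ttl, str(ipaddress.IPv4Address(msg[off:off + 4]))))
        off += rdlen
    return out


def is_blocked(msg):
    """1.1.1.2 signals a filtered name by answering 0.0.0.0, as in the kdig output."""
    return any(ip == "0.0.0.0" for _, _, ip in parse_a_records(msg))


def parse_san_line(line):
    """Split openssl's 'DNS:x, IP Address:y' SAN line into (kind, value) pairs."""
    return [tuple(part.split(":", 1)) for part in line.split(", ")]


def san_matches(sans, target):
    """Would a strict TLS client accept this certificate for `target`?
    Hostnames: exact dNSName or a single-label wildcard (RFC 6125).
    IP literals: only an iPAddress SAN counts; a dNSName never matches an IP."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    host = target.lower().rstrip(".")
    for kind, value in sans:
        if kind == "IP Address":
            if ip is not None and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and ip is None:
            pat = value.lower()
            if pat.startswith("*."):
                suffix = pat[1:]
                head = host[:-len(suffix)] if host.endswith(suffix) else ""
                if head and "." not in head:       # wildcard covers exactly one label
                    return True
            elif host == pat:
                return True
    return False


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DoT server closed the connection early")
        buf += chunk
    return buf


def dot_query(server, qname, sni=None, port=853, timeout=5):
    """Live DoT query (RFC 7858): 2-byte length prefix over TLS on port 853.
    With sni=None the certificate is validated against the server IP itself,
    which is the strict-client check the last post describes as failing;
    sni="security.cloudflare-dns.com" is what kdig's +tls-host did above."""
    ctx = ssl.create_default_context()
    q = build_query(qname)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or server) as tls:
            tls.sendall(struct.pack("!H", len(q)) + q)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length))


if __name__ == "__main__":
    for label, resp in (("1.1.1.1", UNFILTERED_RESPONSE), ("1.1.1.2", FILTERED_RESPONSE)):
        print(label, parse_a_records(resp), "blocked" if is_blocked(resp) else "not blocked")
    sans = parse_san_line(SAN_LINE)
    for target in ("security.cloudflare-dns.com", "1.1.1.1", "1.1.1.2"):
        print(target, "accepted" if san_matches(sans, target) else "rejected", "by the SAN list")
```

Run as a script it reports the 1.1.1.2 response as blocked and the 1.1.1.1 response as not blocked, and shows that `security.cloudflare-dns.com` (via the `*.cloudflare-dns.com` wildcard) and `1.1.1.1` are covered by the SAN list while `1.1.1.2` is not; that difference is exactly why `dot_query("1.1.1.2", ..., sni="security.cloudflare-dns.com")` can validate where a client that checks the certificate against the IP cannot.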
