I’m using OkHTTP 4.9.0 to do DNS lookups on your DoH resolver. Things work perfectly on the JVM 8+ (tested on macOS, Linux and Windows), but it fails with the following exception on Android (tested on Android 5 and 8):
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:219)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept
Based on that traceback, I’d say the problem is that the issuer of your certificate isn’t on the Conscrypt trust store. I can’t imagine things would be different with a different HTTP client, given that the problem is in Conscrypt.
I can work around this issue by using Google’s DoH resolver.
Here’s the DoH client I’m using in case you want to test this, but you should be able to replicate this with a simple HTTP request to cloudflare-dns.com: GitHub - relaycorp/doh-jvm: Basic DNS-over-HTTPS library for the JVM
So, how are other people using this resolver on Android?
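If the issuer really is absent from the device trust store, the safe mitigation is to keep the platform anchors and add only the resolver operator's own root, obtained out of band, rather than disabling verification. The following Kotlin is an added example (not the poster's code and not part of doh-jvm) using OkHttp's okhttp-tls module; the PEM stream, the `application/dns-json` endpoint and the query parameters are assumptions.

```kotlin
import okhttp3.OkHttpClient
import okhttp3.Request
import okhttp3.tls.HandshakeCertificates
import java.io.InputStream
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate

// Builds an OkHttpClient that trusts the platform CA store plus one extra
// root loaded from a PEM stream the app bundles (e.g. a raw resource).
// The extra root must be the resolver operator's real CA obtained out of
// band, never a certificate copied out of a failing handshake.
fun clientTrustingExtraRoot(extraRootPem: InputStream): OkHttpClient {
    val extraRoot = CertificateFactory.getInstance("X.509")
        .generateCertificate(extraRootPem) as X509Certificate
    val certs = HandshakeCertificates.Builder()
        .addPlatformTrustedCertificates()   // keep the device's normal anchors
        .addTrustedCertificate(extraRoot)   // add only the one missing anchor
        .build()
    return OkHttpClient.Builder()
        // Passing the matching trust manager keeps hostname and chain
        // validation intact; this is not a "trust everything" socket factory.
        .sslSocketFactory(certs.sslSocketFactory(), certs.trustManager())
        .build()
}

// One DoH query over the JSON API (assumed endpoint) to confirm the
// handshake now completes; any remaining trust problem still surfaces as
// SSLHandshakeException from execute().
fun resolveA(client: OkHttpClient, name: String): String {
    val request = Request.Builder()
        .url("https://cloudflare-dns.com/dns-query?name=$name&type=A")
        .header("Accept", "application/dns-json")
        .build()
    client.newCall(request).execute().use { response ->
        check(response.isSuccessful) { "DoH query failed: HTTP ${response.code}" }
        return response.body!!.string()
    }
}
```

Before shipping such a bundle, confirm the added certificate is the CA the operator publishes and plan for its rotation, since an app-embedded anchor does not update with the OS store.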