[Outdated] [the Chinese mainland] google.com is DNS poisoned

Update: It has been restored to its previous state so that the OCSP and CRL addresses of GTS can now be accessed normally in the Chinese mainland.

Currently google.com is poisoned in the Chinese mainland.

Since the ocsp.pki.goog and crl.pki.goog CNAMEs point to *.google.com, the OCSP and CRL of GTS certificates will not be available in the Chinese mainland.

Unfortunately Cloudflare can’t really help here. Cloudflare has no control of google.com or any of its DNS records.

You may be able to try using DNS over HTTPS via Cloudflare WARP or another DoH provider to avoid any DNS poisoning issues, but this is not guaranteed to work.

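The CNAME dependency raised in the first post, as an added example that is not part of the thread: it walks the CNAME chain in DoH JSON answers and reports which revocation endpoints end up inside a poisoned zone. It assumes the `application/dns-json` answer shape returned by public DoH resolvers; the sample answers, CNAME targets and the third hostname are constructed placeholders, not real records.

```python
import json

CNAME = 5  # DNS resource record type number for CNAME

# Constructed DoH JSON answers; targets and addresses are placeholders.
SAMPLE_ANSWERS = {
    "ocsp.pki.goog": json.dumps({"Status": 0, "Answer": [
        {"name": "ocsp.pki.goog", "type": 5, "TTL": 300,
         "data": "placeholder-a.google.com."},
        {"name": "placeholder-a.google.com", "type": 1, "TTL": 300,
         "data": "192.0.2.10"}]}),
    "crl.pki.goog": json.dumps({"Status": 0, "Answer": [
        {"name": "crl.pki.goog", "type": 5, "TTL": 300,
         "data": "placeholder-b.google.com."},
        {"name": "placeholder-b.google.com", "type": 1, "TTL": 300,
         "data": "192.0.2.20"}]}),
    "ocsp.example-ca.test": json.dumps({"Status": 0, "Answer": [
        {"name": "ocsp.example-ca.test", "type": 1, "TTL": 300,
         "data": "192.0.2.30"}]}),
}

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def cname_chain(qname, doh_json):
    """Return [qname, hop1, ...] by following CNAME records in one answer."""
    records = json.loads(doh_json).get("Answer", [])
    cnames = {norm(r["name"]): norm(r["data"])
              for r in records if r["type"] == CNAME}
    chain, seen = [norm(qname)], set()
    while chain[-1] in cnames and chain[-1] not in seen:  # stop on loops
        seen.add(chain[-1])
        chain.append(cnames[chain[-1]])
    return chain

def in_zone(name, zone):
    """Label-boundary match, so notgoogle.com is not inside google.com."""
    return name == zone or name.endswith("." + zone)

def affected_endpoints(answers, poisoned_zone):
    """Map each queried name to the first chain hop inside poisoned_zone."""
    zone, hits = norm(poisoned_zone), {}
    for qname, body in answers.items():
        hop = next((h for h in cname_chain(qname, body) if in_zone(h, zone)), None)
        if hop:
            hits[norm(qname)] = hop
    return hits
```

Running `affected_endpoints` over answers collected for every OCSP and CRL hostname a certificate chain references shows which revocation checks depend on the poisoned zone even though the queried names sit in a different domain.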

But Cloudflare is using GTS-issued certificates for its customers: Certificate authorities · Cloudflare SSL/TLS docs

As mcfadyeni said, Cloudflare does not control Google Trust Services (the service issuing the certificates) and thus cannot circumvent this block. Cloudflare does offer its customers the option to select which certificate authority they wish to choose for their primary and backup certificates, but this is up to the individual customer to set, so if a service you wish to use does not do so, you should contact them directly.
