Skip to content

DoT - Nameserver with Self Signed Certificate does not generate any errors when verify peers is enabled #182

Description

@shoulders

My setup

  • Windows 11 Pro
  • Xampp (php 8.2.12)
  • pfSense router acting as my DNS server
    • with standard DNS (port 53) and DoT (853) available
    • DoT is using self-signed certs
  • NetDNS2 v2.0.8

My Function

For your reference

Details
function dnsRequest($type, $nameserver, $targetDomain, $verifyPeer = true){

    try
    {
        // Create new resolver object, passing in an array of (Nameservers | DoH servers) to use for lookups
        // If domains are passed rather than IPs, DoH is used for the lookup.
        // Only https:// is supported for DoH
        $r = new \NetDNS2\Resolver(['nameservers' => [ $nameserver ]]);

        // Enable DoT / Upgrade standard cnnection to use TLS
        if ($type === 'dot'){$r->use_tls = true;}

        // Disable TLS Peer Verfication for the nameservers
        if(!$verifyPeer && ($type === 'dot' || $type === 'doh')){
            $r->tls_context = [ 'verify_peer' => false, 'verify_peer_name' => false ];
        }

        // Execute the query request for the domains A record
        $res = $r->query($targetDomain, 'A');

        // if domain points to more than one IP, then you can loop through the answer array to see each IP address.
        return '<span style="color: green;">'.$res->answer[0]->address.'</span>';

    } catch(\NetDNS2\Exception $e)
    {
        return '<span style="color: red;">'.$e->getMessage().'</span>';
    }

}

The Issue

When I do a lookup without disabling peer verification, I get no response at all from your library. However, below I have added the exception generated

Exception Array
NetDNS2\Exception::__set_state(array(
  message => '',
  *Exception*string => '',
  code => 3855,
  file => 'D:\\websites\\htdocs\\projects\\standalone\\DNS Hijacking Inspector\\vendor\\mikepultz\\netdns2\\src\\NetDNS2\\Client.php',
  line => 958,
  *Exception*trace => 
  array (
    0 => 
    array (
      file => 'D:\\websites\\htdocs\\projects\\standalone\\DNS Hijacking Inspector\\vendor\\mikepultz\\netdns2\\src\\NetDNS2\\Client.php',
      line => 1011,
      function => 'generateError',
      class => 'NetDNS2\\Client',
      type => '->',
      args => 
      array (
        0 => 1,
        1 => '10.0.0.1',
        2 => 
        NetDNS2\ENUM\Error::__set_state(array(
          name => 'INT_FAILED_SOCKET',
          value => 3855,
        )),
      ),
    ),
    1 => 
    array (
      file => 'D:\\websites\\htdocs\\projects\\standalone\\DNS Hijacking Inspector\\vendor\\mikepultz\\netdns2\\src\\NetDNS2\\Client.php',
      line => 813,
      function => 'sendTCPRequest',
      class => 'NetDNS2\\Client',
      type => '->',
      args => 
      array (
        0 => '10.0.0.1',
        1 => '�?�

from this function.

try
{
$response = $this->sendTCPRequest($ns, $data, ($_request->question[0]->qtype == \NetDNS2\ENUM\RR\Type::AXFR) ? true : false);
} catch(\NetDNS2\Exception $e)
{
$this->last_exception = $e;
$this->last_exception_list[$ns] = $e;
continue;
}

When I use the code below I get the IP of the requested domain, as expected.

$r->tls_context = [ 'verify_peer' => false, 'verify_peer_name' => false ]

Additional

When I use doge.exe to do DNS lookup on my DoT server I get the following error. Currently I cannot find a swtich to disable the peer verification with this app.

Error [tls]: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (os error -2146762487)

see this for more info: Add an option to disable Peer verification to allow for testing on devices with self signed certificates #93

TL;DR

Should when there is the non-verified certificate on a DoT nameserver and verify peers is enabled, should there an error returned?

e.g. like cURL : curl failed with response: SSL certificate problem: self-signed certificate

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions