
Interesting upstream server failed warning on dns.surfshark.com

Open PeterDaveHello opened this issue 2 years ago • 3 comments

The warning:

[2023-02-10 15:27:56]  WARN parallel resolver: test resolve of upstream server failed: can't resolve request via upstream server https://92.249.39.1:443/dns-query: http return content type should be 'application/dns-message', but was ''

When I use curl to test it, the result looks no problem:

$ curl -sD- -o /dev/null https://dns.surfshark.com/dns-query?dns=AAABAAABAAAAAAABBmRuc2xvdwJtZQAAAQABAAApAgAAAAAAAFoADABWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
HTTP/2 200 
access-control-allow-headers: Content-Type
access-control-allow-methods: GET, HEAD, OPTIONS, POST
access-control-allow-origin: *
access-control-max-age: 3600
cache-control: private, max-age=3593
content-type: application/dns-message
date: Fri, 10 Feb 2023 15:40:39 GMT
expires: Fri, 10 Feb 2023 16:40:32 GMT
last-modified: Fri, 10 Feb 2023 15:40:39 GMT
vary: Accept
content-length: 63

PeterDaveHello avatar Feb 10 '23 16:02 PeterDaveHello

Not sure if it's related, but looks like kdig also got an issue with https://dns.surfshark.com/, just not the HTTP header issue.

$ kdig -d +https @dns.surfshark.com dnslow.me
;; DEBUG: Querying for owner(dnslow.me.), class(1), type(1), server(dns.surfshark.com), port(443), protocol(TCP)
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=dns.surfshark.com
;; DEBUG:      SHA-256 PIN: yttntfV+Wu7pwEnxMLplkboikrtMhqDXY5H1G8Qj+8s=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=R3
;; DEBUG:      SHA-256 PIN: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
;; DEBUG:  #3, C=US,O=Internet Security Research Group,CN=ISRG Root X1
;; DEBUG:      SHA-256 PIN: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, skipping certificate verification
;; ERROR: failed to query server dns.surfshark.com@443(TCP)

PeterDaveHello avatar Feb 10 '23 17:02 PeterDaveHello

I get the following error message from curl:

curl -I --insecure  -H "Host: dns.surfshark.com" https://92.249.39.1/dns-query?dns=AAABAAABAAAAAAABBmRuc2xvdwJtZQAAAQABAAApAgAAAAAAAFoADABWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error

0xERR0R avatar Feb 14 '23 06:02 0xERR0R

This curl works:

curl -I --resolve dns.surfshark.com:443:92.249.39.1 https://dns.surfshark.com/dns-query?dns=AAABAAABAAAAAAABBmRuc2xvdwJtZQAAAQABAAApAgAAAAAAAFoADABWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

We are using IP addresses to connect to servers and most DoH servers can handle the TLS handshake this way. Servername is already set on TLSClientConfig and as an HTTP header parameter.

0xERR0R avatar Feb 14 '23 07:02 0xERR0R
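The connection pattern 0xERR0R describes (dial the upstream's IP, keep the hostname as SNI and verify the certificate against it) together with the content-type check behind the warning, as an added Go example that is not blocky's own code: DoHTransport, CheckDoHUpstream and ExampleQuery are hypothetical names, the query string is constructed, and the fake upstream is a local httptest server whose self-signed certificate is valid for example.com.

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

const ExampleQuery = "AAABAAABAAAAAAAABmRuc2xvdwJtZQAAAQAB" // constructed A query for dnslow.me (no EDNS), base64url as in "?dns="

// DoHTransport dials ipPort directly (blocky connects to the upstream's IP) while still sending serverName as SNI and verifying the certificate against that name; nil roots means the system trust store.
func DoHTransport(serverName, ipPort string, roots *x509.CertPool) *http.Transport {
	return &http.Transport{
		TLSClientConfig: &tls.Config{ServerName: serverName, RootCAs: roots, MinVersion: tls.VersionTLS12},
		DialContext: func(ctx context.Context, network, _ string) (net.Conn, error) {
			return (&net.Dialer{}).DialContext(ctx, network, ipPort) // URL host ignored, IP used
		},
	}
}

// CheckDoHUpstream sends an RFC 8484 GET (?dns=<base64url wire query>) and fails the way blocky's startup test does when the reply is not Content-Type application/dns-message.
func CheckDoHUpstream(c *http.Client, url, dnsParam string) error {
	resp, err := c.Get(url + "?dns=" + dnsParam)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if ct := resp.Header.Get("Content-Type"); ct != "application/dns-message" {
		return fmt.Errorf("http return content type should be 'application/dns-message', but was '%s'", ct)
	}
	return nil
}

func main() {
	// Constructed local stand-in for the upstream; an empty content type reproduces the reported warning.
	for _, ct := range []string{"application/dns-message", ""} {
		srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
			w.Header().Set("Content-Type", ct) // set explicitly, so Go does not sniff a type itself
		}))
		pool := x509.NewCertPool()
		pool.AddCert(srv.Certificate()) // httptest's self-signed cert is valid for example.com
		c := &http.Client{Transport: DoHTransport("example.com", srv.Listener.Addr().String(), pool)}
		fmt.Printf("content-type %q: %v\n", ct, CheckDoHUpstream(c, "https://example.com/dns-query", ExampleQuery))
		srv.Close()
	}
}
```

The second iteration prints the same "but was ''" message as the warning in the issue, while the certificate is still verified against the configured server name rather than the IP.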