
Cannot Specify Upstream for Domain with Underscore (for _acme-challenge)

Open shbatm opened this issue 2 years ago • 3 comments

Prerequisites

  • [X] I have checked the Wiki and Discussions and found no answer

  • [X] I have searched other issues and found no duplicates

  • [X] I want to report a bug and not ask a question

Operating system type

Linux, OpenWrt

CPU architecture

AMD64

Installation

GitHub releases or script from README

Setup

On a router, DHCP is handled by the router

AdGuard Home version

v0.108.0-a.261+1fb04376

Description

What did you do?

Attempted to add a specific subdomain to the Upstream DNS servers list with an "_" in the domain.

Expected result

Expect to be able to redirect _acme-challenge.zt.example.com to the upstream servers.

Per this documentation, I would like to send all subdomain queries to a specific upstream server, except _acme-challenge.* which needs to go to the upstream external server for external validation.

Desired config in Upstream DNS Servers:

[/zt.example.com/]192.168.195.11
[/_acme-challenge.zt.example.com/]#

This is possible in dnsmasq using the server=/_acme-challenge.zt.example.com/1.1.1.1 syntax.

Actual result

Config validation fails on the _; it also fails to start when the entry is added manually in the configuration YAML file.

Error: control/dns_config | validating upstream servers: bad upstream for domain "[/_acme-challenge.zt.example.com/]#": domain at index 0: bad domain name "_acme-challenge.zt.example.com": bad domain name label "_acme-challenge": bad domain name label rune '_' | 400

Screenshots (if applicable)

Additional information

shbatm avatar Sep 02 '22 18:09 shbatm

Hello. I was under the impression that underscores aren't normally supported in domain names, apart from service types in SRV records, but that doesn't seem to be the case. And even if it were, our current system doesn't seem to support those either.

@EugeneOne1, we'll need to reinspect our validation. Perhaps, it's easier to just allow the leading underscore in all domain names.

ainar-g avatar Sep 05 '22 16:09 ainar-g

Thanks for taking a look. My specific case is for returning TXT records, but I also came across this for Amazon CNAME Validation

https://stackoverflow.com/questions/13650233/underscore-in-cname-required-by-ses-not-allowed-by-registrar/26692491#26692491

shbatm avatar Sep 05 '22 16:09 shbatm

Just wanted to add my use case. I use caddy as a reverse proxy server. It is configured to do DNS challenges against Cloudflare. I see in the AdGuard Home logs that it tried to perform the challenge against the following domain:

_acme-challenge.example.com

Prior to seeing this issue, I didn't know I had to allow the challenge to go to the upstream DNS server, and since I use AGH>unbound to resolve things locally, caddy wasn't able to renew the cert through AGH. So in the end the workaround I did was to bypass AGH in order for caddy to properly do the DNS challenge.

related: caddyserver/caddy#5082

So in my case I believe that what I need to configure for the upstream server is this:

[/_acme-challenge.example.com/]1.1.1.1

However, trying to set the above returns the errors reported by the OP.

paulo-erichsen avatar Sep 28 '22 00:09 paulo-erichsen

@shbatm, hello again. We've finally pushed the edge build that should fix the issue for such domains, could you please check if it now works? FYI, these domains are now validated according to the 2nd section of RFC 3696.

EugeneOne1 avatar Feb 21 '23 14:02 EugeneOne1
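To make the behaviour requested above concrete, here is an added example (not AdGuard Home's own code) of the two pieces involved: an RFC 3696 section 2 style label check that accepts a leading underscore, and the `[/domain/]upstream` rule selection where `#` hands the query to the default upstream. The rule syntax and the error wording follow the issue; the longest-suffix-wins selection and the function names are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// labelRe: an RFC 3696 section 2 style label (alphanumerics with inner hyphens,
// at most 63 chars), optionally led by "_" as in _acme-challenge or _tcp.
var labelRe = regexp.MustCompile(`^_?[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// ValidateDomain checks every label; the error mirrors the one quoted in the issue.
func ValidateDomain(d string) error {
	for _, l := range strings.Split(strings.TrimSuffix(d, "."), ".") {
		if !labelRe.MatchString(l) {
			return fmt.Errorf("bad domain name %q: bad domain name label %q", d, l)
		}
	}
	return nil
}

// AddUpstream parses one "[/dom1/dom2/]upstream" line into rules (domain -> upstream).
func AddUpstream(rules map[string]string, line string) error {
	line = strings.TrimSpace(line)
	end := strings.Index(line, "/]")
	if !strings.HasPrefix(line, "[/") || end < 0 || end+2 == len(line) {
		return fmt.Errorf("bad upstream for domain %q", line)
	}
	for i, d := range strings.Split(line[2:end], "/") {
		if err := ValidateDomain(d); err != nil {
			return fmt.Errorf("bad upstream for domain %q: domain at index %d: %w", line, i, err)
		}
		rules[strings.ToLower(d)] = line[end+2:]
	}
	return nil
}

// Select picks the upstream for qname (assumed: longest matching suffix wins);
// a "#" rule sends the query to the default upstream def.
func Select(rules map[string]string, qname, def string) string {
	qname = strings.ToLower(strings.TrimSuffix(qname, "."))
	best, bestLen := def, -1
	for d, up := range rules {
		if (qname == d || strings.HasSuffix(qname, "."+d)) && len(d) > bestLen {
			best, bestLen = up, len(d)
		}
	}
	if best == "#" {
		return def
	}
	return best
}
```

With the two rules from the issue loaded, `host.zt.example.com` resolves via 192.168.195.11 while `_acme-challenge.zt.example.com` goes to the default upstream, which is exactly the split the DNS-01 validation needs.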

This is very exciting, I can combine the DNS of the domain server with AdGuardHome so that AdGuardHome can act as the primary DNS server. I configured '[/_tcp.xxxxxxxxxx.com/]xxxxxxxxxx' and tested it with nslookup

nslookup -qt=SRV _gc._tcp.xxxxxxxxxx.com xxxxxxxxxx
Server:  xxxxxxxxxx
Address:  xxxxxxxxxx

_gc._tcp.xxxxxxxxxx.com       SRV service location:
          priority       = 0
          weight         = 100
          port           = 3268
          svr hostname   = ds.xxxxxxxxxx.com
ds.xxxxxxxxxx.com     internet address = xxxxxxxxxx

I have used AdGuard Home v0.108.0-b.28 and it seems to be working fine, thank you for maintaining it!

Boc-chi-no avatar Feb 22 '23 02:02 Boc-chi-no

I've updated my docker instance of AGH to the edge and now I'm able to set this upstream DNS server for my domain :)

[/_acme-challenge.example.com/]1.1.1.1

The downside is that I just realized that the above won't actually solve my issue. My caddy instance still hasn't been able to get a certificate when going through AGH. I even set the following server as the only DNS server that AGH uses

1.1.1.1

but that didn't help either.

I'd say this specific #4884 issue is now closed, but the problem I'm having is probably specific to my setup and environment. To be clear, I'm using caddy with the Cloudflare plugin, which does the DNS ACME challenge against Cloudflare.

If anyone is curious, I built the caddy-cloudflare image through this Dockerfile:

FROM caddy:builder AS builder
RUN xcaddy build --with github.com/caddy-dns/cloudflare

FROM caddy:latest
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

Then also in the Caddyfile, this is the setting I'm using:

tls {
  dns cloudflare {{ cloudflare_dns_token }}
}

I'll probably create a new issue with more details for trying to get the Cloudflare ACME challenge to work through AGH (unless someone has any ideas about what's going on).

paulo-erichsen avatar Feb 22 '23 07:02 paulo-erichsen