
Hello, the custom client certificate feature is not implemented: tls CERT KEY CA

Open victor-infosec opened this issue 3 years ago • 19 comments

The tls CERT KEY CA configuration cannot be used; I don't see any related code.

victor-infosec, Jul 01 '21 10:07

	case "tls":
		args := c.RemainingArgs()
		if len(args) > 3 {
			return c.ArgErr()
		}
		tlsConfig, err := pkgtls.NewTLSConfigFromArgs(args...)
		if err != nil {
			return err
		}
		// Merge server name if tls_servername set previously
		tlsConfig.ServerName = u.transport.tlsConfig.ServerName
		u.transport.tlsConfig = tlsConfig
		log.Infof("%v: %v", dir, args)

https://github.com/leiless/dnsredir/blob/master/upstream.go#L399-L411

It is there. Could it be that your Corefile does not honor the tls CERT KEY CA configuration? If so, please paste your current Corefile and the TLS handshake error message.

leiless, Jul 01 '21 10:07

After testing, I found that tls CERT KEY CA does work. Specifically:

Corefile

.:10053 {
    debug
    loop

    dnsredir . {
        to tls://94.140.14.14
        # tls CA - No client authentication is used, and the CA file is used to verify the server certificate.
        tls dns-adguard-com.pem
    }
}

You can get dns-adguard-com.pem by opening https://94.140.14.14/dns-query in Firefox, downloading its PEM certificate and placing the file in the same directory as the Corefile.

$ ./coredns_dnsredir-linux-amd64 -conf Corefile
[INFO] plugin/dnsredir: Initializing, version v0.0.7, HEAD f660931
[INFO] plugin/dnsredir: Match any
[INFO] plugin/dnsredir: Transport: tls Address: 94.140.14.14:853
[INFO] plugin/dnsredir: Upstream: &{tls 94.140.14.14:853 0 0x1a47040 <nil> <nil> <nil> }
[INFO] plugin/dnsredir: tls: [dns-adguard-com.pem]
.:10053
CoreDNS-1.8.3
linux/amd64, go1.16.2, 4293992-dirty
[DEBUG] plugin/dnsredir: "6855361830932061722.4471371409727006771." in name list, t: 1.959µs
[DEBUG] plugin/dnsredir: Upstream host tls://94.140.14.14:853 is selected
[DEBUG] plugin/dnsredir: New connection established for tls://94.140.14.14:853
[DEBUG] plugin/dnsredir: rtt: 403.312866ms
[DEBUG] plugin/dnsredir: "dns.google." in name list, t: 1.879µs
[DEBUG] plugin/dnsredir: Upstream host tls://94.140.14.14:853 is selected
[DEBUG] plugin/dnsredir: Cached connection used for tls://94.140.14.14:853
[DEBUG] plugin/dnsredir: rtt: 90.859µs
[DEBUG] plugin/dnsredir: cached connection was closed by peer: tls://94.140.14.14:853
[DEBUG] plugin/dnsredir: New connection established for tls://94.140.14.14:853
[DEBUG] plugin/dnsredir: rtt: 352.598933ms

$ dig @127.0.0.1 -p10053 dns.google +short A
8.8.4.4
8.8.8.8

leiless, Jul 01 '21 11:07

Unless you use a self-signed TLS certificate, for DoT servers with publicly issued certificates (i.e. public DoT) it is usually enough to set tls_servername. Something like this:

dnsredir . {
    to tls://103.2.57.5 tls://103.2.57.6
    tls_servername public.dns.iij.jp
}

See https://github.com/leiless/dnsredir#examples for details.

leiless, Jul 01 '21 11:07

Yes, I generated self-signed certificates following this link: https://www.jianshu.com/p/5938432e2130

Configuration on 192.168.1.9, intended to forward to 192.168.1.10:

. {
    dnsredir . {
        to ietf-doh://192.168.1.10:8853/dns-query
        tls client.cert.pem client.key.pem ca.cert.pem
        health_check 60s
        max_fails 3
        expire 15s
    }
}

Configuration on 192.168.1.10, intended to forward to the UDP-based DNS at 192.168.1.11:

https://.:8853 {
    tls server.cert.pem server.key.pem ca.cert.pem
    log
    errors
    forward . 192.168.1.11:53
}

When 9 connects to 10 it reports: [WARNING] plugin/dnsredir: hc: DNS https://192.168.1.10:8853/dns-query failed rtt: 7.4982ms err: Get "https://192.168.1.10:8853/dns-query?ct=application/dns-message&dns=AAABAAABAAAAAAAAAAACAAE": x509: certificate signed by unknown authority

victor-infosec, Jul 01 '21 12:07

Could you paste the output of openssl x509 -text -noout -in client.cert.pem and of openssl x509 -text -noout -in server.cert.pem?

Judging from the error x509: certificate signed by unknown authority, something in the certificates is probably misconfigured?

leiless, Jul 01 '21 12:07

> Could you paste the output of openssl x509 -text -noout -in client.cert.pem and of openssl x509 -text -noout -in server.cert.pem?
>
> Judging from the error x509: certificate signed by unknown authority, something in the certificates is probably misconfigured?

$ openssl x509 -text -noout -in server.cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            70:9b:18:eb:27:6c:4d:e6:71:e8:12:6a:60:a6:e5:e0:6c:9f:ee:d8
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = ca
        Validity
            Not Before: Jul  1 08:21:02 2021 GMT
            Not After : Jul  1 08:21:02 2022 GMT
        Subject: CN = server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bf:33:b5:dd:ac:68:65:d6:d7:9a:d1:35:2d:e7:
                    d2:1e:22:30:2f:2c:a6:f0:c2:50:8d:ab:26:d6:c2:
                    94:87:f1:43:d2:31:87:06:6e:8d:3f:b2:21:30:17:
                    f8:d7:79:bf:dd:21:e1:76:77:cc:86:fc:b3:b4:fa:
                    b7:75:6f:a6:d8:e6:ab:ec:da:90:a5:de:9f:29:5a:
                    6a:a9:cb:47:7b:37:29:6a:9f:39:b5:a0:36:9f:df:
                    40:dd:82:14:46:8b:0c:19:33:20:d6:d0:0f:77:24:
                    39:0a:e8:ca:56:89:8e:00:aa:25:ca:b6:a5:86:ff:
                    da:c2:1a:79:90:ce:d9:da:ff:bb:8e:5d:47:6c:2a:
                    db:67:87:65:e0:57:50:ff:ee:09:a8:e6:45:e2:a6:
                    92:40:74:5f:eb:5c:a5:72:f7:ef:15:b6:99:f9:9b:
                    7f:3c:1d:e1:be:02:aa:7d:70:0b:1c:68:b5:bb:29:
                    38:e5:0f:fd:1d:a4:fe:d1:bb:a1:6a:1d:0b:c2:a8:
                    c6:df:a0:83:04:d5:d8:f3:7b:d2:7d:d6:35:ef:ff:
                    d2:18:24:9c:5d:ee:e8:83:40:b1:32:d6:a3:27:62:
                    01:a7:6d:a4:82:04:23:d8:80:97:2a:68:07:d4:86:
                    90:80:69:dc:fb:df:8c:3b:0a:f4:89:aa:fb:09:4f:
                    62:b9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:cc.local, DNS:test.cc.local, IP Address:192.168.1.10
    Signature Algorithm: sha256WithRSAEncryption
         6d:85:84:38:92:ab:8f:2f:3e:47:0d:ed:30:d7:0c:f1:51:cf:
         e9:2f:09:58:33:5e:1a:28:3e:96:5c:92:32:cf:e6:b5:d0:a2:
         41:28:28:99:72:06:70:9c:0d:dd:56:93:b4:c6:f3:1a:7c:f6:
         8d:6e:ab:dd:2d:0d:f0:54:b9:61:55:9c:60:cf:65:10:7c:0d:
         fe:ef:a0:3b:d0:56:8a:bd:75:4b:11:6a:0e:bc:a2:8e:65:01:
         f9:68:4b:df:a6:28:95:a2:3a:29:e4:6d:f7:95:2f:70:2c:a4:
         44:f2:79:f1:77:da:c3:b3:35:57:b0:ff:40:97:bc:f3:3b:d5:
         04:05:66:85:82:93:d6:ea:cb:54:9e:53:b8:18:6b:95:ff:08:
         7e:83:97:c3:2e:d8:d5:1b:4c:31:0f:24:81:6a:f1:ad:fd:7c:
         bf:51:43:aa:2c:fc:ea:5f:ea:84:72:89:80:4b:25:dc:76:89:
         80:8b:28:50:7a:cf:45:69:d8:9c:63:57:99:9d:1f:f5:28:fc:
         a0:c0:79:dc:55:4a:08:9d:6a:9c:82:38:e5:8a:39:3c:04:b4:
         20:bd:5f:b1:58:f4:17:2d:cc:d2:4f:4b:6a:7c:79:a0:cc:9d:
         1c:d2:a4:2d:03:0c:55:7f:8a:06:10:ad:d7:9c:cc:6f:27:a6:
         d4:a4:da:15:f6:3a:a2:14:d6:f1:0b:fa:9c:f8:0b:0d:26:97:
         53:bb:bc:3f:62:ba:2b:89:cf:4f:31:81:37:51:bb:f5:0b:d9:
         82:23:0b:f0:c5:a2:20:5c:cf:ca:49:cf:dc:52:fa:77:d9:59:
         c6:72:c3:98:68:b8:88:ad:c9:8a:64:96:2c:c3:58:87:d5:ce:
         27:b2:ce:eb:ea:a4:05:21:95:94:2a:d1:a0:7d:52:5e:de:d4:
         0b:5c:61:f8:67:26:ab:69:41:8c:cf:1e:00:aa:97:d4:69:56:
         f2:e8:b8:20:a2:f7:d0:9e:81:6d:79:19:d5:95:52:9e:9d:20:
         9b:08:44:a5:fb:a0:5e:f7:65:85:bc:fe:ee:12:6f:81:94:4d:
         e6:4c:e9:7b:bc:84:aa:11:24:dc:17:dc:1a:61:e9:c2:ba:96:
         22:af:32:8b:53:8a:a3:c6:e9:c1:95:9e:f6:be:fb:67:c8:b8:
         b6:89:96:2c:23:3d:be:19:4d:35:6f:8e:fc:76:bc:fc:ae:2d:
         6f:3b:b8:8a:f3:b9:c5:ff:4d:44:34:ad:78:19:10:44:69:14:
         65:67:b4:fa:9f:94:bf:2d:f1:53:4a:94:a0:40:f7:c1:7c:aa:
         f4:2b:a8:8a:b5:d6:82:75:e0:7e:77:35:6c:f0:2e:ce:82:1c:
         81:f0:47:cd:f2:c7:f7:2a

$ openssl x509 -text -noout -in client.cert.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            70:9b:18:eb:27:6c:4d:e6:71:e8:12:6a:60:a6:e5:e0:6c:9f:ee:d9
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = ca
        Validity
            Not Before: Jul  1 08:21:02 2021 GMT
            Not After : Jul  1 08:21:02 2022 GMT
        Subject: CN = client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:f0:f7:cb:f8:28:35:cd:50:9f:67:d3:31:36:82:
                    eb:44:89:d9:d0:80:2a:60:95:ca:69:7c:30:01:f5:
                    b9:e2:a5:c4:5a:58:cd:92:94:10:99:04:b9:e8:58:
                    60:b8:f6:69:c6:dc:ea:71:5c:ce:01:ac:6d:f5:0f:
                    46:3c:33:06:b0:90:b3:10:59:ac:31:de:36:fe:a4:
                    02:49:85:6c:48:b2:70:33:bf:72:e7:71:12:86:5a:
                    59:58:06:a0:34:34:78:f6:29:2c:3f:52:18:71:9b:
                    72:09:45:83:61:b4:d0:0e:31:85:2d:66:72:c2:36:
                    ef:3e:49:ef:c3:a1:f1:ae:36:f9:70:d6:58:8b:10:
                    9f:d4:49:b4:b6:d4:48:3d:e2:d4:62:a5:30:34:92:
                    e4:17:58:ee:12:41:24:1c:f2:0a:65:26:52:2e:97:
                    b7:2c:03:46:42:89:5f:b6:58:8e:b2:c8:7a:1a:c8:
                    65:c2:34:a5:d6:41:3d:03:8c:3d:46:80:4c:1d:dc:
                    bd:37:5a:d4:ea:91:d6:cd:33:51:01:c6:b5:00:bc:
                    ff:0e:64:6d:ce:3a:bb:fa:78:af:0a:56:4c:2e:53:
                    44:1c:cd:26:aa:64:c9:8f:92:f4:cc:50:a9:60:ed:
                    80:c5:65:64:69:85:6d:81:b4:49:c5:3f:90:96:bb:
                    3c:4b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         1a:92:9d:71:e2:c0:f1:9e:64:d9:30:35:da:05:f3:ea:ef:be:
         d3:d2:97:9f:8b:6a:4a:a1:e5:bf:4b:28:e0:9c:30:4c:12:3d:
         8f:8b:50:f7:8f:17:d2:b1:b5:f2:9d:35:de:8b:71:0b:f2:76:
         05:1a:ae:2d:30:aa:07:04:0a:04:d7:c9:af:54:96:64:5a:68:
         61:9c:03:8c:39:25:a3:b8:b3:33:57:6f:7b:00:55:df:7e:a7:
         61:de:54:ca:c6:df:3e:a5:0e:8e:bb:d3:a7:9a:16:fe:cf:10:
         57:33:9b:c8:ed:92:94:2e:a7:cc:9f:7b:6d:27:61:6e:11:d9:
         d8:13:79:43:a1:e4:fe:05:a2:ee:cc:f5:c4:00:7d:de:f2:12:
         ee:85:08:36:6c:c5:be:d8:32:62:24:58:5f:a1:cd:3e:7e:e9:
         d8:eb:2c:36:3a:84:8e:a4:15:63:65:46:3c:58:c5:c7:cb:a1:
         43:73:11:25:12:68:8a:47:8b:0e:6a:27:1f:15:62:ec:80:b6:
         b3:1c:77:20:42:26:95:b4:e4:18:63:7e:89:ac:35:2d:d9:78:
         1a:30:f4:b6:46:1a:f6:5e:2b:58:e4:90:6a:a3:e6:c4:43:b7:
         26:79:5d:78:de:2b:de:67:24:9a:fa:4b:a8:43:17:4c:19:66:
         b7:ba:26:7a:3b:9b:dd:fb:8d:f8:18:69:3f:71:e0:4c:54:2f:
         5a:dd:3a:8b:f5:f8:fb:3c:ad:f0:90:4f:31:3b:26:c2:10:51:
         c6:92:72:79:9f:6a:8b:8c:97:bb:0a:5a:77:64:8d:8b:0c:ee:
         6a:df:bc:54:5c:21:11:6a:c7:47:0e:d1:ff:ad:37:c0:f4:fd:
         30:e1:21:20:7a:cd:1b:24:74:31:80:55:52:dc:bd:57:47:86:
         cf:51:d2:40:65:02:cf:04:b3:ed:70:b0:97:19:b8:b2:6f:37:
         5a:74:54:b3:d5:05:24:59:62:37:5b:fb:6e:04:4b:72:34:c1:
         a6:69:fc:4e:4d:3b:d1:1b:d2:fb:58:76:fd:e7:e4:d8:b6:d2:
         ed:8c:d9:bd:ea:35:4f:e9:a9:f7:31:96:c9:ff:ee:b7:01:5d:
         8b:0a:6b:fb:4f:dd:ff:13:ff:0b:79:f9:73:bb:3a:32:97:c3:
         f3:2b:f2:5c:d4:1c:c0:7f:80:49:56:3b:91:9e:ed:bd:6c:a8:
         e9:20:01:69:4f:26:c3:5e:20:17:98:18:45:96:17:7f:83:22:
         af:11:c1:a0:e9:9b:45:a4:0a:63:9d:70:c1:75:94:1e:d6:7e:
         29:cb:57:8c:8c:26:93:63:b7:6c:eb:9e:72:97:f5:fb:e2:a4:
         82:aa:0b:0d:60:5f:4f:8a

victor-infosec, Jul 01 '21 12:07

Could you add tls_servername cc.local to the dnsredir block in the Corefile on 192.168.1.9 and then try again?

leiless, Jul 01 '21 12:07

> Could you add tls_servername cc.local to the dnsredir block in the Corefile on 192.168.1.9 and then try again?

I added tls_servername cc.local; the problem is the same.

I also commented out the line tls client.cert.pem client.key.pem ca.cert.pem; the problem is still the same.

Let's leave it for now; I'll test again when I have time. Thanks a lot!

victor-infosec, Jul 01 '21 13:07

Could you try, on the 192.168.1.9 machine, curl -vL --cacert ca.cert.pem https://192.168.1.10:8853/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB and see whether the handshake completes normally?

leiless, Jul 01 '21 14:07
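The curl command above and the health-check warning earlier in the thread both carry a DoH GET query in the ?dns= parameter: q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB is the RFC 8484 example (an A query for www.example.com) and AAABAAABAAAAAAAAAAACAAE is what dnsredir's health check sends. The Go program below is an added example, not code from dnsredir or from either participant: it builds such a message in DNS wire format, encodes it as RFC 8484 base64url (no padding), and decodes a logged value back so the health-check query can be read off (ID 0, root name, QTYPE NS). The function names and the decoder's strictness (one question, no compression pointers) are my choices; the two strings come from this thread.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// BuildDNSQuery encodes a one-question DNS message (RFC 1035 wire format):
// a 12-byte header with RD set, then QNAME as length-prefixed labels, QTYPE and
// QCLASS IN. name may be "." for the root, as in dnsredir's health check.
func BuildDNSQuery(id uint16, name string, qtype uint16) ([]byte, error) {
	msg := make([]byte, 12, 12+len(name)+6)
	binary.BigEndian.PutUint16(msg[0:2], id)
	binary.BigEndian.PutUint16(msg[2:4], 0x0100) // flags: RD=1, everything else 0
	binary.BigEndian.PutUint16(msg[4:6], 1)      // QDCOUNT=1; AN/NS/AR counts stay 0
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		if label == "" {
			continue // the root name "." contributes no labels
		}
		if len(label) > 63 {
			return nil, fmt.Errorf("label %q exceeds 63 octets", label)
		}
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0) // root label terminates QNAME
	msg = append(msg, byte(qtype>>8), byte(qtype), 0, 1)
	return msg, nil
}

// DoHQueryParam is the value of the ?dns= parameter of a DoH GET
// (RFC 8484 section 4.1): base64url without padding.
func DoHQueryParam(msg []byte) string {
	return base64.RawURLEncoding.EncodeToString(msg)
}

// DecodeDoHQueryParam does the reverse, so a logged ?dns= value can be read.
// It accepts exactly one question and rejects compression pointers in QNAME.
func DecodeDoHQueryParam(param string) (id uint16, name string, qtype uint16, err error) {
	msg, err := base64.RawURLEncoding.DecodeString(param)
	if err != nil {
		return 0, "", 0, err
	}
	if len(msg) < 12 {
		return 0, "", 0, errors.New("message shorter than the DNS header")
	}
	if binary.BigEndian.Uint16(msg[4:6]) != 1 {
		return 0, "", 0, errors.New("expected exactly one question")
	}
	var labels []string
	off := 12
	for {
		if off >= len(msg) {
			return 0, "", 0, errors.New("truncated QNAME")
		}
		l := int(msg[off])
		off++
		if l == 0 {
			break
		}
		if l&0xC0 != 0 || off+l > len(msg) {
			return 0, "", 0, errors.New("compression pointer or truncated label in QNAME")
		}
		labels = append(labels, string(msg[off:off+l]))
		off += l
	}
	if off+4 > len(msg) {
		return 0, "", 0, errors.New("truncated QTYPE/QCLASS")
	}
	if binary.BigEndian.Uint16(msg[off+2:off+4]) != 1 {
		return 0, "", 0, errors.New("QCLASS is not IN")
	}
	return binary.BigEndian.Uint16(msg[0:2]), strings.Join(labels, ".") + ".", binary.BigEndian.Uint16(msg[off : off+2]), nil
}

func main() {
	msg, err := BuildDNSQuery(0xabcd, "www.example.com", 1)
	if err != nil {
		panic(err)
	}
	fmt.Println("?dns=" + DoHQueryParam(msg))
	fmt.Println(DecodeDoHQueryParam("AAABAAABAAAAAAAAAAACAAE"))
}
```

Decoding the health-check value from the warning shows that the probe is an NS query for the root with message ID 0, so a DoH upstream that answers it with HTTP 200 and a well-formed DNS message passes the check; the TLS failure in this thread happens before any of that is sent.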

> Could you try, on the 192.168.1.9 machine, curl -vL --cacert ca.cert.pem https://192.168.1.10:8853/dns-query and see whether the handshake completes normally?

curl works fine:

└─$ curl -vL --cacert ca.cert.pem https://192.168.1.10:8853/dns-query                                         
*   Trying 10.251.6.132:8853...
* Connected to 10.251.6.132 (10.251.6.132) port 8853 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: ca.cert.pem
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=server
*  start date: Jul  2 01:45:30 2021 GMT
*  expire date: Jul  2 01:45:30 2022 GMT
*  subjectAltName: host "10.251.6.132" matched cert's IP address!
*  issuer: CN=ca
*  SSL certificate verify ok.
> GET /dns-query HTTP/1.1
> Host: 10.251.6.132:8853
> User-Agent: curl/7.74.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS alert, close notify (256):
* Empty reply from server
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (52) Empty reply from server

victor-infosec, Jul 02 '21 02:07

I changed the configuration on both machines to tls:// and changed nothing else, and then it worked. With DoH, it reports the unknown authority error whether or not tls is configured...

The configuration below works.

Configuration on 192.168.1.9, forwarding to 192.168.1.10:

. {
    dnsredir . {
        to tls://192.168.1.10:8853/dns-query
        tls client.cert.pem client.key.pem ca.cert.pem
        health_check 60s
        max_fails 3
        expire 15s
    }
}

Configuration on 192.168.1.10, forwarding to the UDP-based DNS at 192.168.1.11:

tls://.:8853 {
    tls server.cert.pem server.key.pem ca.cert.pem
    log
    errors
    forward . 192.168.1.11:53
}

victor-infosec, Jul 02 '21 02:07

The error x509: certificate signed by unknown authority seems to say that the CA certificate is not trusted by the system. But we have already specified the CA certificate to use in tls, so this needs further investigation.

From the symptoms, it looks as if verification of the DoH server was done with the system CA certificates; since the self-signed certificate has not been added to the system list, it fails with x509: certificate signed by unknown authority.

I don't yet understand the public/private key system well, so I may look into this later when I have time.

leiless, Jul 02 '21 02:07

> From the symptoms, it looks as if verification of the DoH server was done with the system CA certificates; since the self-signed certificate has not been added to the system list, it fails with x509: certificate signed by unknown authority?

As a check, could you put your self-signed CA certificate ca.cert.pem into the /etc/ssl/certs directory and then try again with your earlier DoH configuration?

https://serverfault.com/questions/62496/ssl-certificate-location-on-unix-linux/722646#722646

leiless, Jul 02 '21 02:07

> From the symptoms, it looks as if verification of the DoH server was done with the system CA certificates; since the self-signed certificate has not been added to the system list, it fails with x509: certificate signed by unknown authority?
>
> As a check, could you put your self-signed CA certificate ca.cert.pem into the /etc/ssl/certs directory and then try again with your earlier DoH configuration?
>
> https://serverfault.com/questions/62496/ssl-certificate-location-on-unix-linux/722646#722646

I put it in /etc/ssl/certs and the problem is still the same. Since it works once I switch to tls://, that should mean the ca.cert.pem in the current directory is being read. I'm not particularly familiar with certificates either; for now I've switched to forwarding to Alibaba Cloud's DoH server and given up on internal forwarding. :-(

victor-infosec, Jul 02 '21 03:07

> I put it in /etc/ssl/certs and the problem is still the same. Since it works once I switch to tls://, that should mean the ca.cert.pem in the current directory is being read.

Did you do that on 192.168.1.10? I'd guess it needs to be done on the machine that reports the x509: certificate signed by unknown authority error.

leiless, Jul 02 '21 03:07

> I put it in /etc/ssl/certs and the problem is still the same. Since it works once I switch to tls://, that should mean the ca.cert.pem in the current directory is being read.
>
> Did you do that on 192.168.1.10? I'd guess it needs to be done on the machine that reports the x509: certificate signed by unknown authority error.

I put it in that directory on both machines... If you have time, you could generate certificates following this link https://www.jianshu.com/p/5938432e2130 and test it yourself? Maybe I'm doing something wrong.

victor-infosec, Jul 02 '21 06:07

I'll try it when I have time. I think I have a lead: I suspect that when the HTTPS request is made, the http.Client's TLS config is not overridden.

leiless, Jul 02 '21 06:07
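The suspicion above (the DoH path issuing its HTTPS request without overriding the http.Client's TLS config) is exactly the behaviour that produces "x509: certificate signed by unknown authority" from a Go client while the same ca.cert.pem works over tls://. The program below is an added illustration written for this thread, not dnsredir's or CoreDNS's code: it builds a private CA and a server leaf in memory (constructed test data standing in for ca.cert.pem and server.cert.pem), serves a stub /dns-query endpoint over TLS, and queries it twice, once through a plain http.Client (Go's default transport, hence the system trust store) and once through a client whose Transport carries a tls.Config with RootCAs built from the CA PEM and an optional client certificate, which is what a client-side `tls CERT KEY CA` directive has to produce. Function names and the in-memory PKI are my own; the CA template is reused as the leaf's parent because Go chains certificates by issuer name, so re-parsing the CA DER is unnecessary here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewDoHClient turns client-side `tls CERT KEY CA` material into an http.Client. RootCAs
// makes Go verify the server against CA alone (the system store is never consulted), and the
// config must be wired into the Transport, or http.DefaultTransport (system roots, no client
// certificate) serves the request.
func NewDoHClient(certPEM, keyPEM, caPEM []byte) (*http.Client, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(certPEM) > 0 {
		cert, err := tls.X509KeyPair(certPEM, keyPEM)
		if err != nil {
			return nil, fmt.Errorf("client cert: %w", err)
		}
		cfg.Certificates = []tls.Certificate{cert}
	}
	if len(caPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("no CERTIFICATE block in CA PEM")
		}
		cfg.RootCAs = pool
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// throwawayPKI is constructed test data standing in for ca.cert.pem and
// server.cert.pem: a private CA and a leaf with an IP SAN for 127.0.0.1.
func throwawayPKI() (caPEM []byte, leaf tls.Certificate, err error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err = errors.Join(err1, err2); err != nil {
		return nil, leaf, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, leaf, err
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "server"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}, caTmpl, &srvKey.PublicKey, caKey)
	if err != nil {
		return nil, leaf, err
	}
	leaf = tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), leaf, nil
}

// CompareClients serves a stub /dns-query on the throwaway PKI and queries it with a plain
// http.Client and with the CA-aware one. It returns the plain client's error (the thread's
// "certificate signed by unknown authority") and the CA-aware client's HTTP status.
func CompareClients() (defaultErr error, trustedStatus int, err error) {
	caPEM, leaf, err := throwawayPKI()
	if err != nil {
		return nil, 0, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})) // 200, empty body
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{leaf}}
	srv.StartTLS()
	defer srv.Close()
	_, defaultErr = http.Get(srv.URL + "/dns-query")
	client, err := NewDoHClient(nil, nil, caPEM)
	if err != nil {
		return defaultErr, 0, err
	}
	resp, err := client.Get(srv.URL + "/dns-query")
	if err != nil {
		return defaultErr, 0, err
	}
	resp.Body.Close()
	return defaultErr, resp.StatusCode, nil
}

func main() {
	defaultErr, status, err := CompareClients()
	fmt.Println("plain client:", defaultErr, "| CA-aware client:", status, err)
}
```

On Linux the plain client's error unwraps to x509.UnknownAuthorityError, the same message the health check logged. Two consequences for the experiments in this thread: with RootCAs set, Go never looks at /etc/ssl/certs, so that directory only matters on the default-transport path; and on that path Go loads the system store once per process, so a CA dropped into /etc/ssl/certs is only seen after CoreDNS is restarted.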

I've run into a similar problem as well.

cnclg, Aug 30 '21 09:08

> I've run into a similar problem as well.

I've been a bit busy lately; I'll find time to look at it. I suspect the cause is the one described above.

Could you describe your problem?

leiless, Aug 30 '21 09:08