Interesting upstream server failed warning on dns.surfshark.com #873

PeterDaveHello opened this issue Feb 10, 2023 · 3 comments
Labels
🐞 bug Something isn't working 👋 help wanted Extra attention is needed

@PeterDaveHello
Contributor

The warning:

[2023-02-10 15:27:56]  WARN parallel resolver: test resolve of upstream server failed: can't resolve request via upstream server https://92.249.39.1:443/dns-query: http return content type should be 'application/dns-message', but was ''

When I use curl to test it, the result looks fine:

$ curl -sD- -o /dev/null https://dns.surfshark.com/dns-query?dns=AAABAAABAAAAAAABBmRuc2xvdwJtZQAAAQABAAApAgAAAAAAAFoADABWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
HTTP/2 200 
access-control-allow-headers: Content-Type
access-control-allow-methods: GET, HEAD, OPTIONS, POST
access-control-allow-origin: *
access-control-max-age: 3600
cache-control: private, max-age=3593
content-type: application/dns-message
date: Fri, 10 Feb 2023 15:40:39 GMT
expires: Fri, 10 Feb 2023 16:40:32 GMT
last-modified: Fri, 10 Feb 2023 15:40:39 GMT
vary: Accept
content-length: 63

@PeterDaveHello
Contributor Author

Not sure if it's related, but it looks like kdig also has an issue with https://dns.surfshark.com/, just not the HTTP header issue.

$ kdig -d +https @dns.surfshark.com dnslow.me
;; DEBUG: Querying for owner(dnslow.me.), class(1), type(1), server(dns.surfshark.com), port(443), protocol(TCP)
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=dns.surfshark.com
;; DEBUG:      SHA-256 PIN: yttntfV+Wu7pwEnxMLplkboikrtMhqDXY5H1G8Qj+8s=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=R3
;; DEBUG:      SHA-256 PIN: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
;; DEBUG:  #3, C=US,O=Internet Security Research Group,CN=ISRG Root X1
;; DEBUG:      SHA-256 PIN: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, skipping certificate verification
;; ERROR: failed to query server dns.surfshark.com@443(TCP)

@0xERR0R
Owner

0xERR0R commented Feb 14, 2023

I get the following error message from curl:

curl -I --insecure  -H "Host: dns.surfshark.com" https://92.249.39.1/dns-query?dns=AAABAAABAAAAAAABBmRuc2xvdwJtZQAAAQABAAApAgAAAAAAAFoADABWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error

@0xERR0R
Owner

0xERR0R commented Feb 14, 2023

This curl works:

curl -I  --resolve dns.surfshark.com:443:92.249.39.1 https://dns.surfshark.com/dns-query?dns=AAABAAABAAAAAAABBmRuc2xvdwJtZQAAAQABAAApAgAAAAAAAFoADABWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

We are using IP addresses to connect to servers, and most DoH servers can handle the TLS handshake this way. Servername is already set on TLSClientConfig and as an HTTP header parameter.

@0xERR0R 0xERR0R added 🐞 bug Something isn't working 👋 help wanted Extra attention is needed labels Feb 15, 2023
@0xERR0R 0xERR0R added this to the future milestone Feb 15, 2023
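
The two curl invocations in this thread differ in what the TLS ClientHello carries: an IP URL with only a `Host:` header sends no SNI, while `--resolve` keeps the hostname in the URL and sends it as SNI. The Go sketch below is an added example, not code from this project or from the thread; it reproduces that difference against a local server that aborts SNI-less handshakes. `newSNIStrictServer` and `probe` are hypothetical names, `example.com` stands in for the upstream name because it is the name `httptest`'s built-in certificate covers, and the server's reject-without-SNI policy is an assumption used for illustration, not established behaviour of dns.surfshark.com.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newSNIStrictServer starts a local TLS server (a constructed stand-in) that
// aborts any handshake whose ClientHello has no SNI. Go answers a
// GetConfigForClient error with a TLS "internal error" alert.
func newSNIStrictServer() *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/dns-message")
	}))
	srv.TLS = &tls.Config{GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
		if h.ServerName == "" {
			return nil, errors.New("no SNI in ClientHello")
		}
		return nil, nil // nil config: continue with the server's own config
	}}
	srv.StartTLS()
	return srv
}

// probe requests https://<server IP>/dns-query with Host set to name and sni
// as tls.Config.ServerName. With sni == "" Go derives ServerName from the IP
// in the URL and, because it is an IP literal, sends no SNI extension.
func probe(srv *httptest.Server, name, sni string) (string, error) {
	tr := srv.Client().Transport.(*http.Transport).Clone()
	tr.TLSClientConfig.ServerName = sni
	defer tr.CloseIdleConnections()
	req, err := http.NewRequest(http.MethodGet, srv.URL+"/dns-query", nil)
	if err != nil {
		return "", err
	}
	req.Host = name
	resp, err := (&http.Client{Transport: tr}).Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	return resp.Header.Get("Content-Type"), nil
}

func main() {
	srv := newSNIStrictServer()
	defer srv.Close()
	_, err := probe(srv, "example.com", "")
	fmt.Println("IP URL + Host header only:", err)
	ct, err := probe(srv, "example.com", "example.com")
	fmt.Println("IP URL + ServerName set:", ct, err)
}
```

When debugging a client that dials by IP, confirming that the ClientHello actually carries the expected server name (for example in a packet capture) separates an SNI problem from an HTTP-layer one.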