
Need Bind DNS server for working ? #243

Open
ghost opened this issue May 17, 2017 · 6 comments
Comments

@ghost

ghost commented May 17, 2017

I deployed SNI proxy on a VPS and I used a wildcard to proxy all incoming connections.

I use a table like this:

table {
    .* *
}

I use dnsmasq to point the necessary domains to the proxy, but some parts of some sites are not loading and crash every time. I don't have a Bind DNS server installed on my VPS. Do I need to install Bind DNS as well for SNI proxy to work properly? Or are there other things I have to look at?

@dlundquist
Owner

Using a local caching DNS resolver is recommended since udns uses a single source port for outgoing DNS requests, making spoofing easier. If you trust the network between you and your DNS resolver to have sufficient anti-spoofing measures in place you can ignore the resolver configuration and let sniproxy use the defaults from /etc/resolv.conf.

Using a single wildcard-entry table like that could allow an attacker to access local services on that VPS, or internal services to which that VPS has access but which are not intended to be available to the internet at large. I would recommend building a table matching only the specific domains you have configured in your dnsmasq installation, but this configuration should work.

Have you looked at the sniproxy error and access logs? If you don't have logs configured already, this configuration will log to files in /tmp/:

error_log {
    filename /tmp/sniproxy.log
    priority debug
}

access_log {
    filename /tmp/sniproxy-access.log
}

@ghost
Author

ghost commented May 18, 2017

Thanks for the quick response. I hadn't enabled log files before. With my setup a lot of sites got the error message "SSL_ERROR_NO_CYPHER_OVERLAP", but after I entered all the domains in the config files that error was mostly fixed. Only on some sites do I still get this error when I load the site the first time.

I tested with all DNS caching disabled on the client machine and in the browsers, and every time I clear the cache as well. But as soon as I visit some sites I get the SSL_ERROR_NO_CYPHER_OVERLAP error; after I wait 2 seconds and refresh, the sites load normally. I have no idea what is happening. It seems like a resolving issue. I tried with a local caching DNS but the issue still exists. Very strange. Do you have any explanation? Other than this error, everything is working impressively well!!

@dlundquist
Owner

The error, "SSL_ERROR_NO_CYPHER_OVERLAP", isn't coming from sniproxy. It sounds like the client and server do not have any cryptographic ciphers in common.

@ghost
Author

ghost commented May 21, 2017

Yes, surely it's not coming from SNI proxy. But when I'm proxying sites with many sub-domains it will throw an SSL error in every major browser. But after two or three seconds the site runs properly when I refresh. I've no idea why this happens. And some other users are also experiencing a similar issue.

@dlundquist
Owner

I would suggest obtaining a packet capture of both the incoming and outgoing TCP connections through sniproxy and then examining the TLS handshakes. SNIproxy doesn't modify the TCP stream, so it sounds like a client/server compatibility issue.

@ghost
Author

ghost commented Jun 12, 2017

It seems like the browser is throwing the SSL error because of a delayed back-end connection:

103.13.74.130:14770 -> 192.168.1.159:443 -> [2600:1415:11:484::15d5]:443 [www.9now.com.au] 7/7 bytes tx 185/370 bytes rx 0.012 seconds
103.13.74.130:8211 -> 192.168.1.159:443 -> 111.221.29.30:443 [c.9now.com.au] 4839/4839 bytes tx 1289/1289 bytes rx 61.235 seconds
103.13.74.130:5167 -> 192.168.1.159:443 -> 118.215.39.146:443 [assets.adobedtm.com] 36723/36723 bytes tx 941/941 bytes rx 116.822 seconds

When I go through https_logs the result is like this. I have no idea why connections are delayed so much. I tried to configure sniproxy before make with IPv4 priority, but got the same results. This is happening with a local Bind instance as well as Google DNS.
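Two points in this thread lend themselves to a small log-analysis script: the owner's warning that a single wildcard table forwards to any hostname a client names, and the reporter's observation that slow back-end connections show up as long durations in the access log. The following is an added example and not part of the issue or of sniproxy's own code. It assumes the access-log line shape is exactly what the three lines above show (client -> listener -> backend [hostname] a/b bytes tx c/d bytes rx N seconds); the meaning of the two numbers in each byte pair is not stated on the page, so they are captured but not interpreted. The allow-list of domain suffixes and the 10-second slowness threshold are constructed for the example, and the sample lines are the three quoted in the post above.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Pattern for the access-log line shape shown in the post. Assumption: the
# exact semantics of the "a/b bytes" pairs are not documented on the page,
# so both numbers are captured verbatim and not interpreted further.
LINE_RE = re.compile(
    r"^(?P<client>\S+) -> (?P<listener>\S+) -> (?P<backend>\S+) "
    r"\[(?P<host>[^\]]*)\] "
    r"(?P<tx1>\d+)/(?P<tx2>\d+) bytes tx "
    r"(?P<rx1>\d+)/(?P<rx2>\d+) bytes rx "
    r"(?P<seconds>\d+(?:\.\d+)?) seconds$"
)


@dataclass
class Connection:
    client: str
    listener: str
    backend: str
    host: str              # hostname taken from the client's SNI
    tx: Tuple[int, int]
    rx: Tuple[int, int]
    seconds: float


def parse_line(line: str) -> Optional[Connection]:
    """Parse one access-log line; return None if it does not match the shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Connection(
        client=m["client"], listener=m["listener"], backend=m["backend"],
        host=m["host"],
        tx=(int(m["tx1"]), int(m["tx2"])),
        rx=(int(m["rx1"]), int(m["rx2"])),
        seconds=float(m["seconds"]),
    )


def host_allowed(host: str, allowed_suffixes: Iterable[str]) -> bool:
    """True if host equals an allowed domain or is a subdomain of one.

    The check is suffix-based on label boundaries, so "evil9now.com.au"
    does not match an allow-list entry of "9now.com.au".
    """
    host = host.lower().rstrip(".")
    for suf in allowed_suffixes:
        suf = suf.lower().lstrip(".")
        if host == suf or host.endswith("." + suf):
            return True
    return False


def analyse(lines: Iterable[str], allowed_suffixes: Iterable[str],
            slow_threshold: float = 10.0) -> Dict[str, object]:
    """Flag slow back-end connections and hostnames outside the allow-list."""
    allowed = list(allowed_suffixes)
    report: Dict[str, object] = {"parsed": 0, "unparsed": 0,
                                 "slow": [], "not_allowed": []}
    for line in lines:
        c = parse_line(line)
        if c is None:
            report["unparsed"] += 1
            continue
        report["parsed"] += 1
        if c.seconds >= slow_threshold:
            report["slow"].append((c.host, c.backend, c.seconds))
        if not host_allowed(c.host, allowed):
            # With a ".* *" table this hostname was forwarded unconditionally;
            # with a table restricted to the allow-list it would not have been.
            report["not_allowed"].append(c.host)
    return report


# Sample input: the three lines quoted in the post above.
SAMPLE_LINES: List[str] = [
    "103.13.74.130:14770 -> 192.168.1.159:443 -> [2600:1415:11:484::15d5]:443 "
    "[www.9now.com.au] 7/7 bytes tx 185/370 bytes rx 0.012 seconds",
    "103.13.74.130:8211 -> 192.168.1.159:443 -> 111.221.29.30:443 "
    "[c.9now.com.au] 4839/4839 bytes tx 1289/1289 bytes rx 61.235 seconds",
    "103.13.74.130:5167 -> 192.168.1.159:443 -> 118.215.39.146:443 "
    "[assets.adobedtm.com] 36723/36723 bytes tx 941/941 bytes rx 116.822 seconds",
]

# Constructed allow-list: the domains one would list explicitly in the table.
ALLOWED = ["9now.com.au"]

if __name__ == "__main__":
    result = analyse(SAMPLE_LINES, ALLOWED, slow_threshold=10.0)
    print(f"parsed={result['parsed']} unparsed={result['unparsed']}")
    for host, backend, secs in result["slow"]:
        print(f"slow: {host} via {backend} took {secs:.3f}s")
    for host in result["not_allowed"]:
        print(f"not in allow-list: {host}")
```

Run against a real access log with `analyse(open("/tmp/sniproxy-access.log"), ALLOWED)`, using the access_log path from the owner's configuration above. Hostnames reported under not_allowed are exactly the ones a wildcard table forwards but a restricted table would refuse, and the slow list gives the hostname/back-end pairs worth looking at in a packet capture.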
