DiG DoH TLS Error

Tue, 16 Jan 2024 01:47:21 -0800 

Hello,
I am trying to resolve a DNS record with DNS over HTTPS with DiG on our DNS server. However DiG is returning a TLS error. See following anonymized result 

 ➜ dig +trace +https @dns.example.com www.example.com
;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com failed: TLS error. 
;; no servers could be reached
;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com failed: TLS error. 
;; no servers could be reached
;; Connection to 192.168.132.5#443(192.168.132.5) for www.example.com failed: TLS error. 
;; no servers could be reached
I can confirm that the server can be reached and with openssl s_client -connect, the certificate returned OK result 

Connecting to 192.168.132.5
CONNECTED(00000003)
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=R3
verify return:1
depth=0 CN=*.example.com
verify return:1
---
Certificate chain
 0 s:CN=*.example.com
   i:C=US, O=Let's Encrypt, CN=R3
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan <redacted> 2024 GMT; NotAfter: Apr <redacted> 2024 GMT
 1 s:C=US, O=Let's Encrypt, CN=R3
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT 
---
Server certificate
-----BEGIN CERTIFICATE-----
<certificate redacted>
-----END CERTIFICATE-----
subject=CN=*.example.com
issuer=C=US, O=Let's Encrypt, CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2816 bytes and written 392 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 384 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: <redacted>
    Session-ID-ctx:
    Resumption PSK: <redacted>
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
<redacted>                                     .

    Start Time: 1705398062
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK


Any idea what is causing the TLS error?
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to