Netgate Discussion Forum
    Bug: DNS forwarder / DNS sec checkboxes - error: ssl handshake failed crypto error:1

    Category: DHCP and DNS | 7 Posts, 2 Posters, 682 Views
    4o4rh (last edited by 4o4rh)

      I have the Cloudflare servers 1.1.1.3 and 1.1.1.2 in the General tab, with the default "use localhost, fall back to remote".

      In DNS Resolver I have:
      Enable DNSSEC Support - ticked
      DNS Query Forwarding - ticked
      Use SSL/TLS for outgoing DNS Queries to Forwarding Servers - ticked

      I get no DNS resolution on the clients.

      If I add the below to the custom config it works. I thought the checkboxes were supposed to replace the below requirement.

      # forward everything (the root zone ".") to these servers over TLS on port 853
      forward-zone:
          name: "."
          forward-ssl-upstream: yes
          # note: no tls-cert-bundle is set in this snippet; unless one is set
          # elsewhere in the config, unbound does not verify the upstream certificate
          forward-addr: 1.1.1.3@853   # Cloudflare IPv4 (malware + adult filtering)
          forward-addr: 1.1.1.2@853   # Cloudflare IPv4 (malware filtering)
          forward-addr: 1.0.0.3@853   # Cloudflare IPv4 (malware + adult filtering)
          forward-addr: 1.0.0.2@853   # Cloudflare IPv4 (malware filtering)
      
      johnpoz LAYER 8 Global Moderator @4o4rh (last edited by johnpoz)

        @gwaitsi said in DNS forwarder / DNS sec checkboxes don't work:

        Enable DNSSEC Support - ticked

        If you're going to forward, there is NO point in ticking this. Where you forward to either does DNSSEC out of the box, or it doesn't; asking for DNSSEC when you forward doesn't accomplish anything.

        Did they announce that DoT is available on 1.1.1.2 and 1.1.1.3 yet? If not, then no, DoT is not going to work for them. BTW, those lists are different: .2 does just malware, and .3 does malware and adult. So you're going to have issues: if .3 is asked, site xxx.tld might be blocked, but if you ask .2 it wouldn't be.

        If you want to block malware and adult then use .3 only. It is anycast; there is no point in using more than just the single IP.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          4o4rh @johnpoz (last edited by 4o4rh)

          @johnpoz the reason I have 4 is that there are two WAN and two VPN connections, and the text says that each gateway should have a unique DNS.

          I setup below, so the gateway pools will always get the same results.
          WAN1 1.1.1.2
          WAN2 1.0.0.2
          VPN1 1.1.1.3
          VPN2 1.0.0.3

          But neither that nor the Enable DNSSEC Support option is the reason that the forwarding checkbox is not forwarding, I think.

            johnpoz LAYER 8 Global Moderator @4o4rh

            @gwaitsi said in DNS forwarder / DNS sec checkboxes don't work:

            the text says that each gateway should have a unique DNS.

            This is so you can get there if pointing to ISP DNS, since ISP A isn't going to allow you to use its DNS if you're coming from ISP B.

            But this has nothing to do with your pointing to DNS that uses different block lists, which is going to be problematic in actually getting the filtering you want.

            What I would suggest is that you get 1 working, with your 1 connection, before you start playing with multiple.


              4o4rh @johnpoz

              @johnpoz but each rule I have has the gateway pool specified.
              E.g.
              WAN1/2 are both Tier 1, and
              VPN1/2 are Tier 1 and 2,
              so there won't be any cross-pollinating, so to speak.

                4o4rh @4o4rh

                @gwaitsi I removed the two VPN ones, and that fixed it. Thanks.

                  4o4rh @johnpoz (last edited by 4o4rh)

                  @johnpoz John, i need to revise my original post. Removing the DNS from the VPNs, and disabling DNSSEC fixed the checkboxes not working at all, but there is definitely a functional issue here.

                  Using the checkboxes to do the forwarding, the below error appears in the logs

                  Mar 4 21:29:24 unbound 29887 [29887:3] notice: ssl handshake failed 1.1.1.3 port 853
                  Mar 4 21:29:24 unbound 29887 [29887:3] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
                  

                  Disabling the two checkboxes and adding the below in the custom options box, the log is clean.

                  server:
                  # forward everything (the root zone ".") to these servers over TLS on port 853
                  forward-zone:
                      name: "."
                      forward-ssl-upstream: yes
                      # note: no tls-cert-bundle is set in this snippet; unless one is set
                      # elsewhere in the config, unbound does not verify the upstream certificate
                      forward-addr: 1.1.1.3@853   # Cloudflare IPv4 (malware + adult filtering)
                      forward-addr: 1.0.0.3@853   # Cloudflare IPv4 (malware + adult filtering)
                  

                  So there is something funny going on with these checkboxes.

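An added example, not configuration from the poster, pfSense or Netgate: a custom-options fragment that forwards to the same Cloudflare resolvers over DoT but with certificate verification switched on, shown next to the unverified form the thread uses. It assumes two things not on the page: that /etc/ssl/cert.pem is the CA bundle available on the pfSense box (the usual FreeBSD location), and that family.cloudflare-dns.com is the certificate name Cloudflare publishes for 1.1.1.3/1.0.0.3 (check Cloudflare's current documentation before relying on it).

```conf
# Added example, not the poster's or pfSense's generated config.
# Paste into the DNS Resolver custom options box with the forwarding and
# SSL/TLS checkboxes left unticked, so the generated and custom settings
# do not fight each other.
server:
    # Assumed path: the CA bundle shipped on pfSense/FreeBSD. unbound only
    # verifies the forwarder's certificate chain when a bundle (or
    # tls-system-cert: yes) is configured; without one, any certificate
    # is accepted and the log stays clean regardless of who answers.
    tls-cert-bundle: "/etc/ssl/cert.pem"

# Weak form (the shape used earlier in the thread): TLS on the wire, but
# with no bundle and no authname after the address nothing authenticates
# the forwarder. Kept commented out for comparison.
#forward-zone:
#    name: "."
#    forward-ssl-upstream: yes
#    forward-addr: 1.1.1.3@853

# Hardened form: "address@port#authname". The server's certificate must
# chain to the bundle above and carry this name, otherwise unbound logs
# a handshake failure instead of using the answer. Both anycast IPs carry
# the same (.3) block list, so every query gets one filtering policy.
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.3@853#family.cloudflare-dns.com   # assumed authname
    forward-addr: 1.0.0.3@853#family.cloudflare-dns.com   # assumed authname
```

Run unbound-checkconf on the resulting unbound.conf before restarting, and test the endpoint by hand with openssl s_client -connect 1.1.1.3:853 -servername family.cloudflare-dns.com -verify_hostname family.cloudflare-dns.com -CAfile /etc/ssl/cert.pem </dev/null; a "Verify return code: 0 (ok)" means the chain and name check out from this host. If the hardened form then logs "certificate verify failed" while the weak form is silent, the silence means verification was never attempted, not that the upstream is trusted.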
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.