bug #310

Open
liang-hiwin opened this issue May 8, 2023 · 8 comments

Comments

@liang-hiwin

[listeners.local-dot]
address = ":853"
protocol = "dot"
resolver = "cloudflare-dot"
server-crt = "/path/to/server.crt"
server-key = "/path/to/server.key"

With the DoT DNS configured above, the Android system Private DNS cannot connect.

@folbricht
Owner

Are you able to get any sort of error message? There's a good chance it's related to the key/cert not being trusted by the phone

@liang-hiwin
Author

Are you able to get any sort of error message? There's a good chance it's related to the key/cert not being trusted by the phone

How to open the log?

@folbricht
Owner

Sorry, I don't really use it that way, so I'm not sure how to access the log. The other thing that might be possible is to capture a network trace/pcap on the server to see the TLS handshake, but that's more involved for sure.

@cbuijs
Contributor

cbuijs commented May 16, 2023

@liang-hiwin,

server-crt = "/path/to/server.crt"
server-key = "/path/to/server.key"

Did you actually use the right certificates, or the above config?

Do you see routedns listening on port 853?

You can check with:

pgrep -afl routedns
netstat -anp | grep -iF routedns

Also maybe handy is to provide all the messages that routedns outputs during startup.

@liang-hiwin
Author

The configuration is OK, but TLS is not working in the Private DNS menu of Android.

@liang-hiwin
Author

I tested TLS through AdGuard Home and it is normal, but the Private DNS test in the Android phone frame cannot connect.

@cbuijs
Contributor

cbuijs commented May 17, 2023

Can you share the output of the following kdig command (from the knot-dnsutils)?

kdig @your.dns.server.ip.address -p 853 +tls +tls-hostname=your.dns.server.dns.name www.google.com

It will provide info if it doesn't work. I suspect a TLS handshake or certificate issue.

Could also be a TLS version issue. My binaries only allow v1.3, for example, where older Androids need v1.2. I had that problem in the past.
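
A check along the lines of the kdig test above, as an added example that is not part of the original thread or the routedns project: it pins the handshake to TLS 1.2 and then TLS 1.3, verifies the certificate chain and hostname against the local trust store (assumed here as a stand-in for the phone's), and sends one DoT query. The IP address and hostname are placeholders, and the function names are hypothetical.

```python
import socket
import ssl
import struct

def build_dot_query(name, qtype=1, txid=0x1234):
    """DNS query for name, framed with the 2-byte length prefix DoT uses."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)  # class IN
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n):
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full reply")
        buf += chunk
    return buf

def probe(ip, server_name, version, port=853, timeout=5.0):
    """Handshake pinned to one TLS version with chain and hostname
    verification, then one query. Returns (ok, detail)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                tls.sendall(build_dot_query("www.google.com"))
                size = struct.unpack("!H", recv_exact(tls, 2))[0]
                reply = recv_exact(tls, size)
                rcode = reply[3] & 0x0F if len(reply) >= 4 else None
                return True, f"{tls.version()} ok, rcode={rcode}"
    except ssl.SSLCertVerificationError as e:  # untrusted chain or name mismatch
        return False, f"certificate not trusted: {e.verify_message}"
    except ssl.SSLError as e:                  # e.g. no shared protocol version
        return False, f"TLS handshake failed: {e.reason}"
    except OSError as e:                       # refused, timed out, closed early
        return False, f"connection failed: {e}"

if __name__ == "__main__":
    IP, NAME = "192.0.2.53", "dns.example.net"  # placeholders, not from the thread
    for v in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        print(v.name, probe(IP, NAME, v))
```

A "certificate not trusted" result points at the trust problem raised earlier in the thread; a success on only one of the two versions points at the TLS version mismatch.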
