AdGuardHome dropping requests when using client is using unbound with TLS #2664
Comments
To troubleshoot this issue we need to see AdGuard Home logs.
Here's the log. See the most recent one. It failed to resolve. I can't test this on production server. I'll spin another server if you need some data.
@ainar-g note that in unbound it is configured without any domain name: Not sure how it worked before, does unbound verify the server cert?
@ameshkov, that's client ID validation, and client IDs only appeared in v0.105.0. The assumption there is that valid clients always set server name in their requests. Apparently this assumption is too restrictive?
Tbh, I don't think it's too restrictive, AGH works as expected. The only thing I don't like is the log message, it does not explain the problem (invalid SNI sent by the client).
On the other hand, it's up to the client to verify the certificate, and we have |
Merge in DNS/adguard-home from 2664-non-strict-sni to master

Updates #2664.

Squashed commit of the following:

commit e8d625f
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date: Thu Feb 11 14:46:52 2021 +0300

    all: imp doc

commit 10537b8
Author: Ainar Garipov <A.Garipov@AdGuard.COM>
Date: Thu Feb 11 14:30:25 2021 +0300

    dnsforward: do not check client srv name unless asked

Should be fixed as of snapshot 7e08565. Can you please check if our solution fixes the issue for you?
Yes, fixed. Thank you.
As the title said, in the recent update I notice my Unbound TLS can't communicate with the newest AGH in VPS. After turning back to 0.104.3, the issue resolved by itself.
Weirdly, when using the DNS feature in AdGuard Adblocker, it resolves well. I don't know what I should give you, as I checked logs on the VPS and there's no important log regarding this. I checked /var/log
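An added example, not AdGuard Home's own code, sketching the behaviour discussed in this thread: a DNS-over-TLS server derives a client ID from the SNI the client sent, and a strict switch decides whether a missing or foreign server name is an error or simply means "no client ID". The names `clientIDFromSNI`, `ErrSNIMismatch`, `strict` and the host `dns.example.org` are hypothetical, and the rule that the client ID is a single label in front of the host name is an assumption of this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrSNIMismatch is returned in strict mode when the client's TLS server
// name is neither the configured host name nor a subdomain of it.
var ErrSNIMismatch = errors.New("client server name does not match host server name")

// clientIDFromSNI derives a client ID from the SNI a DoT client sent.
// hostName is the server's configured name; strict is a hypothetical
// switch standing in for "check the client server name only when asked".
func clientIDFromSNI(hostName, sni string, strict bool) (string, error) {
	hostName = strings.ToLower(strings.TrimSuffix(hostName, "."))
	sni = strings.ToLower(strings.TrimSuffix(sni, "."))
	if hostName == "" || sni == hostName {
		return "", nil // nothing configured, or no client ID requested
	}
	suffix := "." + hostName
	if !strings.HasSuffix(sni, suffix) {
		if strict {
			// Name the real cause so the log explains the rejection.
			return "", fmt.Errorf("%w: got %q, want %q", ErrSNIMismatch, sni, hostName)
		}
		return "", nil // lenient: serve the request without a client ID
	}
	id := strings.TrimSuffix(sni, suffix)
	if id == "" || strings.Contains(id, ".") {
		return "", fmt.Errorf("invalid client ID %q", id)
	}
	return id, nil
}

func main() {
	// Constructed inputs; an empty SNI models a forwarder configured
	// without any domain name, as in the report above.
	for _, sni := range []string{"", "dns.example.org", "laptop.dns.example.org", "other.test"} {
		for _, strict := range []bool{true, false} {
			id, err := clientIDFromSNI("dns.example.org", sni, strict)
			fmt.Printf("sni=%q strict=%v -> id=%q err=%v\n", sni, strict, id, err)
		}
	}
}
```

With `strict` set to true, the empty SNI is rejected, which matches the dropped requests reported here; with it set to false the same request is served without a client ID.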