Deno DoT (local certs) fails #49

Closed
ignoramous opened this issue Jan 23, 2022 · 6 comments
@ignoramous
Contributor

Process bring-up is all good, but DoT doesn't work since apparently reads fail to decrypt:

➜ deno run --unstable --allow-net --allow-env --allow-read --import-map=import_map.json src/server-deno.ts
➜ kdig -d @127.0.0.1:10000 +tls-ca=../serverless-dns/test/data/tls/dns.rethinkdns.localhost.crt +tls-host=1-AABABAA.dns.rethinkdns.localhost +tls-sni=1-AABABAA.dns.rethinkdns.localhost aws.com
2022-01-23T14:03:10.517Z D Deno DoT conn: { transport: "tcp", hostname: "127.0.0.1", port: 53256 }
2022-01-23T14:03:10.520Z W Deno err tcp query read InvalidData: cannot decrypt peer's message
    at deno:core/01_core.js:101:46
    at unwrapOpResult (deno:core/01_core.js:121:13)
    at async read (deno:ext/net/01_net.js:21:19)
    at async serveTcp (file:///home/murtaza/bravehub/serverless-dns/src/server-deno.ts:133:11)

TLS cert/key picked up from:

{ certFile: "test/data/tls/dns.rethinkdns.localhost.crt",
  keyFile: "test/data/tls/dns.rethinkdns.localhost.key" }
@ignoramous
Contributor Author

@amithm7 would you know what is going awry here?

@ignoramous ignoramous self-assigned this Jan 23, 2022
@amithm7
Contributor

amithm7 commented Jan 24, 2022

To do TLS termination in-app on Deno, three env variables must be set.

For local dev, in .env file:

TERMINATE_TLS=true
TLS_KEY_PATH=test/data/tls/dns.rethinkdns.localhost.key
TLS_CRT_PATH=test/data/tls/dns.rethinkdns.localhost.crt

And kdig command is:

kdig duckduckgo.com @0.0.0.0:10000 +tls +tls-sni=1-IAAAACA.dns.rethinkdns.localhost

doh command:

doh -k duckduckgo.com https://dns.rethinkdns.localhost:8080/1:4AcHAP__________-f8\=

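The three variables above select in-app TLS termination and point at the cert/key pair; the server then reads DoT queries off the TLS stream. As an added example (not serverless-dns project code; the real server reads Deno.env and its parsing is not shown here, so the env shape and the `tlsOptionsFromEnv` name are assumptions), here is a pure-function loader for those variables that fails fast when TERMINATE_TLS is on but a path is missing, together with the RFC 7858 two-octet length framing that any DoT-over-TCP read loop must handle, including the case where a `read()` returns only part of a message:

```typescript
// Added example, not project code. `env` is passed in explicitly (the project
// reads Deno.env; the variable names are the ones named in the thread).
interface TlsTermination {
  certFile: string;
  keyFile: string;
}

// Returns listenTls-style file options, or null when termination is disabled.
// Throws if TERMINATE_TLS is on but either path is absent, so the process does
// not come up with a half-configured listener.
function tlsOptionsFromEnv(env: Record<string, string | undefined>): TlsTermination | null {
  const terminate = (env.TERMINATE_TLS ?? "").trim().toLowerCase();
  if (terminate !== "true" && terminate !== "1") return null;
  const certFile = env.TLS_CRT_PATH?.trim();
  const keyFile = env.TLS_KEY_PATH?.trim();
  if (!certFile || !keyFile) {
    throw new Error("TERMINATE_TLS is set but TLS_CRT_PATH or TLS_KEY_PATH is missing");
  }
  return { certFile, keyFile };
}

// RFC 7858 reuses the RFC 1035 TCP framing: a 2-octet big-endian length
// precedes every DNS message on the (TLS-wrapped) stream.
function frameDnsMessage(msg: Uint8Array): Uint8Array {
  if (msg.length > 0xffff) throw new RangeError("DNS message too large for TCP framing");
  const out = new Uint8Array(2 + msg.length);
  out[0] = msg.length >> 8;
  out[1] = msg.length & 0xff;
  out.set(msg, 2);
  return out;
}

// Splits whatever a read returned into complete messages and keeps the
// unconsumed tail, so a message split across two reads is reassembled rather
// than parsed as garbage.
function deframeDnsMessages(buf: Uint8Array): { messages: Uint8Array[]; rest: Uint8Array } {
  const messages: Uint8Array[] = [];
  let off = 0;
  while (buf.length - off >= 2) {
    const len = (buf[off] << 8) | buf[off + 1];
    if (buf.length - off - 2 < len) break; // partial message: wait for more bytes
    messages.push(buf.slice(off + 2, off + 2 + len));
    off += 2 + len;
  }
  return { messages, rest: buf.slice(off) };
}

function concatBytes(...parts: Uint8Array[]): Uint8Array {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let off = 0;
  for (const p of parts) {
    out.set(p, off);
    off += p.length;
  }
  return out;
}

// Constructed sample input: the .env values from the thread, and a minimal
// 25-byte DNS query for aws.com A/IN (id 0x1234, RD set, one question).
const SAMPLE_ENV: Record<string, string | undefined> = {
  TERMINATE_TLS: "true",
  TLS_KEY_PATH: "test/data/tls/dns.rethinkdns.localhost.key",
  TLS_CRT_PATH: "test/data/tls/dns.rethinkdns.localhost.crt",
};
const SAMPLE_QUERY = new Uint8Array([
  0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  3, 0x61, 0x77, 0x73, 3, 0x63, 0x6f, 0x6d, 0, // "aws" "com" root
  0x00, 0x01, 0x00, 0x01, // QTYPE A, QCLASS IN
]);

// Usage: the framed query is 27 bytes; feeding the stream 10 bytes at a time
// yields zero complete messages until the remaining 17 arrive.
const framedQuery = frameDnsMessage(SAMPLE_QUERY);
const firstRead = deframeDnsMessages(framedQuery.slice(0, 10));
const secondRead = deframeDnsMessages(concatBytes(firstRead.rest, framedQuery.slice(10)));
console.log(tlsOptionsFromEnv(SAMPLE_ENV), firstRead.messages.length, secondRead.messages.length);
```

The loader deliberately refuses to return a partial config: a listener that starts without a key file would surface later as an opaque handshake failure at the client, which is much harder to trace than a startup error naming the missing variable.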
@ignoramous
Contributor Author

ignoramous commented Jan 24, 2022

All three .env vars are set appropriately.

The kdig command in the first comment does work for local Node.js runs... Though I tried this other command too, and it didn't work either:

kdig duckduckgo.com @0.0.0.0:10000 +tls +tls-sni=1-IAAAACA.dns.rethinkdns.localhost
;; WARNING: TLS, handshake failed (Decryption has failed.)
;; ERROR: failed to query server 0.0.0.0@10000(TCP)

cURL's doh command works (iff dns.rethinkdns.localhost is added to /etc/hosts), so that is good.

@amithm7
Contributor

amithm7 commented Jan 24, 2022

This also works for me:

kdig amazon.com @dns.rethinkdns.localhost:10000 +tls +tls-sni=1-IAAAACA.dns.rethinkdns.localhost

Even though SNI is not used on Deno, this also works for me:

kdig @dns.rethinkdns.localhost:10000 +tls amazon.com

My host file has:

❯ cat /etc/hosts
127.0.0.1       localhost a.dns.rethinkdns.localhost dns.rethinkdns.localhost

Or is it a difference in versions?
I have kdig (Knot DNS), version 3.1.5

@ignoramous
Contributor Author

I am on kdig v2.x

➜ kdig --version
kdig (Knot DNS), version 2.7.8

Strangely, starting today, DoT on Deno works. Maybe kdig v2.x doesn't work with Deno v1.1x in Januarys... who knows 🤷

@ignoramous
Contributor Author

DoT is down, only in prod: #61
