DNS over TLS issues

  • Thread starter: doineedto
Have you tried using a different server?
 
Yeah. I have a private server which has stopped working. Tried the AdGuard public server. It works intermittently throughout the day.
 
Same with me. Facing this since sometime in September. I also switched my phone around the same time so thought this was a phone issue.
 
That is interesting. You could try using Wireshark on PC with the "tcp.port==853" filter to see what's causing the issue.

You can use the YogaDNS client.
 
The Let's Encrypt root certificate has expired and the Android system has not updated it. Use a TLS certificate from some other authority.
 


The Let's Encrypt root certificate has expired and the Android system has not updated it. Use a TLS certificate from some other authority.

AdGuard DNS (dns.adguard.com) uses their own cert though (not Let's Encrypt). Unless OP meant AdGuard Home.

I tried dns.google, one.one.one.one and dns.adguard.com on Airtel LTE and it's all working fine.
 
The Let's Encrypt root certificate has expired and the Android system has not updated it. Use a TLS certificate from some other authority.
Interesting. Did not know that. Let me try this.

But I also tried 'dns.adguard.com' and even this intermittently gives me a 'Private DNS cannot be accessed' message.
 
The Let's Encrypt root certificate has expired and the Android system has not updated it. Use a TLS certificate from some other authority.
According to Let's Encrypt documentation, only Android devices prior to version 7.1.1 will have any issues whatsoever. I am on Android 11. So this seems less likely to happen.
 
@doineedto the certificate is the public side one of the certificate root authority which you can obtain for free... Probably look at the Let's Encrypt website for steps to update it on your device?
 
@vishalrao I understand how the SSL certificate works. Let's Encrypt docs say that Android versions greater than 7.1.1 should trust the new root CA cert by default. Besides, I am not sure if you can update the trusted root CA on Android.

If I understand correctly, @royalroy switched to a different issuer. Please correct me if I am wrong!
 
@vishalrao I understand how the SSL certificate works. Let's Encrypt docs say that Android versions greater than 7.1.1 should trust the new root CA cert by default. Besides, I am not sure if you can update the trusted root CA on Android.

If I understand correctly, @royalroy switched to a different issuer. Please correct me if I am wrong!
That's how it's supposed to work, but apparently it's a mess on Android. DoT is part of the base system and doesn't trust the default system certificate store. It uses its own store, which hasn't been updated (I don't know if there is even a way to update it without involvement from the manufacturer/OEM), and broke after Let's Encrypt tried to fix it on 30th September 2021.
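
A small probe for the question the thread keeps returning to (is the "Private DNS cannot be accessed" failure a certificate trust problem or a network one), given here as an added example that is not from any poster. It validates the server's chain against the trust store of the machine running it, not the phone's, and `build_dot_query`, `classify` and `probe` are names made up for this example.

```python
import socket, ssl, struct

# OpenSSL X.509 verify codes relevant to the trust-store question in this thread.
VERIFY_HINTS = {
    10: "a certificate in the chain has expired",
    19: "self-signed root in chain is not in the local trust store",
    20: "issuer certificate not found in the local trust store",
    62: "certificate does not match the server hostname",
}

def build_dot_query(name, qid=0x1234):
    """Build a DNS A query with the 2-byte length prefix used on TCP/853."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return struct.pack("!H", len(msg)) + msg

def classify(exc):
    """Name the failing layer; order matters (cert error < SSLError < OSError)."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        return "tls-trust", VERIFY_HINTS.get(code, "verify code %s" % code)
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake", str(exc)
    if isinstance(exc, OSError):  # timeouts, resets, refused connections
        return "network", "TCP/853 unreachable or blocked: %s" % exc
    return "unknown", repr(exc)

def probe(host, name="example.com", timeout=5.0):
    """Connect to host:853, validate the chain locally, send one query, report."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 853), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = dict(rdn[0] for rdn in cert["issuer"])
                tls.sendall(build_dot_query(name))
                resp = tls.recv(4096)
                # rcode is the low nibble of the second flags byte, after the length prefix
                rcode = resp[5] & 0x0F if len(resp) >= 6 else None
                return {"ok": True, "issuer": issuer.get("organizationName"),
                        "not_after": cert["notAfter"], "rcode": rcode}
    except OSError as exc:
        layer, detail = classify(exc)
        return {"ok": False, "layer": layer, "detail": detail}

if __name__ == "__main__":
    for server in ("dns.google", "one.one.one.one", "dns.adguard.com"):
        print(server, probe(server))
```

A `network` result on mobile data but not on Wi-Fi points at the carrier path rather than the certificate; a `tls-trust` result names the part of the chain to look at.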
 
