View Issue Details

ID: 0008470
Project: Kali Linux
Category: General Bug
View Status: public
Last Update: 2023-09-22 14:41
Reporter: pkreuzt
Assigned To: daniruiz
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: no change required
Summary: 0008470: Unbound DNS server upstream SSL errors after upgrade to 1.18
Description

In a DNS over TLS config, every connection upstream to root servers gives an SSL error. Cannot resolve hostnames because of this problem:

sep 21 15:45:58 Kali systemd[1]: Started unbound.service - Unbound DNS server.
sep 21 15:46:02 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:02 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 199.9.14.201 port 53
sep 21 15:46:02 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:02 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 199.9.14.201 port 53
sep 21 15:46:03 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:03 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 192.203.230.10 port 53
sep 21 15:46:03 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:03 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 192.203.230.10 port 53
sep 21 15:46:06 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:06 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 199.9.14.201 port 53
sep 21 15:46:07 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:07 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 199.9.14.201 port 53
sep 21 15:46:07 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:07 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 192.203.230.10 port 53
sep 21 15:46:07 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:07 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 192.203.230.10 port 53
sep 21 15:46:14 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:14 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 199.7.83.42 port 53
sep 21 15:46:26 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:26 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 192.5.5.241 port 53
sep 21 15:46:26 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:26 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 192.5.5.241 port 53
sep 21 15:46:29 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:29 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 192.5.5.241 port 53
sep 21 15:46:29 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:29 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 192.5.5.241 port 53

Not sure it should work this way, because actual DNS to be forwarded on TLS are Quad9 and Cloudflare ones (relevant config part):

#Adding DNS-Over-TLS support
forward-zone:
    name: "."
    forward-tls-upstream: yes

    # Quad9
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net

    # Cloudflare DNS
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
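
A triage helper for the log and config above, added here as an example (it is not from the reporter or the Unbound project): it counts failed TLS handshakes per peer and separates peers that appear as `forward-addr` entries from peers that do not, which is the mismatch the report points at. The sample log is constructed in the journal format shown above; the 9.9.9.9 line is invented to exercise the "configured forwarder" branch, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the journal format shown in the report.
SAMPLE_LOG = """\
sep 21 15:46:02 Kali unbound[222685]: [222685:0] error: ssl handshake failed crypto error:00000000:lib(0)::reason(0)
sep 21 15:46:02 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 199.9.14.201 port 53
sep 21 15:46:03 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 192.203.230.10 port 53
sep 21 15:46:09 Kali unbound[222685]: [222685:0] notice: ssl handshake failed 9.9.9.9 port 853
"""

# Constructed sample: a subset of the forward-zone from the report.
SAMPLE_CONF = """\
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
"""

# forward-addr: <ip>[@port][#tls-auth-name]; commented-out lines do not match.
FORWARD_RE = re.compile(r"^[ \t]*forward-addr:[ \t]*([0-9A-Fa-f:.]+)(?:@(\d+))?", re.M)
# Only the "notice" lines carry the peer; the "error" lines have no "port N".
FAIL_RE = re.compile(r"ssl handshake failed (\S+) port (\d+)")

def configured_forwarders(conf_text):
    """Return {ip_address: port or None} for every forward-addr line."""
    return {ipaddress.ip_address(m.group(1)): int(m.group(2)) if m.group(2) else None
            for m in FORWARD_RE.finditer(conf_text)}

def triage(log_text, conf_text):
    """Count handshake failures per (ip, port), split by forwarder membership."""
    fwd = configured_forwarders(conf_text)
    expected, unexpected = Counter(), Counter()
    for m in FAIL_RE.finditer(log_text):
        ip, port = ipaddress.ip_address(m.group(1)), int(m.group(2))
        # A forward-addr without an explicit port matches any port here.
        known = ip in fwd and fwd[ip] in (None, port)
        (expected if known else unexpected)[(str(ip), port)] += 1
    return expected, unexpected

if __name__ == "__main__":
    expected, unexpected = triage(SAMPLE_LOG, SAMPLE_CONF)
    for (ip, port), n in unexpected.items():
        print(f"TLS attempted to non-forwarder {ip} port {port}: {n} failure(s)")
    for (ip, port), n in expected.items():
        print(f"TLS failed to configured forwarder {ip} port {port}: {n} failure(s)")
```

Failures reported only against peers outside the `forward-addr` list mean Unbound attempted TLS to servers other than the configured forwarders, so the forward-zone was not what handled those queries.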

Activities

pkreuzt (reporter), 2023-09-22 12:55, note ~0018501

Please close this issue, as the problem resolved itself. I'm sure it was not the usual timing problem with SSL, so maybe something related to an outdated root.key.

Issue History

Date Modified Username Field Change
2023-09-21 13:55 pkreuzt New Issue
2023-09-22 12:55 pkreuzt Note Added: 0018501
2023-09-22 14:41 daniruiz Assigned To => daniruiz
2023-09-22 14:41 daniruiz Status new => closed
2023-09-22 14:41 daniruiz Resolution open => no change required