
DOH potential security risk message


When trying DNS over HTTPS in a network that uses Google's DNS 8.8.8.8 and 8.8.4.4, I configured FF as follows:

set network.trr.mode=3
set network.trr.bootstrapAddress=8.8.8.8
set network.trr.uri=https://dns.google/dns-query

Then I went to https://1.1.1.1/help, knowing full well that I am using Google's DOH and not Cloudflare, expecting the Cloudflare web site to tell me I am not using their services, with the results being all negative.

Instead FF reported "Warning potential security problem ahead". See enclosed. If I am using Google's DOH values and I go to a Cloudflare site, why would FF flag the site as a security risk? Keeping in mind FF appears to be working for other sites in the DOH configuration for Google with no visible problems.


Additional system details

Application

  • User agent string: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:68.0) Gecko/20100101 Firefox/68.0

jscher2000
  • Top 10 Contributor
8642 solutions 70696 answers

Can you click the Advanced button for more information about why the certificate verification failed?

cor-el
  • Top 10 Contributor
  • Moderator
17424 solutions 157436 answers

Helpful reply

1.1.1.1 would normally redirect you to a server in your vicinity using anycast, so there might be a domain mismatch for the certificate after the redirect.


Helpful reply

The certificate failed because it was not HTTPS so the connection was not secure. But strangely I was not able to connect using the Cloudflare DOH value, only with Google's DOH value shown on this web site: "https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers"

Eldar Value
4 solutions 45 answers

Those settings are working:

about:config?filter=network.trr

network.trr.bootstrapAddress > 8.8.8.8
network.trr.confirmationNS > dns.google
network.trr.credentials > dns.google
network.trr.disable-ECS > false
network.trr.early-AAAA > true
network.trr.mode > 3
network.trr.uri > https://dns.google.com/experimental

After setting, restart Firefox and enjoy :)


Question owner

I have already stated the settings I used. I have already stated that Google DOH worked.

Why does Cloudflare, the default used by FF, not work?

philipp
  • Top 25 Contributor
  • Moderator
5291 solutions 23381 answers

Again, please click on Advanced on the error page to see what's the error code and possibly inspect the failing certificate...


Question owner

You don't seem to understand. No certificate was obtained, as shown in my enclosure.

Why would the Cloudflare site be blocked and not Google? Why is it I could not get through to Cloudflare when Google DOH was working?

jscher2000
  • Top 10 Contributor
8642 solutions 70696 answers

Hi Mace2, on the error page, there is an Advanced button -- the gray one next to the large blue one. That Advanced button opens a panel with more technical information about the problem. I don't think you can diagnose the issue without that.


Question owner

Enclosed is the Advanced tab. Keep in mind the Google DOH values are set and work. But the Cloudflare web site 1.1.1.1/help did not work.

jscher2000
  • Top 10 Contributor
8642 solutions 70696 answers

I'm looking at the domains of the certificate provided to Firefox in your screenshot and I wonder whether your service provider may not permit IP address URLs, or at least this one. Otherwise, why would that certificate be showing up?

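The comparison made by eye in the reply above, the names in the presented certificate against the address in the URL, written out as an added Python example that is not part of the thread. Both certificates are constructed samples in the `ssl.getpeercert()` dictionary format, and `filter.library.example` is a hypothetical filtering proxy.

```python
import ipaddress

def _dns_match(pattern, host):
    """Wildcard rule: '*' may stand only for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(cert, target):
    """True if cert (ssl.getpeercert() dict format) is valid for target.

    An IP-literal URL such as https://1.1.1.1/ is matched only against
    'IP Address' subjectAltName entries, never against DNS names.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:  # target is a host name, not an IP literal
        return any(k == "DNS" and _dns_match(v, target) for k, v in sans)
    return any(k == "IP Address" and ipaddress.ip_address(v.strip()) == ip
               for k, v in sans)

def diagnose(cert, target):
    """Report 'ok', or list the names the certificate was actually issued for."""
    if cert_covers(cert, target):
        return "ok"
    names = sorted(v for _, v in cert.get("subjectAltName", ()))
    return "mismatch: certificate is for " + ", ".join(names)

# Constructed samples (not copied from the screenshot in the thread).
ORIGIN_CERT = {"subjectAltName": (
    ("DNS", "one.one.one.one"), ("DNS", "*.cloudflare-dns.com"),
    ("IP Address", "1.1.1.1"), ("IP Address", "1.0.0.1"))}
FILTER_CERT = {"subjectAltName": (  # hypothetical filtering proxy
    ("DNS", "filter.library.example"), ("DNS", "*.library.example"))}

if __name__ == "__main__":
    for label, cert in (("direct", ORIGIN_CERT), ("filtered", FILTER_CERT)):
        print(label, "->", diagnose(cert, "1.1.1.1"))
```

A mismatch that lists names belonging to the local network rather than the site being visited is the pattern that points at an intercepting filter instead of a fault at the destination.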

Chosen solution

The network is a library in Canada, Toronto area. I didn't believe that the library would filter a specific 1.1.1.1 address and not other DOH sites. But it appears that is the case because I tried another device on that network and then I tried it on another public network and it worked.

I will have to put this question to the Library as to why the filter? Not that I expect an answer.

jscher2000
  • Top 10 Contributor
8642 solutions 70696 answers

Do you think they filter 1.1.1.1 in particular, or filter IP address URLs in general?


Question owner

I think a greater question is why Cloudflare DOH was filtered over Google DOH.

jscher2000
  • Top 10 Contributor
8642 solutions 70696 answers

So if you aren't using DOH you can access https://1.1.1.1/help on that same network?


Question owner

I am using DOH. I am using Google's DOH server. The library is filtering only Cloudflare DOH.

The configuration network.trr.mode=3 ensures only DOH is being used.
