(I'm including the mailing list so others can benefit from this
discussion as well since we had the proxy/no-proxy topic there before)
Vaclav Steiner wrote:
Our KRESd daemons are configured with the lua-http module
for DoH, not any reverse proxy.
Is this a temporary setup or what is the motivation behind not using any
HTTP frontend since knot-resolver developers actively recommend against
a "naked" kresd DoH endpoint without any reverse proxy?
And we know about list [3]. We want to be there :-)
Great to hear that.
kind regards,
Christoph
Issue [2] I'll tell the guys from the knot-resolver team.
Probably Firefox
doesn't have a problem with it.
a _fresh_ Firefox 66.0.5 actually has a problem with it:
"
Warning: Potential Security Risk Ahead
Firefox detected a potential security threat and did not continue to
odvr.nic.cz. If you visit this site, attackers could try to steal
information like your passwords, emails, or credit card details.
[...]
"
On 20. 5. 2019 at 19:36, Christoph wrote:
Hi Vaclav,
thanks for running a public DoH service [1].
Would be great if you could add your DoH server to the
public DNS resolver lists [3].
There is a TLS misconfiguration that results in a TLS error
because the certificate chain is incomplete [2].
Is this a kresd without any HTTP reverse proxy like nginx in front of it?
kind regards,
Christoph
[1] https://blog.nic.cz/2019/05/20/na-odvr-podporujeme-take-dns-over-https/
[2] https://www.ssllabs.com/ssltest/analyze.html?d=odvr.nic.cz&hideResults=…
[3] https://github.com/curl/curl/wiki/DNS-over-HTTPS
    https://github.com/DNSCrypt/dnscrypt-resolvers
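The incomplete-chain error behind [2] can be reproduced and fixed offline. The script below is an added example, not part of this thread or of knot-resolver: it builds a throwaway root -> intermediate -> leaf PKI with the openssl CLI (the CA names and the hostname doh.example are constructed) and shows that a server presenting only its leaf certificate fails validation while the leaf plus intermediate passes.

```shell
#!/bin/sh
# Added example, not from the thread: a constructed three-level PKI shows why a
# DoH endpoint that serves only its leaf certificate fails chain validation and
# why the intermediate must be bundled with it. Requires the openssl CLI.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# mkcert <name> <subject> <issuer-name|-> <x509 extension lines...>
mkcert() {
    name=$1 subj=$2 issuer=$3
    shift 3
    printf '%s\n' "$@" > "$WORK/$name.ext"
    if [ "$issuer" = "-" ]; then
        # self-signed root: the trust anchor a client already holds
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$WORK/$name.key" -out "$WORK/$name.pem" -subj "$subj" \
            -days 1 >/dev/null 2>&1
    else
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "$subj" >/dev/null 2>&1
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial -days 1 \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
    fi
}
mkcert root  "/CN=Demo Root CA"         - "basicConstraints=critical,CA:TRUE"
mkcert inter "/CN=Demo Intermediate CA" root \
    "basicConstraints=critical,CA:TRUE" "keyUsage=critical,keyCertSign,cRLSign"
mkcert leaf  "/CN=doh.example"          inter \
    "basicConstraints=CA:FALSE" "subjectAltName=DNS:doh.example"
# chain_ok <leaf.pem> [<intermediates.pem>]: exit 0 if the presented certificates
# chain up to the trusted root, non-zero otherwise (the decision a browser makes).
chain_ok() {
    if [ $# -ge 2 ]; then
        openssl verify -CAfile "$WORK/root.pem" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/root.pem" "$1" >/dev/null 2>&1
    fi
}
if chain_ok "$WORK/leaf.pem"; then echo "leaf only: OK"
else echo "leaf only: FAILS (incomplete chain: intermediate missing)"; fi
if chain_ok "$WORK/leaf.pem" "$WORK/inter.pem"; then
    echo "leaf + intermediate: OK (this is the bundle the server must send)"; fi
```

Against a live endpoint the equivalent check is `openssl s_client -connect host:443 -showcerts`, which prints every certificate the server actually sends; an intermediate absent from that output is exactly what the browser warning quoted above reports.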