Android Pie Private DNS feature


crypted

Senior Member
Nov 20, 2007
2,493
4,221
Miami, FL
derekgordon.com
Does anyone have specifics for the required certificates, protocols, and general functionality for the new Private DNS feature?

I'm working on a new project which will bring internet-facing Pi-hole operations and DNS over TLS and HTTPS to folks, with very limited logging for better filtering and tweaking purposes. No IP or specific user data saved.

Currently, I have TLS functionality and SSL self-signed certificate functionality working on clients running Linux.

Android continues to fail to connect whether I'm using TLS only or providing SSL and TLS together. I've loaded certificates into the phone as well.

Android bug report logs don't provide much useful information. It enables. It shows the proper IP for the hostname used. Nothing says why it fails.

Server side logs show the handshake, server accepting everything from the client, and then the client disconnecting abruptly for what seems to be not liking a certificate.

Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Service [dns] started
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Option TCP_NODELAY set on local socket
Jan 3 17:21:55 dgpihole1 stunnel: LOG5[0]: Service [dns] accepted connection from 179.6.222.181:37146
Jan 3 17:21:55 dgpihole1 stunnel: LOG6[0]: Peer certificate required
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): before SSL initialization
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): before SSL initialization
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: SNI: no virtual services defined
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS read client hello
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write server hello
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write certificate
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write key exchange
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write certificate request
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS state (accept): SSLv3/TLS write server done
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS alert (read): fatal: unknown CA
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Remove session callback
Jan 3 17:21:55 dgpihole1 stunnel: LOG3[0]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 3 17:21:55 dgpihole1 stunnel: LOG5[0]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Deallocating application specific data for addr index
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Local descriptor (FD=3) closed
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: Service [dns] finished (0 left)

Input appreciated.

crypted
For example/testing purposes, I'm running a basic stunnel to try to get to the heart of the issue. All TLS versions seem to fail for Android and it seems to require SSL. I enabled SSLv3 in the last attempt below. SSLv3, while enabled, was changed to not authenticate to try and bypass any issues with certificates. The server does fine. Android provides no details as to why it doesn't want to go forward. Seems evil.

Results with just TLS 1.0:
Jan 4 12:30:35 dgpihole1 stunnel: LOG7[0]: Service [dns] finished (0 left)
Jan 4 12:30:45 dgpihole1 stunnel: LOG7[main]: Found 1 ready file descriptor(s)
Jan 4 12:30:45 dgpihole1 stunnel: LOG7[main]: FD=4 events=0x2001 revents=0x0
Jan 4 12:30:45 dgpihole1 stunnel: LOG7[main]: FD=7 events=0x2001 revents=0x1
Jan 4 12:30:45 dgpihole1 stunnel: LOG7[main]: Service [dns] accepted (FD=3) from 208.54.39.146:30398
Jan 4 12:30:45 dgpihole1 stunnel: LOG7[1]: Service [dns] started
Jan 4 12:30:45 dgpihole1 stunnel: LOG7[1]: Option TCP_NODELAY set on local socket
Jan 4 12:30:45 dgpihole1 stunnel: LOG5[1]: Service [dns] accepted connection from 208.54.39.146:30398
Jan 4 12:30:45 dgpihole1 stunnel: LOG6[1]: Peer certificate required
Jan 4 12:30:45 dgpihole1 stunnel: LOG7[1]: TLS state (accept): before SSL initialization
Jan 4 12:30:47 dgpihole1 stunnel: LOG7[1]: TLS state (accept): before SSL initialization
Jan 4 12:30:47 dgpihole1 stunnel: LOG7[1]: SNI: no virtual services defined
Jan 4 12:30:47 dgpihole1 stunnel: LOG7[1]: TLS state (accept): SSLv3/TLS read client hello
Jan 4 12:30:47 dgpihole1 stunnel: LOG7[1]: TLS state (accept): SSLv3/TLS write server hello
Jan 4 12:30:47 dgpihole1 stunnel: LOG7[1]: TLS state (accept): SSLv3/TLS write certificate
Jan 4 12:30:47 dgpihole1 stunnel: LOG7[1]: TLS state (accept): SSLv3/TLS write key exchange
Jan 4 12:30:47 dgpihole1 stunnel: LOG7[1]: TLS state (accept): SSLv3/TLS write certificate request
Jan 4 12:30:47 dgpihole1 stunnel: LOG7[1]: TLS state (accept): SSLv3/TLS write server done
Jan 4 12:30:47 dgpihole1 stunnel: LOG7[1]: TLS alert (read): fatal: protocol version
Jan 4 12:30:47 dgpihole1 stunnel: LOG7[1]: Remove session callback
Jan 4 12:30:47 dgpihole1 stunnel: LOG3[1]: SSL_accept: 1409442E: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
Jan 4 12:30:47 dgpihole1 stunnel: LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Jan 4 12:30:47 dgpihole1 stunnel: LOG7[1]: Deallocating application specific data for addr index
Jan 4 12:30:47 dgpihole1 stunnel: LOG7[1]: Local descriptor (FD=3) closed
Jan 4 12:30:47 dgpihole1 stunnel: LOG7[1]: Service [dns] finished (0 left)
Jan 4 12:31:11 dgpihole1 stunnel: LOG7[main]: Found 1 ready file descriptor(s)
Jan 4 12:31:11 dgpihole1 stunnel: LOG7[main]: FD=4 events=0x2001 revents=0x1
Jan 4 12:31:11 dgpihole1 stunnel: LOG7[main]: FD=7 events=0x2001 revents=0x0
Jan 4 12:31:11 dgpihole1 stunnel: LOG7[main]: Dispatching signals from the signal pipe
Jan 4 12:31:11 dgpihole1 stunnel: LOG7[main]: Processing SIGNAL_TERMINATE
Jan 4 12:31:11 dgpihole1 stunnel: LOG5[main]: Terminated
Jan 4 12:31:11 dgpihole1 stunnel: LOG7[main]: Closing service [dns]

Results of just TLS 1.1:
Jan 4 12:31:35 dgpihole1 stunnel: LOG7[2]: Service [dns] finished (0 left)
Jan 4 12:31:49 dgpihole1 stunnel: LOG7[main]: Found 1 ready file descriptor(s)
Jan 4 12:31:49 dgpihole1 stunnel: LOG7[main]: FD=4 events=0x2001 revents=0x0
Jan 4 12:31:49 dgpihole1 stunnel: LOG7[main]: FD=7 events=0x2001 revents=0x1
Jan 4 12:31:49 dgpihole1 stunnel: LOG7[main]: Service [dns] accepted (FD=3) from 208.54.39.146:20950
Jan 4 12:31:49 dgpihole1 stunnel: LOG7[3]: Service [dns] started
Jan 4 12:31:49 dgpihole1 stunnel: LOG7[3]: Option TCP_NODELAY set on local socket
Jan 4 12:31:49 dgpihole1 stunnel: LOG5[3]: Service [dns] accepted connection from 208.54.39.146:20950
Jan 4 12:31:49 dgpihole1 stunnel: LOG6[3]: Peer certificate required
Jan 4 12:31:49 dgpihole1 stunnel: LOG7[3]: TLS state (accept): before SSL initialization
Jan 4 12:31:49 dgpihole1 stunnel: LOG7[3]: TLS state (accept): before SSL initialization
Jan 4 12:31:49 dgpihole1 stunnel: LOG7[3]: SNI: no virtual services defined
Jan 4 12:31:49 dgpihole1 stunnel: LOG7[3]: TLS state (accept): SSLv3/TLS read client hello
Jan 4 12:31:49 dgpihole1 stunnel: LOG7[3]: TLS state (accept): SSLv3/TLS write server hello
Jan 4 12:31:49 dgpihole1 stunnel: LOG7[3]: TLS state (accept): SSLv3/TLS write certificate
Jan 4 12:31:49 dgpihole1 stunnel: LOG7[3]: TLS state (accept): SSLv3/TLS write key exchange
Jan 4 12:31:49 dgpihole1 stunnel: LOG7[3]: TLS state (accept): SSLv3/TLS write certificate request
Jan 4 12:31:49 dgpihole1 stunnel: LOG7[3]: TLS state (accept): SSLv3/TLS write server done
Jan 4 12:31:49 dgpihole1 stunnel: LOG3[3]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Jan 4 12:31:49 dgpihole1 stunnel: LOG5[3]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Jan 4 12:31:49 dgpihole1 stunnel: LOG7[3]: Deallocating application specific data for addr index
Jan 4 12:31:49 dgpihole1 stunnel: LOG7[3]: Local descriptor (FD=3) closed
Jan 4 12:31:49 dgpihole1 stunnel: LOG7[3]: Service [dns] finished (0 left)
Jan 4 12:32:12 dgpihole1 stunnel: LOG7[main]: Found 1 ready file descriptor(s)
Jan 4 12:32:12 dgpihole1 stunnel: LOG7[main]: FD=4 events=0x2001 revents=0x1
Jan 4 12:32:12 dgpihole1 stunnel: LOG7[main]: FD=7 events=0x2001 revents=0x0
Jan 4 12:32:12 dgpihole1 stunnel: LOG7[main]: Dispatching signals from the signal pipe
Jan 4 12:32:12 dgpihole1 stunnel: LOG7[main]: Processing SIGNAL_TERMINATE
Jan 4 12:32:12 dgpihole1 stunnel: LOG5[main]: Terminated


Results of just TLS 1.2:

Jan 4 12:32:25 dgpihole1 stunnel: LOG5[1]: Service [dns] accepted connection from 179.6.222.181:37944
Jan 4 12:32:25 dgpihole1 stunnel: LOG6[1]: Peer certificate required
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[1]: TLS state (accept): before SSL initialization
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[1]: TLS state (accept): before SSL initialization
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[1]: SNI: no virtual services defined
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[1]: TLS state (accept): SSLv3/TLS read client hello
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[1]: TLS state (accept): SSLv3/TLS write server hello
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[1]: TLS state (accept): SSLv3/TLS write certificate
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[1]: TLS state (accept): SSLv3/TLS write key exchange
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[1]: TLS state (accept): SSLv3/TLS write certificate request
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[1]: TLS state (accept): SSLv3/TLS write server done
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[main]: Found 1 ready file descriptor(s)
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[main]: FD=4 events=0x2001 revents=0x0
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[main]: FD=7 events=0x2001 revents=0x1
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[main]: Service [dns] accepted (FD=8) from 208.54.39.146:47098
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[2]: Service [dns] started
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[2]: Option TCP_NODELAY set on local socket
Jan 4 12:32:25 dgpihole1 stunnel: LOG5[2]: Service [dns] accepted connection from 208.54.39.146:47098
Jan 4 12:32:25 dgpihole1 stunnel: LOG6[2]: Peer certificate required
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[2]: TLS state (accept): before SSL initialization
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[1]: TLS alert (read): fatal: unknown CA
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[1]: Remove session callback
Jan 4 12:32:25 dgpihole1 stunnel: LOG3[1]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 4 12:32:25 dgpihole1 stunnel: LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[1]: Deallocating application specific data for addr index
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[1]: Local descriptor (FD=3) closed
Jan 4 12:32:25 dgpihole1 stunnel: LOG7[1]: Service [dns] finished (1 left)

Additionally, I set the server to accept SSL connections without any checking of certificates. It still fails from Android which is strange.

Jan 4 12:37:54 dgpihole1 stunnel: LOG7[main]: FD=7 events=0x2001 revents=0x1
Jan 4 12:37:54 dgpihole1 stunnel: LOG7[main]: Service [dns] accepted (FD=3) from 208.54.39.146:20768
Jan 4 12:37:54 dgpihole1 stunnel: LOG7[1]: Service [dns] started
Jan 4 12:37:54 dgpihole1 stunnel: LOG7[1]: Option TCP_NODELAY set on local socket
Jan 4 12:37:54 dgpihole1 stunnel: LOG5[1]: Service [dns] accepted connection from 208.54.39.146:20768
Jan 4 12:37:54 dgpihole1 stunnel: LOG6[1]: Peer certificate not required
Jan 4 12:37:54 dgpihole1 stunnel: LOG7[1]: TLS state (accept): before SSL initialization
Jan 4 12:37:54 dgpihole1 stunnel: LOG7[1]: TLS state (accept): before SSL initialization
Jan 4 12:37:54 dgpihole1 stunnel: LOG7[1]: SNI: no virtual services defined
Jan 4 12:37:54 dgpihole1 stunnel: LOG7[1]: TLS state (accept): SSLv3/TLS read client hello
Jan 4 12:37:54 dgpihole1 stunnel: LOG7[1]: TLS state (accept): SSLv3/TLS write server hello
Jan 4 12:37:54 dgpihole1 stunnel: LOG7[1]: TLS state (accept): SSLv3/TLS write certificate
Jan 4 12:37:54 dgpihole1 stunnel: LOG7[1]: TLS state (accept): SSLv3/TLS write key exchange
Jan 4 12:37:54 dgpihole1 stunnel: LOG7[1]: TLS state (accept): SSLv3/TLS write certificate request
Jan 4 12:37:54 dgpihole1 stunnel: LOG7[1]: TLS state (accept): SSLv3/TLS write server done
Jan 4 12:37:54 dgpihole1 stunnel: LOG7[1]: TLS alert (read): fatal: unknown CA
Jan 4 12:37:54 dgpihole1 stunnel: LOG7[1]: Remove session callback
Jan 4 12:37:54 dgpihole1 stunnel: LOG3[1]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 4 12:37:54 dgpihole1 stunnel: LOG5[1]: Connection reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
Jan 4 12:37:54 dgpihole1 stunnel: LOG7[1]: Deallocating application specific data for addr index
Jan 4 12:37:54 dgpihole1 stunnel: LOG7[1]: Local descriptor (FD=3) closed
Jan 4 12:37:54 dgpihole1 stunnel: LOG7[1]: Service [dns] finished (0 left)

Just need some solid education on the Android side so I can start working on a global option to provide a HOW-TO and, my ultimate goal, a public-facing server option.

EDIT - once I know the details, and if it's feasible, I may be willing to invest in a $60/yr wildcard SSL certificate that is compatible with the default root certificates in Android. But, it's kind of like throwing money from my tight wallet at a casino at this point. Not my ambition.
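Added example, not code from the thread's author: a small Python triage script over stunnel debug lines of the kind quoted in the two posts above. It separates an alert the server *read* (the client refused the server's certificate chain or protocol version, as in the "unknown CA" and "protocol version" lines) from an alert the server *wrote* (the server refused the client) and from a bare record-layer "wrong version number" with no alert at all. The log text, connection ids and addresses below are constructed for the example.

```python
"""Triage TLS handshake failures in stunnel debug logs (added example, constructed input)."""
import re

SAMPLE_LOG = """\
Jan 3 17:21:55 dgpihole1 stunnel: LOG5[0]: Service [dns] accepted connection from 203.0.113.10:37146
Jan 3 17:21:55 dgpihole1 stunnel: LOG7[0]: TLS alert (read): fatal: unknown CA
Jan 3 17:21:55 dgpihole1 stunnel: LOG3[0]: SSL_accept: 14094418: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Jan 4 12:30:47 dgpihole1 stunnel: LOG7[1]: TLS alert (read): fatal: protocol version
Jan 4 12:31:49 dgpihole1 stunnel: LOG3[3]: SSL_accept: 1408F10B: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Jan 4 12:40:00 dgpihole1 stunnel: LOG5[4]: Service [dns] accepted connection from 198.51.100.7:40000
Jan 4 12:40:00 dgpihole1 stunnel: LOG7[4]: TLS alert (write): fatal: unknown CA
"""

LINE_RE = re.compile(r"stunnel: LOG\d\[(?P<conn>\d+)\]: (?P<msg>.*)$")   # skips LOG7[main] lines
ALERT_RE = re.compile(r"TLS alert \((?P<dir>read|write)\): fatal: (?P<alert>.+)$")
PEER_RE = re.compile(r"accepted connection from (?P<peer>\S+)$")
RECORD_RE = re.compile(r"ssl3_get_record:(?P<err>.+)$")

# An alert stunnel *read* was sent by the client, so the client refused the server's offer;
# an alert stunnel *wrote* is the server refusing the client (e.g. an unverifiable client cert).
HINTS = {
    ("read", "unknown CA"): "client does not trust the server certificate chain",
    ("read", "protocol version"): "client refuses the TLS version the server offered",
    ("write", "unknown CA"): "server does not trust the client certificate",
    ("record", "wrong version number"): "record-layer version mismatch before any alert",
}

def triage(log_text):
    """Return {conn_id: {"peer", "side", "cause", "hint"}} for every numbered connection."""
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, msg = m.group("conn"), m.group("msg")
        entry = result.setdefault(conn, {"peer": None, "side": None, "cause": None, "hint": None})
        if p := PEER_RE.search(msg):
            entry["peer"] = p.group("peer")
        elif a := ALERT_RE.search(msg):
            side = "client" if a.group("dir") == "read" else "server"
            entry.update(side=side, cause=a.group("alert"),
                         hint=HINTS.get((a.group("dir"), a.group("alert")), "unmapped alert"))
        elif (r := RECORD_RE.search(msg)) and entry["cause"] is None:
            entry.update(side="record layer", cause=r.group("err"),
                         hint=HINTS.get(("record", r.group("err")), "unmapped record error"))
    return result

if __name__ == "__main__":
    for conn, e in triage(SAMPLE_LOG).items():
        print(f"conn {conn} from {e['peer']}: {e['side']} -> {e['cause']} ({e['hint']})")
```

Feed it the full debug log (stunnel `debug = 7`) and a "client" side with "unknown CA" points at the client's trust store rather than at the server configuration, which matches the outcome in this thread.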

crypted
I bought a certificate and have everything functioning so far. Lots of testing to come and potentially a service to be provided. HOW-TO will be written for sure. Fun to be back in the game after my hiatus (sort of).