Re: [public-dns-discuss] DNS-over-TLS certificate domain name mismatch


Puneet Sood

Jan 10, 2019, 1:09:29 AM1/10/19
to Mike Borsetti, public-dn...@googlegroups.com
The analysis on the website is not correct.

If you download the certificate using openssl and decode it, you can see
the CN and SAN entries for it.

$ openssl s_client -connect 8.8.8.8:853 -servername dns.google -showcerts

CONNECTED(00000003)

depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign

verify return:1

depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3

verify return:1

depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = dns.google

verify return:1

---

Certificate chain

0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=dns.google

i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3


<snip rest of the output>

===============================================

Certificate Information

Common Name: dns.google

Subject Alternative Names: dns.google, IP Address:2001:4860:4860:0:0:0:0:64, IP Address:2001:4860:4860:0:0:0:0:6464, IP Address:2001:4860:4860:0:0:0:0:8844, IP Address:2001:4860:4860:0:0:0:0:8888, IP Address:8.8.4.4, IP Address:8.8.8.8, 8888.google

Organization: Google LLC

Locality: Mountain View

State: California

Country: US

Valid From: December 19, 2018

Valid To: March 13, 2019

Issuer: Google Internet Authority G3, Google Trust Services

Serial Number: 6710025055179740529 (0x5d1ecc3c87f59571)

On Thu, Jan 10, 2019 at 12:46 AM 'Mike Borsetti' via
public-dns-discuss <public-dn...@googlegroups.com> wrote:
>
> The certificate served by dns.google for DNS-over-TLS is untrusted as it does not include "dns.google" in its common or alternative names (doh!).
>
> See https://www.ssllabs.com/ssltest/analyze.html?d=dns.google
>
> Instructions to use dns.google for DNS-over-TLS: https://security.googleblog.com/2019/01/google-public-dns-now-supports-dns-over.html
>
> Common names *.c.docs.google.com
> Alternative names <snip: long list of wildcard names>
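The name check a DNS-over-TLS client such as stubby performs against that SAN list, as an added example that is not code from this thread or from stubby. The SAN entries are constructed from the ones quoted above (plus the single wildcard name Qualys reported for port 443); matching follows RFC 6125 and RFC 5280, so a wildcard matches only one leftmost label and an IP literal is compared only against iPAddress entries.

```python
import ipaddress

# Constructed from the dns.google certificate decoded above (IPv6 written compressed).
DNS_GOOGLE_SANS = {
    "dns": ["dns.google", "8888.google"],
    "ip": ["2001:4860:4860::64", "2001:4860:4860::6464",
           "2001:4860:4860::8844", "2001:4860:4860::8888",
           "8.8.4.4", "8.8.8.8"],
}

# Constructed stand-in for the port-443 certificate Qualys evaluated:
# only its common name is reproduced here, and it has no iPAddress entries.
PORT_443_SANS = {"dns": ["*.c.docs.google.com"], "ip": []}


def dns_name_matches(pattern, hostname):
    """RFC 6125 presented-identifier match.

    A '*' is accepted only as the entire leftmost label of the pattern, it
    never matches across a dot, and it is not allowed to cover a public
    suffix (we require at least two labels after the wildcard).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def reference_id_matches(sans, reference):
    """Return True if `reference` (a hostname or an IP literal) is certified.

    IP literals are normalised with ipaddress, so 2001:4860:4860:0:0:0:0:8888
    equals the compressed form, and they are never compared to dNSName
    entries; hostnames are never compared to iPAddress entries.
    """
    try:
        addr = ipaddress.ip_address(reference)
    except ValueError:
        return any(dns_name_matches(p, reference) for p in sans["dns"])
    return any(ipaddress.ip_address(s) == addr for s in sans["ip"])
```

The port-443 certificate fails for `dns.google` while the port-853 certificate passes for both the hostname and the 8.8.8.8 / 2001:4860:4860::8888 literals, which is why a client with the authentication domain name set correctly validates the connection.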

mi...@borsetti.com

Jan 10, 2019, 1:51:41 AM1/10/19
to public-dns-discuss
Puneet,

Interesting and thanks.  Qualys is usually spot-on.

I couldn't get stubby to work, ran the Qualys test and imputed it to the lack of CN per their results.  Obviously not. I just reviewed stubby.yml and found a typo; it's working now.

Thanks for your help and fast response.

Alex Dupuy

Jan 10, 2019, 9:05:31 AM1/10/19
to public-dns-discuss
Mike wrote:
> Interesting and thanks.  Qualys is usually spot-on.

Qualys evaluates web servers only, so it was using port 443 (HTTPS) rather than port 853 (DNS-over-TLS). The certificate on port 443 is the one used by DNS-over-TLS (which doesn't currently operate on the 8.8.8.8 et al. anycast addresses).
