Systemd-resolved DoT doesn't check domain name in certificate

The hostname is not checked at all, even if it’s completely made up. I’m not sure if this is a bug or my issue?

DNSOverTLS=
…If the hostname was specified in DNS= by using the format “address#server_name” it is used to validate its certificate…

$ nmcli conn show eth0 connection.dns-over-tls
connection.dns-over-tls:                2 (yes)
$ resolvectl dns wlp1s0 1.1.1.1#this.shouldnot.work

$ resolvectl
Global
         Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=yes/supported
  resolv.conf mode: stub

Link 2 (wlp1s0)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6
         Protocols: +DefaultRoute LLMNR=resolve -mDNS +DNSOverTLS DNSSEC=yes/supported
Current DNS Server: 1.1.1.1#this.shouldnot.work
       DNS Servers: 1.1.1.1#this.shouldnot.work

$ resolvectl query google.com
google.com: 142.250.70.206                     -- link: wlp1s0
            2404:6800:4015:800::200e           -- link: wlp1s0

-- Information acquired via protocol DNS in 91.9ms.
-- Data is authenticated: no; Data was acquired via local or encrypted transport: yes
-- Data from: network

p.s. Also systemd-resolved doesn’t seem to check OCSP stapling if it’s required by the cert. However neither does Chrome, so fine I guess…
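Added example (not from the original post or from systemd): a minimal DNS-over-TLS client that does the certificate name check the man page describes, independently of systemd-resolved. It connects to the server IP on port 853, sends a length-prefixed DNS query per RFC 7858, and verifies the certificate against the name you would put after "#" in DNS=. With a made-up name like the one in the post it raises ssl.SSLCertVerificationError, which is what a correct validator should do; the script name, the constructed sample response and the Cloudflare hostname in the usage comment are assumptions for illustration.

```python
"""Standalone DoT (RFC 7858) name-validation check, added as an example.
Not code from the thread or from systemd-resolved."""
import socket
import ssl
import struct
import sys


def build_query(name, qtype=1, txid=0x1234):
    """Encode a recursive DNS query (RFC 1035) for `name`, IN class."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_a_records(msg):
    """Return the IPv4 addresses from the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:  # RCODE other than NOERROR
        raise ValueError("server returned RCODE %d" % (flags & 0xF))

    def skip_name(p):
        # Walk labels; a compression pointer (top two bits set) ends the name.
        while True:
            length = msg[p]
            if length & 0xC0 == 0xC0:
                return p + 2
            if length == 0:
                return p + 1
            p += 1 + length

    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(server_ip, server_name, name, timeout=5.0):
    """One A query over TLS to server_ip:853, verifying the certificate
    against server_name (the part after '#' in resolved's DNS= syntax).
    A mismatching certificate raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()  # system CA store, hostname checking on
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(name)
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_a_records(recv_exact(tls, length))


# Constructed sample response (not captured from a real server): NOERROR,
# one A record for google.com pointing at 142.250.70.206 with TTL 300.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x06google\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x8e\xfa\x46\xce"
)

if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   python3 dot_check.py 1.1.1.1 cloudflare-dns.com google.com     -> addresses
    #   python3 dot_check.py 1.1.1.1 this.shouldnot.work google.com   -> name mismatch
    if len(sys.argv) < 4:
        print("offline self-check:", parse_a_records(SAMPLE_RESPONSE))
        sys.exit(0)
    ip, sni, qname = sys.argv[1:4]
    try:
        print(dot_query(ip, sni, qname))
    except ssl.SSLCertVerificationError as exc:
        print("certificate does NOT match", sni, ":", exc)
        sys.exit(1)
```

Run without arguments it only parses the embedded sample; with a server IP, the expected name and a query name it performs the real TLS handshake, so a bogus name that still yields addresses would mean the client, not the server, skipped validation.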


This looks like a problem with the per-link setting.
It works correctly for me when DoT is enabled globally:

sudo mkdir -p /etc/systemd/resolved.conf.d
sudo tee /etc/systemd/resolved.conf.d/00-custom.conf << EOF > /dev/null
[Resolve]
DNSOverTLS=yes
EOF
sudo systemctl restart systemd-resolved.service

It would be best to report the issue upstream.