How to deal with censorship

My current setup is Pi-hole + Unbound, but because of the recent wars I get to see the ugly face of censorship, so I cannot access rt.com; the ISP is hijacking the connection and the certificate.

What are my options? Remove Unbound and switch to DoH?

That may work. Try it and see. If you encrypt your DNS to an upstream server, your ISP can't see or tamper with the queries. But, they are free to block the IP if they are intent on censorship.

Or use a VPN service to hide all your traffic from your ISP.

Have you viewed the certificate to see what problems are shown?


That's the certificate.

That's indeed not the cert for rt.com:

pi@ph5b:~ $ echo | openssl s_client -connect rt.com:443 -servername rt.com </dev/null 2>/dev/null | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0e:16:02:3e:77:84:26:4f:27:92:b0:59:5b:2e:d2:85
        Signature Algorithm: sha256WithRSAEncryption
------> Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
------> Validity
            Not Before: May 11 00:00:00 2021 GMT
            Not After : Jun 11 23:59:59 2022 GMT
------> Subject: C = RU, L = Moscow, O = ANO TV-Novosti, CN = *.rt.com
        Subject Public Key Info:
------>     Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:da:67:a8:31:af:6a:dd:58:86:58:c4:89:e9:0a:
                    60:e3:e4:25:54:82:7b:c1:9e:81:4f:d3:c5:51:16:
                    42:3f:e0:fe:c6:a1:42:d8:6f:9b:68:72:4c:a3:84:
                    ea:fd:84:2f:c2:a9:6f:e6:a6:ff:16:52:f6:05:e6:
                    a8:c2:3a:04:06:12:f1:1f:82:9c:8d:03:2f:c5:7e:
                    7b:a8:26:a4:9e:a7:28:03:a4:7e:a3:e7:3f:40:4b:
                    49:f0:cc:0a:2e:b3:f3:92:3e:f2:5a:cb:eb:6d:07:
                    22:25:7d:6b:99:8e:be:0a:82:e6:a7:eb:32:18:d4:
                    d1:a7:76:65:ea:1e:48:10:b2:25:60:d2:6f:00:c8:
                    57:1d:5e:2b:80:93:7e:6b:a3:c2:09:b2:c9:26:d2:
                    8f:7d:c7:e4:16:eb:72:06:e5:63:87:e8:10:bd:4f:
                    13:69:ab:0b:27:cf:8b:a2:f9:ee:5d:2f:f5:a2:e9:
                    06:30:90:db:5c:6f:50:e4:5f:3a:b6:70:dc:9b:90:
                    9b:92:eb:a7:18:0a:81:65:a3:45:a7:7d:25:d1:8e:
                    6b:ba:3c:c5:68:52:e5:c6:5e:20:20:72:2c:c2:ab:
                    06:a3:88:e5:c8:3d:5b:b0:ab:e3:3d:4c:e6:73:51:
                    54:d8:a4:bc:2f:19:5e:7c:e7:95:c7:bc:b3:7f:37:
                    14:d7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:90:58:FF:B0:9C:75:A8:51:54:77:B1:ED:F2:A3:43:16:38:9E:6C:C5

            X509v3 Subject Key Identifier:
                F9:45:D7:3B:37:8B:B3:90:AA:B8:A4:9F:61:18:63:22:83:97:28:B2
------>     X509v3 Subject Alternative Name:
                DNS:*.rt.com, DNS:rt.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://cdp.geotrust.com/GeoTrustRSACA2018.crl

            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.2
                  CPS: http://www.digicert.com/CPS

            Authority Information Access:
                OCSP - URI:http://status.geotrust.com
                CA Issuers - URI:http://cacerts.geotrust.com/GeoTrustRSACA2018.crt

            X509v3 Basic Constraints: critical
                CA:FALSE
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5:
                                BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84
                    Timestamp : May 11 13:26:19.416 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:22:6C:2F:9C:38:28:48:35:A6:29:6A:9E:
                                0C:4B:A8:A0:5E:BD:F6:D0:47:4D:B1:87:02:09:83:D6:
                                8A:87:97:40:02:20:4D:F4:33:F5:A1:25:2D:BC:8F:D3:
                                34:7B:D5:71:72:91:9C:5D:45:E9:E9:DE:99:AD:C9:5E:
                                FB:91:96:E9:F6:7C
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 22:45:45:07:59:55:24:56:96:3F:A1:2F:F1:F7:6D:86:
                                E0:23:26:63:AD:C0:4B:7F:5D:C6:83:5C:6E:E2:0F:02
                    Timestamp : May 11 13:26:19.498 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:08:D9:9F:16:7E:F0:55:6E:BC:39:07:CC:
                                08:96:1B:12:F3:9A:48:AB:E6:74:D4:00:F8:6D:90:17:
                                5F:20:E8:F2:02:21:00:E1:FC:FA:AC:81:2C:2B:B4:4B:
                                E0:7E:A6:8E:0A:74:BD:07:C7:E8:53:D2:FF:75:14:6C:
                                E3:5A:B1:D3:E4:45:D9
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 51:A3:B0:F5:FD:01:79:9C:56:6D:B8:37:78:8F:0C:A4:
                                7A:CC:1B:27:CB:F7:9E:88:42:9A:0D:FE:D4:8B:05:E5
                    Timestamp : May 11 13:26:19.530 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:03:AC:97:9A:7C:B1:87:CE:0E:5B:8D:D9:
                                08:A7:32:BA:69:52:49:37:30:27:C2:8A:C8:BD:FC:29:
                                89:E3:3B:C7:02:21:00:C3:FC:97:E6:6C:D3:97:8D:E8:
                                29:B9:70:8D:F1:F0:6B:ED:EC:07:E8:7B:21:3F:C7:27:
                                68:C4:E1:5E:66:29:31
------> Signature Algorithm: sha256WithRSAEncryption
         40:df:24:57:96:ba:99:b4:0f:b7:7b:96:8e:7a:4a:58:48:28:
         26:bf:f4:b5:c9:47:e1:03:63:df:a5:35:6f:3a:50:ca:05:de:
         84:09:5d:19:d0:3e:99:1d:80:34:9f:9e:6f:90:b4:e1:37:5c:
         ea:42:00:60:26:16:3b:86:44:78:c0:5b:b9:61:d0:a2:6c:25:
         91:5b:9f:41:ab:8b:59:49:56:e4:1f:48:98:e2:e2:88:41:70:
         b9:4a:e1:b7:9a:19:f7:b8:67:af:06:b8:c3:40:3e:2e:0e:cc:
         76:33:24:bf:ea:ed:a3:ad:df:82:c6:e2:39:c4:5b:55:83:1c:
         f5:98:f7:3b:4d:fd:21:3e:9c:16:cd:57:92:2f:0c:75:9d:1e:
         91:98:71:5a:ad:7b:e0:0b:02:2c:d3:12:f7:2b:12:03:77:57:
         b4:22:3e:1f:02:ea:2e:60:4e:99:11:57:1e:79:de:63:e1:99:
         4b:b5:92:20:83:ef:3d:a8:a5:b2:85:1e:d8:69:b0:1e:63:90:
         cd:10:0c:55:31:06:e4:28:03:6a:f0:af:be:1d:a5:cd:b8:59:
         f7:2a:67:e5:8c:db:fc:9a:ad:c5:f0:a3:09:f9:0e:28:ef:c3:
         56:83:1f:1f:cb:ae:ab:85:75:57:43:74:5d:fd:7f:e1:e0:a4:
         98:0b:7e:c9
pi@ph5b:~ $ curl -IkLv -A 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0' rt.com
*   Trying 91.215.41.4:80...
* Connected to rt.com (91.215.41.4) port 80 (#0)
> HEAD / HTTP/1.1
> Host: rt.com
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Server: ddos-guard
Server: ddos-guard
< Date: Wed, 13 Apr 2022 20:33:19 GMT
Date: Wed, 13 Apr 2022 20:33:19 GMT
< Connection: keep-alive
Connection: keep-alive
< Keep-Alive: timeout=60
Keep-Alive: timeout=60
< Location: https://rt.com/
Location: https://rt.com/

<
* Connection #0 to host rt.com left intact
* Issue another request to this URL: 'https://rt.com/'
*   Trying 91.215.41.4:443...
* Connected to rt.com (91.215.41.4) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=RU; L=Moscow; O=ANO TV-Novosti; CN=*.rt.com
*  start date: May 11 00:00:00 2021 GMT
*  expire date: Jun 11 23:59:59 2022 GMT
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust RSA CA 2018
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x19a5d20)
> HEAD / HTTP/2
> Host: rt.com
> user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 403
HTTP/2 403
< server: ddos-guard
server: ddos-guard
< date: Wed, 13 Apr 2022 20:33:20 GMT
date: Wed, 13 Apr 2022 20:33:20 GMT
< set-cookie: __ddgid_=ZT1M9bMYb6CT5e8a; Domain=.rt.com; HttpOnly; Path=/; Expires=Thu, 13-Apr-2023 20:33:20 GMT
set-cookie: __ddgid_=ZT1M9bMYb6CT5e8a; Domain=.rt.com; HttpOnly; Path=/; Expires=Thu, 13-Apr-2023 20:33:20 GMT
< set-cookie: __ddgmark_=kyga7UPzuMw1jEi9; Domain=.rt.com; HttpOnly; Path=/; Expires=Thu, 14-Apr-2022 20:33:20 GMT
set-cookie: __ddgmark_=kyga7UPzuMw1jEi9; Domain=.rt.com; HttpOnly; Path=/; Expires=Thu, 14-Apr-2022 20:33:20 GMT
< set-cookie: __ddg5_=XYIVySrPNrhFJefs; Domain=.rt.com; Path=/; Expires=Wed, 13-Apr-2022 23:33:20 GMT
set-cookie: __ddg5_=XYIVySrPNrhFJefs; Domain=.rt.com; Path=/; Expires=Wed, 13-Apr-2022 23:33:20 GMT
< cache-control: no-cache, no-store, must-revalidate
cache-control: no-cache, no-store, must-revalidate
< content-type: text/html; charset=UTF-8
content-type: text/html; charset=UTF-8
< content-length: 8156
content-length: 8156

<
* Connection #1 to host rt.com left intact
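The thing the post above is pointing at, whether the Subject/SAN of the certificate you were served actually covers the name you typed, is what `curl -v` and a browser check for you ("SSL certificate verify ok" in the curl output). As an added example that is not from this thread or from Pi-hole, here is that name check written out in Python over the text that `openssl x509 -noout -text` prints. Both certificate texts are constructed samples: the first copies the Issuer/Subject/SAN lines from the output above, the second stands in for a filter box serving a certificate for some other name (`blocked.example`, under a made-up `Example ISP Filter CA`).

```python
"""Does the certificate presented for a hostname actually cover that hostname?
Added example for this thread (not thread or Pi-hole code); it works on the
text output of `openssl x509 -noout -text`."""
import re

# Constructed sample: the relevant lines from the openssl output in the thread.
GOOD_CERT_TEXT = """\
Certificate:
    Data:
        Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = GeoTrust RSA CA 2018
        Subject: C = RU, L = Moscow, O = ANO TV-Novosti, CN = *.rt.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.rt.com, DNS:rt.com
"""

# Constructed sample of what an interception box might serve instead: a
# certificate for a different name, issued by a CA the browser does not trust.
INTERCEPT_CERT_TEXT = """\
Certificate:
    Data:
        Issuer: C = XX, O = Example ISP Filter, CN = Example ISP Filter CA
        Subject: CN = blocked.example
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:blocked.example
"""


def field(text, name):
    """Value of a top-level 'Name: value' line such as Issuer or Subject."""
    m = re.search(r"^\s*%s: (.*)$" % re.escape(name), text, re.M)
    return m.group(1).strip() if m else None


def san_names(text):
    """DNS names listed in the Subject Alternative Name extension."""
    m = re.search(r"Subject Alternative Name:\s*(.*)$", text, re.M)
    if not m:
        return []
    return [e.split(":", 1)[1].strip()
            for e in m.group(1).split(",") if e.strip().startswith("DNS:")]


def subject_cn(text):
    """CN from the Subject line; only a fallback when there is no SAN."""
    m = re.search(r"CN = ([^,]+)", field(text, "Subject") or "")
    return m.group(1).strip() if m else None


def name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard only as the left-most label, matching
    exactly one label, so *.rt.com covers www.rt.com but not rt.com itself."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]            # ".rt.com"
        if hostname.endswith(suffix):
            prefix = hostname[:-len(suffix)]
            return prefix != "" and "." not in prefix
    return False


def cert_covers(text, hostname):
    """True if any SAN (or, lacking a SAN, the Subject CN) matches hostname."""
    names = san_names(text) or ([subject_cn(text)] if subject_cn(text) else [])
    return any(name_matches(n, hostname) for n in names)


def diagnose(text, hostname):
    """Short verdict a user can act on, including who issued the certificate."""
    issuer = field(text, "Issuer")
    if cert_covers(text, hostname):
        return "ok: certificate covers %s (issuer: %s)" % (hostname, issuer)
    return "MISMATCH: certificate for %s does not cover %s (issuer: %s)" % (
        san_names(text) or subject_cn(text), hostname, issuer)


if __name__ == "__main__":
    print(diagnose(GOOD_CERT_TEXT, "rt.com"))
    print(diagnose(INTERCEPT_CERT_TEXT, "rt.com"))
```

Paste the output of `openssl s_client ... | openssl x509 -noout -text` from the affected client into `diagnose()` with the name you connected to; a MISMATCH with an issuer you do not recognise is the signature of the redirect described in this thread, not of a problem with rt.com's own certificate.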

What IP does it resolve to on the Pi-hole host?

pi@ph5b:~ $ dig @localhost rt.com

; <<>> DiG 9.16.22-Raspbian <<>> @localhost rt.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28436
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;rt.com.                                IN      A

;; ANSWER SECTION:
rt.com.                 65      IN      A       91.215.41.4

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Wed Apr 13 22:17:37 CEST 2022
;; MSG SIZE  rcvd: 51

And below one run on the client from which you got the cert info screenshot?

C:\>nslookup rt.com
Server:  ph5a.home.dehakkelaar.nl
Address:  10.0.0.2

Non-authoritative answer:
Name:    rt.com
Address:  91.215.41.4

Oh, PS: you mentioned Unbound.
If this was installed using a distro with a recent openresolv package:

pi@ph5b:~ $ apt policy openresolv
openresolv:
  Installed: 3.12.0-1
  Candidate: 3.12.0-1
  Version table:
 *** 3.12.0-1 500
        500 http://raspbian.raspberrypi.org/raspbian bullseye/main armhf Packages
        100 /var/lib/dpkg/status

And the below file exists (it doesn't on my setup):

pi@ph5b:~ $ sudo find /etc/unbound/ -iname resolvconf_resolvers.conf
pi@ph5b:~ $

I advise you to do the below to prevent unexpected/improper behaviour (DNS loops etc.):

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;rt.com.				IN	A

;; ANSWER SECTION:
rt.com.			300	IN	A	91.215.41.4

;; Query time: 231 msec
Non-authoritative answer:
Name:	rt.com
Address: 91.215.41.4

Sorry, I don't follow/understand your post.

Which one?

Why do I need to make the change in the config? AFAIK I don't have a loop problem.

Because of a recent change in the openresolv package that comes with, amongst others, the Raspbian/Pi-OS Bullseye releases.
More info can be found below:

Oh, PS: because of the Unbound misconfiguration, Unbound could be configured to use your router's advertised DNS servers (most likely forwarding to your ISP's DNS servers) instead of functioning as a true recursive DNS server.
Without you even knowing it.

If the below resolvconf_resolvers.conf file does not exist, you're in the clear:

OK, the file doesn't exist :smiley:


Going back to the topic of censorship:

Enabling DoH on Firefox, https://1.0.0.1/help returns

Yes, 1.1.1.1 is blocked.

On topic again: sounds like some big nasty firewall redirecting traffic to a host with the wrong cert.
SNI, used during the initial SSL/TLS handshake, can be sniffed easily and filtered, so a VPN or Tor comes to mind as a solution.
Or, if you use browsers, enable the DoH option.

EDIT: our postings crossed paths :wink:

1. rt.com is not accessible even if DoH is active on Firefox
2. Tor works
