Pihole with unbound (DNS) will serve invalid certificates for sites. I can refresh and get a different invalid certificate. If I switch to a vpn, I get the correct certificate. From then on the site will work if I switch back to pihole.
The version of the site you receive could be geofenced or otherwise IP limited and you don't see the same content via the VPN.
If it's limited to one site, then given that the certificates you are getting are for the dev site of some dodgy-looking game app, I'd be concerned about some sort of ad hijacking on that domain.
If it's other sites too then probably more concerning.
(I'm unable to reproduce this personally, the store.ui.com website seems to be working just fine with unbound).
It’s random. Sometimes happens with other sites, but isn’t like it is all of them or none. It’s not always the same site. I haven’t figured out a pattern.
The weird part is that I can refresh the page and I will still get the invalid certificate. If I close the browser, it doesn’t make a difference. If I connect to the VPN and then go to the site, it works fine with the certificate. From that point on, the site will function correctly. It “feels” like some type of caching issue.
** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] stxmumxjxbeud.store is NOERROR on lo (127.0.0.1)
[✓] stxmumxjxbeud.store is NOERROR on eth0 (192.168.1.58)
[✗] Failed to resolve doubleclick.com via a remote, public DNS server (8.8.8.8)
Do you have some firewall rules set up to block all DNS traffic on the network segment? Maybe DNATing those queries to Pi-hole?
If you take a look at the Pi-hole query log, /var/log/pihole/pihole.log you can see the queries from the clients and then where Pi-hole is forwarding the queries. I see a lot of queries for AWS Elastic Load Balancers.
Pi-hole (and unbound) can't really change TLS certs, there's no function for that to happen. I guess you could have a bad IP address and have the web server serve an outdated certificate but I'm not sure how that would work.
Are all of the TLS certificates from the Amazon Root?
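The log-reading suggestion above, as an added example that is not part of the thread: a small POSIX shell/awk script that summarises everything /var/log/pihole/pihole.log recorded for one domain, namely which clients asked, whether the answer came from unbound (forwarded), from the cache or from gravity, and every IP that was ultimately returned with its first and last sighting. The sample log it writes is constructed for the demo (the ELB hostname and the 198.51.100.x / 203.0.113.x addresses are placeholders, not real answers for store.ui.com). Its one simplifying assumption is that dnsmasq logs a query's forwarded/cached/reply lines before the next query line arrives, which holds on a lightly loaded home resolver but not under heavy concurrent load.

```shell
#!/bin/sh
# Added example, not from the thread or the Pi-hole project.
# Summarise what Pi-hole's dnsmasq log recorded for one domain.
# Assumes the default dnsmasq line format, e.g.
#   Jan 12 10:15:01 dnsmasq[1234]: query[A] store.ui.com from 192.168.1.20
# Fields:  $3 = time, $5 = action, $6 = name, $8 = client/upstream/answer.

summarize_domain() {
    log="$1"; dom="$2"
    awk -v dom="$dom" '
        # A query line for the domain opens a window; a query for anything
        # else closes it. Reply lines inside the window (including the CNAME
        # hops to ELB names) are attributed to the domain we care about.
        $5 ~ /^query\[/ { active = ($6 == dom); if (active) { q++; client[$8]++ }; next }
        !active { next }
        $5 == "forwarded"                  { fwd++; upstream[$8]++; next }
        $5 == "cached" && $8 ~ /^[0-9.]+$/ { cached++; ip[$8]++; last[$8] = $3; if (!($8 in first)) first[$8] = $3; next }
        $5 == "gravity" && $6 == "blocked" { blocked++; next }
        $5 == "reply" && $8 ~ /^[0-9.]+$/  { ip[$8]++; last[$8] = $3; if (!($8 in first)) first[$8] = $3; next }
        # NXDOMAIN, NODATA, <CNAME> and IPv6 answers fall through and are ignored.
        END {
            printf "domain: %s\nqueries: %d\n", dom, q
            printf "clients:"; for (c in client) printf " %s(%d)", c, client[c]; printf "\n"
            printf "forwarded: %d", fwd; for (u in upstream) printf " to %s(%d)", u, upstream[u]; printf "\n"
            printf "cached: %d\nblocked: %d\n", cached, blocked
            n = 0; for (a in ip) n++
            printf "distinct answer IPs: %d\n", n
            for (a in ip) printf "  %s  seen %d times, first %s, last %s\n", a, ip[a], first[a], last[a]
        }' "$log"
}

# Constructed sample log for the demo (hostnames and addresses are placeholders).
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 12 10:15:01 dnsmasq[1234]: query[A] store.ui.com from 192.168.1.20
Jan 12 10:15:01 dnsmasq[1234]: forwarded store.ui.com to 127.0.0.1#5335
Jan 12 10:15:01 dnsmasq[1234]: reply store.ui.com is <CNAME>
Jan 12 10:15:01 dnsmasq[1234]: reply store-lb-123.us-west-2.elb.amazonaws.com is 198.51.100.10
Jan 12 10:15:01 dnsmasq[1234]: reply store-lb-123.us-west-2.elb.amazonaws.com is 198.51.100.11
Jan 12 10:15:02 dnsmasq[1234]: query[A] doubleclick.com from 192.168.1.20
Jan 12 10:15:02 dnsmasq[1234]: gravity blocked doubleclick.com is 0.0.0.0
Jan 12 10:20:44 dnsmasq[1234]: query[A] store.ui.com from 192.168.1.31
Jan 12 10:20:44 dnsmasq[1234]: cached store.ui.com is <CNAME>
Jan 12 10:20:44 dnsmasq[1234]: cached store-lb-123.us-west-2.elb.amazonaws.com is 198.51.100.10
Jan 12 10:20:44 dnsmasq[1234]: cached store-lb-123.us-west-2.elb.amazonaws.com is 198.51.100.11
Jan 12 11:02:10 dnsmasq[1234]: query[A] store.ui.com from 192.168.1.20
Jan 12 11:02:10 dnsmasq[1234]: forwarded store.ui.com to 127.0.0.1#5335
Jan 12 11:02:10 dnsmasq[1234]: reply store.ui.com is <CNAME>
Jan 12 11:02:10 dnsmasq[1234]: reply store-lb-123.us-west-2.elb.amazonaws.com is 203.0.113.9
EOF
}

# Usage: sh pihole-trace.sh /var/log/pihole/pihole.log store.ui.com
if [ "$#" -eq 2 ]; then
    summarize_domain "$1" "$2"
fi
```

Run it against the real log with the domain that showed the wrong certificate. A name that normally answers with a stable pair of ELB addresses and once answered with something else is exactly the "bad IP address" case described above, and the first/last timestamps show whether that answer sat in the cache and was re-served on every refresh until the VPN detour replaced it. If the odd address never appears in the log at all, the resolver is not where the wrong certificate came from.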
I do have 8.8.8.8 (Google DNS) blocked to cut down on services that try to bypass pihole DNS resolution. This is at the firewall/router level. If I have that set incorrectly, or if there is a better way to achieve this within pihole, I will do that.
Your goal would be better achieved using a DNAT to redirect unwanted DNS requests to Pihole. I have Pihole running under a UDM-SE, and I can share my DNAT setup with you if you like, or you can find how to do this on the community forums for Unifi.
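The DNAT approach, as an added example that is not taken from the thread or from the UniFi forums: a shell script that generates (and with --apply, loads) an nftables ruleset redirecting every plain-DNS query leaving the LAN interface to Pi-hole, rather than just dropping traffic to 8.8.8.8. The interface name, the Pi-hole address (192.168.1.58 is only borrowed from the debug output above) and the assumption that the router runs nftables are inputs to the script, not facts from the thread. It also assumes unbound on the Pi-hole host sends its own recursive queries on port 53 from the Pi-hole's address, which is why that address is exempted.

```shell
#!/bin/sh
# Added example, not from the thread, Pi-hole or Ubiquiti.
# Generate an nftables ruleset that redirects LAN clients' port-53 traffic to
# Pi-hole. Assumes an nftables router; the interface name and Pi-hole IP are
# arguments (hypothetical values in the usage line below).

valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 } { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

dns_redirect_ruleset() {
    lan_if="$1"; pihole="$2"
    cat <<EOF
table ip dns_redirect {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Exempt Pi-hole itself: unbound resolves recursively over port 53,
        # and redirecting those queries back to Pi-hole would loop forever.
        iifname "$lan_if" ip saddr $pihole return
        # Every other LAN client that tries any resolver on port 53
        # (8.8.8.8, 1.1.1.1, a hard-coded IoT resolver) lands on Pi-hole.
        iifname "$lan_if" udp dport 53 dnat to $pihole
        iifname "$lan_if" tcp dport 53 dnat to $pihole
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hairpin: client and Pi-hole share the LAN. Without SNAT the reply
        # would leave Pi-hole straight to the client, which sent to 8.8.8.8
        # and would discard an answer from $pihole as the wrong source.
        oifname "$lan_if" ip daddr $pihole udp dport 53 masquerade
        oifname "$lan_if" ip daddr $pihole tcp dport 53 masquerade
    }
}
EOF
}

# Usage: sh dns-redirect.sh br0 192.168.1.58 [--apply]
if [ "$#" -ge 2 ]; then
    valid_ipv4 "$2" || { echo "bad Pi-hole address: $2" >&2; exit 2; }
    if [ "$3" = "--apply" ]; then
        dns_redirect_ruleset "$1" "$2" | nft -f -
    else
        dns_redirect_ruleset "$1" "$2"
    fi
fi
```

Two trade-offs to know before applying it: the masquerade rule means redirected queries show up in Pi-hole's query log with the router as the client, not the device that sent them (only queries sent to Pi-hole directly keep their real source), and this catches port 53 only, so a device using DNS-over-TLS on 853 or DNS-over-HTTPS still bypasses Pi-hole; a separate reject rule for 853 is the usual companion, and DoH has to be handled at the client. A router that still uses iptables needs the equivalent `-t nat PREROUTING` DNAT and `POSTROUTING` MASQUERADE rules.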