TLS Handshake error

Hi,

I have a problem (I guess) with the TLS Handshake as long as I use Pi-Hole (installed a few days ago) as DNS.

Yesterday I wanted to visit a website and it timed out. I was baffled and checked it with my smartphone (Wi-Fi, same network) and the website was working. I wanted to write a friend a mail about it, but my mail website didn't work either. The only thing they had in common was that the last thing I could read in the status bar was about the TLS handshake.

I tried out a bunch of things (date & time, other websites, some "is my browser's SSL ok" websites). In the end I kicked the Pi-hole out of the DNS settings of my Win 10 machine… and voilà, everything works fine.

How could that happen?

As far as I have found out so far, disabling IPv6 solves the problem. So the Pi-hole is not ready for IPv6?

Is this problem confined to one client and one browser, or does it occur on multiple clients and different browsers?

Actually it seems confined to one client, but there to all browsers. My assumption about IPv6 was wrong, by the way: if I switch off IPv6, I can see some websites, but not all. If I use 1.1.1.1 as DNS, everything works fine.

I tried my notebook - same error there.

This would indicate that it is not a Pi-hole-specific issue, but a problem in the settings or behavior of that single client. Take a careful look at the traffic from that client (I would use a packet sniffer such as Wireshark) and see the details of the TLS handshake process.

The client mentioned first is a desktop connected via LAN cable. No firewall or antivirus installed.

I was one second too late it seems: I tried out my notebook (Win 10); it has exactly the same error.

This expands the problem to two clients running Win10. I would Wireshark them, and see what is happening with the TLS handshake process with Pi-Hole running. Then put them on a DNS other than Pi-Hole (or temporarily disable Pi-Hole) and compare the handshake to the previous results.

These kinds of errors are mostly due to an incorrect MTU. You can test it by going to a site to check whether your MTU is correct inside a VPN.

The site is a normal site which loads slowly or not at all when the MTU is incorrect.

Site: antary.de

It has to load in one go, without showing "waiting for TLS handshake".

No. If I add the Pi-hole, I receive the error. If I remove the Pi-hole, everything works fine. There is no need to check my clients. This is 100% a Pi-hole-related problem.

No, it has nothing to do with the MTU. If that were the case, I would have this problem all the time. But I only have it with the Pi-hole as DNS server. The MTU is defined by the router, not by the DNS server. And why should it be wrong anyway?

And why should I check your site with a VPN? Honestly, I don't know what you are talking about. I have no VPN on my Raspberry.

How do you think Pi-Hole might be involved in the problem? Pi-Hole provides DNS resolution, nothing more. The client asks Pi-Hole to resolve a domain name to an IP, and Pi-Hole returns an IP. With the IP in hand, the client goes to the internet via the router to load that IP. Pi-Hole is not involved in any of the process of the client loading any content or making any connections to the IP - it only provided the IP.

Have you compared the IP returned when Pi-hole provides DNS resolution to the IP returned by another DNS server? If the two DNS servers return different IPs, then try loading the IPs directly by number in the browsers and see whether the connection is unsuccessful in either case.

You are going to have to do some troubleshooting to see what’s happening at the client.
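The comparison suggested in the reply above, written out as an added example (this is not Pi-hole project code and not from anyone in the thread): it sends the same A and AAAA query to the Pi-hole and to a second resolver, diffs the answers, flags answers that would make a browser fail before any TLS handshake happens (NXDOMAIN, no addresses, or Pi-hole's default null-blocking answers 0.0.0.0 / ::), and then attempts a TLS handshake with SNI against every address each resolver returned. The `PIHOLE` and `UPSTREAM` addresses are placeholders to replace with your own; both are assumed to answer plain DNS on UDP port 53. The two `SAMPLE_*` responses are constructed bytes so that the parser and the classification can be exercised offline; `resolve()` and `tls_probe()` need the network.

```python
"""Compare two resolvers' answers for one name, then TLS-probe each address.
Added example for the thread above; not Pi-hole code. PIHOLE/UPSTREAM are assumed."""
import random
import socket
import ssl
import struct
import sys

PIHOLE = "192.168.1.2"              # assumption: your Pi-hole's address
UPSTREAM = "1.1.1.1"                # the resolver the poster said works
BLOCK_ANSWERS = {"0.0.0.0", "::"}   # Pi-hole's default (NULL) blocking answers
A, AAAA, CNAME = 1, 28, 5

# Constructed sample responses (ID 0x1234) for "example.com A", used offline.
SAMPLE_UPSTREAM = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"           # header: 1 question, 2 answers
    b"\x07example\x03com\x00\x00\x01\x00\x01"                     # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x0a"  # A 192.0.2.10
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x0b"  # A 192.0.2.11
)
SAMPLE_PIHOLE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"           # header: 1 question, 1 answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x02\x00\x04\x00\x00\x00\x00"  # A 0.0.0.0 (blocked)
)

def build_query(name, qtype):
    """Build a minimal recursive DNS query; returns (transaction id, packet bytes)."""
    qid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return qid, header + qname + struct.pack("!HH", qtype, 1)

def _read_name(msg, off):
    """Decode a (possibly compressed) name at msg[off]; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_answers(msg, qid=None):
    """Parse the answer section into {'A': set, 'AAAA': set, 'CNAME': set, 'rcode': int}."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid is not None and rid != qid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                                # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    out = {"A": set(), "AAAA": set(), "CNAME": set(), "rcode": flags & 0xF}
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == A:
            out["A"].add(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == AAAA:
            out["AAAA"].add(socket.inet_ntop(socket.AF_INET6, rdata))
        elif rtype == CNAME:
            out["CNAME"].add(_read_name(msg, off)[0])
        off += rdlen
    return out

def resolve(server, name, timeout=3.0):
    """Query server (UDP/53) for A and AAAA and merge both parsed answers (network)."""
    merged = {"A": set(), "AAAA": set(), "CNAME": set(), "rcode": 0}
    for qtype in (A, AAAA):
        qid, pkt = build_query(name, qtype)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(pkt, (server, 53))
            data, _ = s.recvfrom(4096)
        parsed = parse_answers(data, qid)
        for k in ("A", "AAAA", "CNAME"):
            merged[k] |= parsed[k]
        merged["rcode"] = merged["rcode"] or parsed["rcode"]
    return merged

def classify(parsed):
    """Say why this answer set would stop a browser before it ever starts TLS."""
    if parsed["rcode"] == 3:
        return "NXDOMAIN"
    addrs = parsed["A"] | parsed["AAAA"]
    if not addrs:
        return "no addresses"
    if addrs & BLOCK_ANSWERS:
        return "blocked (null address)"
    return "ok"

def diff_answers(a, b):
    """Per record type: (only in a, only in b), for types where the two differ."""
    return {t: (a[t] - b[t], b[t] - a[t]) for t in ("A", "AAAA", "CNAME") if a[t] != b[t]}

def tls_probe(ip, hostname, port=443, timeout=5.0):
    """TCP-connect to ip and complete a TLS handshake with SNI=hostname (network)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as tcp:
            with ctx.wrap_socket(tcp, server_hostname=hostname) as tls:
                return True, tls.version()
    except (OSError, ssl.SSLError) as exc:
        return False, f"{type(exc).__name__}: {exc}"

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    answers = {PIHOLE: resolve(PIHOLE, host), UPSTREAM: resolve(UPSTREAM, host)}
    for server, parsed in answers.items():
        print(f"{server}: {classify(parsed)} A={sorted(parsed['A'])} AAAA={sorted(parsed['AAAA'])}")
        for ip in sorted(parsed["A"] | parsed["AAAA"]):
            print("   ", ip, tls_probe(ip, host))
    print("differences (Pi-hole vs upstream):", diff_answers(answers[PIHOLE], answers[UPSTREAM]))
```

Run it as `python compare_resolvers.py mail.example.net` (name assumed) from the affected Windows client. If both resolvers return the same addresses and the handshake also fails when the address came from 1.1.1.1, DNS is not the variable; if the Pi-hole answer classifies as blocked or returns different addresses, the Pi-hole query log for that domain (and any CDN names it CNAMEs to) is where to look next.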