What happened
After upgrading to dnspyre v2.19.0 or v2.21.0, I encountered an issue specific to NextDNS during DoT testing:
tls: failed to verify certificate: x509: cannot validate certificate for 45.90.30.0 because it doesn't contain any IP SANs 1 (100.00)%
Unlike other DNS services like Quad9 and 1.1.1.1, which include extensive IP SANs in their server certificates, NextDNS uses a wildcard SAN. This seems to be causing the validation failure in dnspyre from v2.19.0 onwards. This issue did not occur in earlier versions, such as v2.18.2 or v2.17.0, so it's triggered only under certain circumstances.
What you expected to happen
I expected dnspyre to validate NextDNS's certificate without issues, as it did in versions prior to v2.19.0, considering that other DNS services with detailed IP SANs in their certificates are not affected.
dnspyre command
v2.18:
$ dnspyre --version
2.18.2-linux-amd64
$ dnspyre --dot --server="test.dns.nextdns.io" google.com
Using 1 hostnames
Benchmarking test.dns.nextdns.io:853 via tls with 1 concurrent requests
Total requests: 1
DNS success codes: 1
DNS response codes:
NOERROR: 1
DNS question types:
A: 1
Time taken for tests: 172.07ms
Questions per second: 5.8
DNS timings, 1 datapoints
min: 167.77ms
mean: 171.97ms
[+/-sd]: 0s
max: 176.16ms
p99: 176.16ms
p95: 176.16ms
p90: 176.16ms
p75: 176.16ms
p50: 176.16ms
v2.19+:
$ dnspyre --version
2.19.0-linux-amd64
$ dnspyre --dot --server="test.dns.nextdns.io" google.com
Using 1 hostnames
Benchmarking 45.90.30.0:853 via tls with 1 concurrent requests
Total requests: 1
Read/Write errors: 1
Time taken for tests: 76.7ms
Questions per second: 13.0
Total Errors: 1
Top errors:
tls: failed to verify certificate: x509: cannot validate certificate for 45.90.30.0 because it doesn't contain any IP SANs 1 (100.00)%
$ dnspyre --dot --server="anycast.dns.nextdns.io" google.com
Using 1 hostnames
Benchmarking 45.90.28.0:853 via tls with 1 concurrent requests
Total requests: 1
Read/Write errors: 1
Time taken for tests: 111.21ms
Questions per second: 9.0
Total Errors: 1
Top errors:
tls: failed to verify certificate: x509: cannot validate certificate for 45.90.28.0 because it doesn't contain any IP SANs 1 (100.00)%
$ dnspyre --dot --server="firefox.dns.nextdns.io" google.com
Using 1 hostnames
Benchmarking 217.146.31.87:853 via tls with 1 concurrent requests
Total requests: 1
Read/Write errors: 1
Time taken for tests: 646.89ms
Questions per second: 1.5
Total Errors: 1
Top errors:
tls: failed to verify certificate: x509: cannot validate certificate for 217.146.31.87 because it doesn't contain any IP SANs 1 (100.00)%
cert digging command
$ openssl s_client -connect dns.quad9.net:853 -showcerts | openssl x509 -noout -text | grep -A1 'Subject Alternative Name:'
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = Berkeley, O = Quad9, CN = *.quad9.net
verify return:1
X509v3 Subject Alternative Name:
DNS:*.quad9.net, DNS:quad9.net, IP Address:9.9.9.9, IP Address:9.9.9.10, IP Address:9.9.9.11, IP Address:9.9.9.12, IP Address:9.9.9.13, IP Address:9.9.9.14, IP Address:9.9.9.15, IP Address:149.112.112.9, IP Address:149.112.112.10, IP Address:149.112.112.11, IP Address:149.112.112.12, IP Address:149.112.112.13, IP Address:149.112.112.14, IP Address:149.112.112.15, IP Address:149.112.112.112, IP Address:2620:FE:0:0:0:0:0:9, IP Address:2620:FE:0:0:0:0:0:10, IP Address:2620:FE:0:0:0:0:0:11, IP Address:2620:FE:0:0:0:0:0:12, IP Address:2620:FE:0:0:0:0:0:13, IP Address:2620:FE:0:0:0:0:0:14, IP Address:2620:FE:0:0:0:0:0:15, IP Address:2620:FE:0:0:0:0:0:FE, IP Address:2620:FE:0:0:0:0:FE:9, IP Address:2620:FE:0:0:0:0:FE:10, IP Address:2620:FE:0:0:0:0:FE:11, IP Address:2620:FE:0:0:0:0:FE:12, IP Address:2620:FE:0:0:0:0:FE:13, IP Address:2620:FE:0:0:0:0:FE:14, IP Address:2620:FE:0:0:0:0:FE:15
$ openssl s_client -connect 1.1.1.1:853 -showcerts | openssl x509 -noout -text | grep -A1 'Subject Alternative Name:'
Can't use SSL_get_servername
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
verify return:1
X509v3 Subject Alternative Name:
DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, IP Address:1.0.0.1, IP Address:1.1.1.1, IP Address:162.159.36.1, IP Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:1001, IP Address:2606:4700:4700:0:0:0:0:1111, IP Address:2606:4700:4700:0:0:0:0:64, IP Address:2606:4700:4700:0:0:0:0:6400
$ openssl s_client -connect test.dns.nextdns.io:853 -showcerts | openssl x509 -noout -text | grep -A1 'Subject Alternative Name:'
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust ECC Certification Authority
verify return:1
depth=1 C = AT, O = ZeroSSL, CN = ZeroSSL ECC Domain Secure Site CA
verify return:1
depth=0 CN = dns.nextdns.io
verify return:1
X509v3 Subject Alternative Name:
DNS:dns.nextdns.io, DNS:*.dns.nextdns.io
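The three SAN listings above are the whole story: the Quad9 and Cloudflare leaves carry IP SANs, the NextDNS leaf carries only dns.nextdns.io and *.dns.nextdns.io, and from v2.19.0 the benchmark line shows dnspyre connecting to the resolved address (45.90.30.0:853) rather than to the hostname. Go's crypto/tls, which produces the quoted error text, verifies an IP literal only against IP SANs, so a client that dials the resolved IP and does not carry the original hostname into tls.Config.ServerName fails on exactly the DNS-only certificate and succeeds on the other two. The following Go program is an added example, not dnspyre's code (how dnspyre builds its tls.Config is not shown on this page; that it dials the resolved IP without setting ServerName is an assumption drawn from the "Benchmarking 45.90.30.0:853" line and the error). It issues two self-signed certificates with constructed names (dns.example.test with a wildcard, standing in for the NextDNS shape, and *.resolver.test with an IP SAN, standing in for the Quad9 and 1.1.1.1 shape), runs Go's own SAN matching on them, and completes a real TLS 1.3 handshake over an in-memory pipe to show the failing and the corrected client configuration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ServerCert is a self-signed leaf plus its key, standing in for a resolver's certificate.
type ServerCert struct {
	Leaf *x509.Certificate
	TLS  tls.Certificate
}

// NewServerCert issues a self-signed leaf with exactly the given (constructed) DNS and IP SANs.
func NewServerCert(dnsNames []string, ips []net.IP) (*ServerCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ServerCert{Leaf: leaf, TLS: tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}}, nil
}

// VerifyName runs Go's SAN matching with no network involved: an IP literal is matched only
// against IP SANs, which is where "doesn't contain any IP SANs" comes from. "" means accepted.
func VerifyName(c *ServerCert, name string) string {
	if err := c.Leaf.VerifyHostname(name); err != nil {
		return err.Error()
	}
	return ""
}

// asyncConn makes the server's writes return at once, so the synchronous net.Pipe cannot
// deadlock when the client aborts while the server's flight is still in transit.
type asyncConn struct{ net.Conn }

func (a asyncConn) Write(p []byte) (int, error) {
	b := append([]byte(nil), p...)
	go func() { _, _ = a.Conn.Write(b) }()
	return len(p), nil
}

// HandshakeAs completes a TLS handshake in memory, the client verifying the server certificate
// against verifyName. A client that dials by resolved IP with tls.Config.ServerName left empty
// gets that IP as the name from crypto/tls; passing the IP here reproduces the issue's failure.
func HandshakeAs(c *ServerCert, verifyName string) string {
	clientSide, serverSide := net.Pipe()
	go func() {
		srv := tls.Server(asyncConn{serverSide}, &tls.Config{Certificates: []tls.Certificate{c.TLS}})
		_ = srv.Handshake() // an error here is the mirror of the client's
		srv.Close()
	}()
	defer clientSide.Close()
	pool := x509.NewCertPool()
	pool.AddCert(c.Leaf) // trust the self-signed leaf as the only root for this test
	cli := tls.Client(clientSide, &tls.Config{RootCAs: pool, ServerName: verifyName})
	if err := cli.Handshake(); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	wildcard, err1 := NewServerCert([]string{"dns.example.test", "*.dns.example.test"}, nil) // DNS SANs only, as NextDNS
	withIP, err2 := NewServerCert([]string{"*.resolver.test"}, []net.IP{net.ParseIP("45.90.30.0")}) // IP SAN too, as Quad9 and 1.1.1.1
	if err1 != nil || err2 != nil {
		panic("certificate generation failed")
	}
	fmt.Println("DNS-only cert, verify by IP:   ", VerifyName(wildcard, "45.90.30.0"))
	fmt.Println("handshake, name = dialed IP:   ", HandshakeAs(wildcard, "45.90.30.0"))
	fmt.Println("handshake, ServerName kept:    ", HandshakeAs(wildcard, "test.dns.example.test"))
	fmt.Println("cert with IP SAN, name = IP:   ", HandshakeAs(withIP, "45.90.30.0"))
}
```

The second handshake is the client-side fix: when a tool resolves the server name itself and dials the address, it should still put the original hostname into tls.Config.ServerName, which keeps full certificate verification (no InsecureSkipVerify) and works for both certificate shapes. Verifying against the resolved IP instead only works for operators who, like Quad9 and Cloudflare, enumerate their addresses as IP SANs.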