Unsolved DoT support with client ID
-
According to the AdGuard wiki https://github.com/AdguardTeam/AdGuardHome/wiki/Clients#clientid, the user's client ID can be set based on the URL used for DoT.
I'm trying to connect to my adguard instance with clientID.adguard.example.com but there is a certificate mismatch because *.adguard.example.com certificates aren't being generated. See the error message below:
dog google.com --tls @clientid.adguard.example.com
Error [tls]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1914: (Hostname mismatch)
The main reason I want to do this is to limit DNS requests to certain clientIDs so I can use the private DNS function on Android. I can't use my cell IP address because it's dynamic, so that is the only way I see to have a locked-down DNS server. I believe all that needs to be done is to issue certs for the adguard instance (as is already done) and then a wildcard cert for *.adguard.example.com.
-
There are apps like DNS66 and others that can set your DNS server explicitly (root) or implicitly via VPN to lock down DNS requests.
Check on F-Droid.
-
From what I could make out from the AdGuard Home config, only one TLS cert can be provided. This means that the certs for *.adguard.example.com and adguard.example.com need to be combined into one cert. We have to add support for such a cert in Cloudron since we don't request combined certs.
-
It could also be that in ClientID mode, DoH with adguard.example.com is not supposed to work. Only client.adguard.example.com is supposed to work. In any case, apart from the certs, we also need to set up wildcard DNS.
-
girish
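The "Hostname mismatch" in the first post and the combined-cert point in the last one come down to which names a certificate's Subject Alternative Names actually cover. The following is an added illustration, not code from AdGuard Home or Cloudron: it implements the wildcard matching rule TLS clients apply (one leftmost label, RFC 6125) and runs it over two constructed SAN lists, a single-name cert for adguard.example.com and a combined cert that also carries *.adguard.example.com. The hostnames and SAN lists are assumptions chosen to mirror the thread; no real certificate is parsed.

```python
"""Check whether a certificate's Subject Alternative Names cover the hostnames
AdGuard Home needs when ClientIDs are carried in the DoT/DoH server name.

Added example, not AdGuard Home or Cloudron code. The SAN lists and hostnames
below are constructed; the matching rules follow RFC 6125, where a wildcard
covers exactly one leftmost label."""

from typing import Iterable, List


def hostname_matches(san: str, hostname: str) -> bool:
    """Return True if a single dNSName SAN entry covers `hostname`.

    Only a leftmost, whole-label wildcard is honoured, so "*.adguard.example.com"
    covers "clientid.adguard.example.com" but neither "adguard.example.com"
    itself nor "a.b.adguard.example.com"."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    # Wildcard entry: hostname must end with the suffix and contribute exactly
    # one extra label in front of it.
    suffix = san[1:]  # ".adguard.example.com"
    if not hostname.endswith(suffix):
        return False
    leading = hostname[: -len(suffix)]
    return bool(leading) and "." not in leading and "*" not in leading


def cert_covers(sans: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry in the certificate matches the hostname."""
    return any(hostname_matches(s, hostname) for s in sans)


def uncovered_hostnames(sans: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Hostnames a client would reject with a hostname mismatch for this cert."""
    san_list = list(sans)
    return [h for h in hostnames if not cert_covers(san_list, h)]


# Constructed SAN lists standing in for the certificates discussed in the thread.
SINGLE_NAME_CERT = ["adguard.example.com"]
COMBINED_CERT = ["adguard.example.com", "*.adguard.example.com"]

# Names the server must present: the plain endpoint plus ClientID-prefixed names
# (the ClientIDs "clientid" and "phone" are made up for the example).
REQUIRED_NAMES = [
    "adguard.example.com",
    "clientid.adguard.example.com",
    "phone.adguard.example.com",
]

if __name__ == "__main__":
    for label, sans in (("single-name cert", SINGLE_NAME_CERT), ("combined cert", COMBINED_CERT)):
        missing = uncovered_hostnames(sans, REQUIRED_NAMES)
        status = "OK" if not missing else "hostname mismatch for " + ", ".join(missing)
        print(f"{label}: {status}")
```

Running it shows the single-name cert failing for every ClientID-prefixed name, which is the `dog` error above, while the combined cert covers both the bare endpoint and the per-client names; it also shows why the wildcard alone would not do, since `*.adguard.example.com` does not match `adguard.example.com`.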