I'm trying to implement DNS-over-TLS using pihole behind Traefik.
My setup is almost working, but despite Traefik not being set up to pass the TLS through to the TCP service, the service is receiving encrypted data. I found that out by doing a tcpdump of port 53 on my pihole Docker interface.
If I do a `dig @pihole_docker_ip_address linux.org`, I can see in the tcpdump that the packets are in clear text and I get a result to my query.
When I try to connect my Android client to my DoT setup, Traefik throws me an error:
"Error during connection: readfrom tcp 172.18.0.2:49132->172.18.0.4:53: remote error: tls: expired certificate"
172.18.0.2 being Traefik and 172.18.0.4 being the pihole DNS service.
tcpdump shows encrypted packets coming from Traefik to the DNS interface.
All my certs are valid and working; I'm using the Cloudflare API.
The Traefik WebUI shows that my router is not in passthrough, yet the traffic seems to be passed through encrypted. How can I force Traefik to terminate the TLS connection and pass the packets decrypted to my service?
January 17, 2023, 1:47pm
Thanks for your interest in Traefik!
The documentation has more info about TLS termination.
See this YAML example:
```yaml
## Dynamic configuration
# will terminate the TLS request by default
```
Thank you for your reply.
I'm using labels in docker compose and my router does need to serve a TLS certificate. Here is what I have regarding this router at the moment in my docker compose.
dnsovertls is defined as follows in my Traefik config file:
Can you share your full Traefik static and dynamic config, and docker-compose.yml if used?
Check the Traefik debug log for "error".
Here are my configs! Thanks again for the interest you have in my problem, I'm sure a lot of guys would like to be able to do the same as me.
docker-compose.yml for Traefik
```yaml
# format: common
# Dynamic configuration
```
docker-compose.yml for pihole
```yaml
# web interface
# make sure '/admin' is there
```
The error I'm getting is this one:
traefik | time="2023-01-18T03:24:32Z" level=error msg="Error during connection: readfrom tcp 172.18.0.2:38970->172.18.0.4:53: remote error: tls: expired certificate"
It appears when I try to set up DoT on my Android as a client. I get no other error than that one... Very non-descriptive.
Did you manage to solve it?
I have it working and these are my labels for DoT for the Adguard container:
I also had to add this to my TLS options:
Nope, it still doesn't work. I haven't worked on it since, though.
I tried to add the alpnProtocols like you suggested, but it didn't help.
AdGuard does handle DoT by itself; this is why you can connect to your service using port 853.
Pi-hole does not implement DoT itself.
The error I'm getting now is:
traefik | time="2023-02-02T15:31:53Z" level=error msg="Error during connection: readfrom tcp 172.18.0.2:50072->172.18.0.4:53: remote error: tls: expired certificate"
Traefik being .2 and Pi-hole being .4.
It looks like Traefik still wants to establish a secure connection to pihole, but it cannot: port 53 does not supply any certificate; heck, pihole doesn't do TLS.
I just validated, by extracting information from acme.json, that my certificate for that HostSNI is valid and not expired.
Am I the only one trying to make pi-hole work in DNS-over-TLS behind Traefik?
February 14, 2023, 11:09am
I am running into the same issue with Android 10 and lower. It could be that the older Android versions use the older Let's Encrypt root certificate? (Android devices with DoT configured; interaction with new default chain - #14 by jsuelwald - Help - Let's Encrypt Community Support)
Indeed it has to do with the root cert.
I fixed it by adding:
```yaml
preferredChain: 'ISRG Root X1'
```
So traefik.yml becomes:
```yaml
#caserver: https://acme-staging-v02.api.letsencrypt.org/directory #only for debug
preferredChain: 'ISRG Root X1'
```
Remove your current acme.json file and restart Traefik.
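To tie the two working pieces of this thread together (the TLS-terminating TCP router from the Traefik docs reply, and the `preferredChain` fix above), here is an added docker-compose example. It is not the original poster's compose file or anything shipped by Traefik or Pi-hole; the hostname `dns.example.com`, the resolver name `le`, the entrypoint name `dot`, the network `proxy` and the `CF_DNS_API_TOKEN` variable are assumptions for illustration. Traefik listens for DNS-over-TLS on 853, terminates TLS (`tls.passthrough=false`, which is also the default), and forwards plain TCP DNS to Pi-hole's dnsmasq on 53, while the ACME resolver is asked for the chain anchored on ISRG Root X1 so that older Android trust stores do not reject it as expired.

```yaml
# Added example (not the thread author's file): Traefik terminates DoT on 853
# and forwards plain TCP DNS to Pi-hole on 53. Assumed names: dns.example.com,
# resolver "le", entrypoint "dot", network "proxy", CF_DNS_API_TOKEN placeholder.
version: "3.8"

services:
  traefik:
    image: traefik:v2.9
    command:
      - "--log.level=DEBUG"                        # shows the TLS alerts quoted in the thread
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.dot.address=:853"           # DNS-over-TLS listener (TCP)
      - "--certificatesresolvers.le.acme.email=admin@example.com"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=cloudflare"
      # Request the chain anchored on ISRG Root X1 rather than the default
      # cross-signed chain ending in DST Root CA X3 (expired 2021-09-30), which
      # older Android clients reject with a "certificate expired" alert.
      - "--certificatesresolvers.le.acme.preferredchain=ISRG Root X1"
    environment:
      CF_DNS_API_TOKEN: "${CF_DNS_API_TOKEN}"      # placeholder, supplied via .env
    ports:
      - "853:853"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt                 # delete acme.json here after changing preferredChain
    networks:
      - proxy

  pihole:
    image: pihole/pihole:latest
    # No port 853 here: Pi-hole's dnsmasq only speaks plain DNS on 53.
    labels:
      - "traefik.enable=true"
      - "traefik.tcp.routers.dot.entrypoints=dot"
      - "traefik.tcp.routers.dot.rule=HostSNI(`dns.example.com`)"
      - "traefik.tcp.routers.dot.tls=true"                 # terminate TLS in Traefik
      - "traefik.tcp.routers.dot.tls.passthrough=false"    # default; explicit so it is not missed
      - "traefik.tcp.routers.dot.tls.certresolver=le"
      - "traefik.tcp.routers.dot.service=pihole-dns"
      - "traefik.tcp.services.pihole-dns.loadbalancer.server.port=53"
    networks:
      - proxy

networks:
  proxy:
```

With this layout, a tcpdump on the Pi-hole side should show plaintext DNS on 53, because the only TLS session is the one between the client and Traefik. The "remote error: tls: expired certificate" line is the alert that the connecting client sends when it rejects the chain Traefik serves, not a complaint about the backend; if it persists after adding `preferredChain`, check that acme.json was actually regenerated, since Traefik keeps the previously issued chain until the file is removed or the certificate renews.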
Thanks for sharing your solution. I went another direction with this problem in the end. I ended up using "Technitium DNS Server", which supports DNS-over-TLS directly, so I don't have to fiddle with Traefik. The only thing with this solution, though, is that I have to have a separate certbot running for the certificate of my DoT server, because the generated certificate needs to be transformed to PKCS #12 for Technitium to use it. It's not been 90 days yet, so I expect something to break when the cert renews; I'll adjust the convert script to restart the container if needed. Also, I find "Technitium DNS Server" a little more geek-like than pi-hole.