Nginx DoT Gateway > Status 500

Time: 10-02

I am trying to create a DoT gateway with nginx. However, every time I try to connect via Android Private DNS I get a status 500 response.

My Nginx config looks like this:

stream {
    # $status in the stream module is the session status; 500 means an internal
    # error such as a failed TLS handshake, $upstream_addr is "-" when no upstream
    # connection was ever made
    log_format basic '$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time $upstream_addr';

    # plain DNS over TCP to the upstream resolver
    upstream dns {
        server 8.8.8.8:53;
    }

    server {
        listen 853 ssl;                  # DoT port; TLS is terminated here
        access_log /var/log/nginx/dot-access.log basic;
        error_log /var/log/nginx/dot-error.log;
        # fullchain.pem is the certificate chain presented to clients
        ssl_certificate /etc/letsencrypt/live/my.domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/my.domain.com/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_session_timeout 4h;
        ssl_handshake_timeout 10s;
        proxy_pass dns;                  # forward the decrypted DNS stream upstream
    }
}

I have tried to solve the error with https://medium.com/@nykolas.z/troubleshooting-dns-over-tls-e7ca570b6337 and https://www.aaflalo.me/2019/03/dns-over-tls/. A test request with https://getdnsapi.net/query/ works fine and I get "status": GETDNS_RESPSTATUS_GOOD. In /var/log/nginx/dot-access.log I see:

185.49.141.27 [01/Oct/2021:11:59:57 +0200] TCP 200 56 130 0.210 8.8.8.8:53

However, if I enter "my.domain.com" in the Android Private DNS settings, I get the error message "Connection not possible", and in /var/log/nginx/dot-access.log:

84.33.44.28 [01/Oct/2021:11:55:01 +0200] TCP 500 0 0 0.131 -

To me this means that the setup basically works, just not with Android Private DNS. Anyone with ideas?

CodePudding user response:

I have exactly the same setup, and it worked until yesterday. There seems to be an issue with Let's Encrypt certificates: https://twitter.com/WatfordJC/status/1443611562028245005

The problem can be solved by adding --preferred-chain "ISRG Root X1" to your certbot request. I just force-renewed my certificate and now it is working again. Other users discussing the topic: https://www.reddit.com/r/Adguard/comments/pynis4/agh_android_private_dns_couldnt_connect/
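Whether a gateway is still presenting the chain the answer refers to can be checked from the command line before and after the renewal. The script below is an added example, not code from the original question or answer: it parses the "Certificate chain" block that `openssl s_client -showcerts` prints and reports whether the last link is the cross-sign issued by DST Root CA X3 (the default Let's Encrypt chain, whose root expired on 30 September 2021) or a chain that stops at a certificate issued by ISRG Root X1, which is what certbot writes to fullchain.pem with --preferred-chain "ISRG Root X1". The host name, the port default of 853 and the two s_client transcripts embedded in the script are assumptions and constructed sample data; the parsing is separated from the network call so it can be run offline.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Classifies the certificate chain a DoT gateway (or any TLS server) presents
# by parsing the "Certificate chain" block of `openssl s_client` output.
# Host name, port and the sample transcripts below are assumptions/constructed.

# Print the issuer of the last certificate the server sent (empty if none).
# Reads `openssl s_client -showcerts` output on stdin. The chain block ends at
# a bare "---" line; PEM delimiters start with "-----" and must not match.
last_issuer() {
    awk '/^Certificate chain$/ { inchain = 1; next }
         inchain && /^---$/    { inchain = 0; next }
         inchain && /^ *i:/    { sub(/^ *i:/, ""); last = $0 }
         END                   { print last }'
}

# Classify the presented chain. Prints a label and returns 0 only when the
# chain stops at a certificate issued by ISRG Root X1, i.e. the chain certbot
# produces with --preferred-chain "ISRG Root X1".
check_chain_text() {
    issuer=$(last_issuer)
    case "$issuer" in
        "")                 echo "no-chain";         return 2 ;;
        *"DST Root CA X3"*) echo "cross-signed-dst"; return 1 ;;
        *"ISRG Root X1"*)   echo "isrg-root-x1";     return 0 ;;
        *)                  echo "other";            return 3 ;;
    esac
}

# Live check against a running gateway (needs network access and openssl):
#   dot_chain_check my.domain.com        # port defaults to 853
dot_chain_check() {
    host=$1
    port=${2:-853}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | check_chain_text
}

# Constructed sample modelled on s_client output (PEM bodies omitted):
# default Let's Encrypt chain before the fix, leaf -> R3 -> ISRG Root X1,
# where the last link is cross-signed by DST Root CA X3.
SAMPLE_DEFAULT_CHAIN=$(cat <<'EOF'
CONNECTED
---
Certificate chain
 0 s:CN = my.domain.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
...PEM body omitted in this constructed sample...
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
...PEM body omitted in this constructed sample...
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
...PEM body omitted in this constructed sample...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = my.domain.com
EOF
)

# Constructed sample of the chain after renewing with
# --preferred-chain "ISRG Root X1": leaf -> R3 only.
SAMPLE_SHORT_CHAIN=$(cat <<'EOF'
CONNECTED
---
Certificate chain
 0 s:CN = my.domain.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
...PEM body omitted in this constructed sample...
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
...PEM body omitted in this constructed sample...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = my.domain.com
EOF
)

# Offline demo on the constructed samples:
printf 'default chain:   %s\n' "$(printf '%s\n' "$SAMPLE_DEFAULT_CHAIN" | check_chain_text)"
printf 'preferred chain: %s\n' "$(printf '%s\n' "$SAMPLE_SHORT_CHAIN" | check_chain_text)"
```

Run `dot_chain_check my.domain.com` against the gateway: "cross-signed-dst" means nginx is still serving the old fullchain.pem (a force-renewal with --preferred-chain "ISRG Root X1" followed by an nginx reload should change it), "isrg-root-x1" means the short chain is in place, and "no-chain" means the TLS handshake did not get far enough to receive certificates at all, which is a different problem from the one in this thread.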
