Score:0

Can you self-host a DNS server with custom domains and still get TLS?


I assume the easy answer here is no, but I'm wondering the following. Without having to pre-install a certificate on each client, can I get TLS support for domains if I self-host a DNS server?

For example:

  • I host a DNS server that maps serverfault.com to my private IP address.
  • Some TLS termination would happen at this point of the communication, and then I'd just forward off to whatever I want.

The reason I say no is because for a trusted CA or service like Let's Encrypt, they do external verification of the domain to ensure you own it via TXT record or file upload.

The only way I can assume this is possible is if I pre-install a custom root CA on each client device connecting; then I would see TLS without any suspicion from the user.

Patrick Mevzek
Depending what your clients are, DANE is exactly filling this need... except that browsers do not read those TLSA records.
Score:1

When the server certificate itself is not known as trusted by the client (i.e. pre-installed as trusted on the client), then the trust in this certificate needs to be derived from somewhere.

Typically this is done by using a root CA pre-installed as trusted on the client, for example as part of the operating system or browser installation. Then a trust chain is built from the leaf certificate sent by the server in the TLS handshake down to the trusted root certificate pre-installed on the client system, and thus the trust is derived from the root CA up to the server certificate.

When running your own DNS server for domains which don't belong to you, you don't get publicly issued certificates for these domains, since your DNS server would not be seen as responsible for the domain and thus not be asked by the CA (ignoring DNS spoofing attacks here; see here for how a CA can protect against this).

All you get is that the DNS lookup resolves to your own IP address for the clients controlled by you which use your specific DNS server. If you want to serve these foreign domains on your own (i.e. an impersonation attack), you still need to provide these clients with a certificate they will trust, which, as described, you cannot get from a CA the clients trust.
