Messages - GrueneNeun

#1
If I enter multiple servers for the same domain and the first server is offline, a client requesting DNS entries for the overridden domain gets an error. Is it possible to have multiple entries for the same domain, so that even if one of the servers fails, a client gets correct results?
I am trying to use the firewall as the main DNS server for the clients, but since we are using Active Directory, our internal domain must be available too, even if one of the Domain Controllers is offline or updating or something like that.
#2
Hello everyone,

When I configure a domain override in Unbound, it seems to forward the corresponding queries only to the first entry, i.e. the first IP. If I run several DNS servers for the domain for redundancy, how do I get it to forward to the next server when the first DNS server fails?

Is there a best practice or something similar?
#3
Yes, and I try to minimize the impact of server-side misconfiguration on my users.

Quote from: Mks on March 01, 2022, 04:20:12 PM
Search for SQUID and AIA.

Best advice ever - thank you very much, it is exactly what I was looking for ;D

For a test, I inserted the following lines, which I copied from http://lists.squid-cache.org/pipermail/squid-users/2020-July/022425.html

# allow fetching of missing intermediate certificates
acl fetch_intermediate_certificate transaction_initiator certificate-fetching
http_access allow fetch_intermediate_certificate
cache allow fetch_intermediate_certificate

and at least https://incomplete-chain.badssl.com/ worked like a charm. This leads me to believe that the default configuration blocks the access of Squid itself to the AIA URLs to download missing certificates.
This is by no means a clean solution and I got other errors I can't inspect more closely at the moment - but something like this should be considered as an option in the GUI.
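An added example, not code from the post or from Squid, that reproduces the failure the thread is about without touching the network: it builds a root, an intermediate and a leaf certificate whose AIA extension names a caIssuers URL, shows that verifying the leaf against the root alone fails with the issuer-not-known error, extracts the AIA URL a fetching verifier would follow, and shows that supplying the intermediate makes verification pass. It assumes OpenSSL 1.1.1 or newer on PATH; all names and the URL are constructed.

```shell
#!/bin/sh
# Added example, not code from the post or from Squid: build a root -> intermediate
# -> leaf chain whose leaf carries an AIA caIssuers URL, then show that verifying
# the leaf against the root alone fails the way the post describes, while adding
# the intermediate (what AIA fetching retrieves) makes it verify.
# Assumes OpenSSL 1.1.1 or newer on PATH; all names and the URL are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA: self-signed; the default req config marks it CA:TRUE.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 3650 >/dev/null 2>&1
# Intermediate CA, signed by the root, with CA:TRUE so it may issue certs.
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 3650 -extfile inter.ext >/dev/null 2>&1
# Leaf, signed by the intermediate; its AIA points at a constructed URL (never contacted).
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=incomplete-chain.example.test" >/dev/null 2>&1
printf 'subjectAltName=DNS:incomplete-chain.example.test\n' > leaf.ext
printf 'authorityInfoAccess=caIssuers;URI:http://pki.example.test/inter.der\n' >> leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem -days 365 -extfile leaf.ext >/dev/null 2>&1

# What a verifier sees when the server omits the intermediate: only the root is
# trusted and only the leaf is presented. Fails with "unable to get local issuer
# certificate", OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 || return 1
}

# The caIssuers URI in the leaf: the pointer an AIA-fetching verifier follows.
aia_url() {
  openssl x509 -in "$WORK/leaf.pem" -noout -text | sed -n 's/.*CA Issuers - URI://p'
}

# Same trust store, but the intermediate is supplied as an untrusted chain
# element, as if it had just been fetched from the AIA URL: verification passes.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" 2>&1
}

verify_without_intermediate || true
aia_url
verify_with_intermediate
```

Run stand-alone it prints the failing verification, the AIA URL, and the passing verification in that order; the temporary directory under mktemp is left behind for inspection.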
#4
Okay, I am just asking because I found https://www.spinics.net/lists/squid/msg94071.html which suggests that Squid should try to fetch missing certificates...
#5
I have a transparent proxy up and running which also uses SSL bumping. It works for most websites, but some SSL sites do not deliver their intermediate certificate, https://incomplete-chain.badssl.com/ for example. This results in OPNsense presenting the following errors to a client:

(92) Protocol error (TLS code: X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
SSL Certficate error: certificate issuer (CA) not known: /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

Since normal web browsers do not display that error and can verify the complete certificate chain, there must be a way to download these missing certificates automatically. Can this be done in the web proxy too, so that even misconfigured servers can be reached?