
I have a small home network, with DNS running through a VM with Pi-Hole. A couple of days ago, a hard drive problem took down the machine running the VM, so I temporarily set my router (a UDM SE) to use 8.8.8.8 and 8.8.4.4 as its DNS servers.

Ever since then, I've been having constant issues when accessing sites hosted by Fastly, ones like Reddit, XKCD, and even Stack Exchange itself. Pages will occasionally work (hence why I am able to type this question at all!) but more often than not images and other content will be missing, or the connection will fail with an "ERR_CONNECTION_RESET" message.

I am at a bit of a loss as to why this is happening, and why Fastly specifically is affected. I have flushed the DNS cache on all my devices, set devices to use 8.8.8.8 or 1.1.1.1 manually bypassing the router DNS, but it seems to have no effect. I have experienced the problem on all my devices, so it's not machine-specific, and rebooting the entirety of my network equipment did not resolve it either.

Even after repairing the VM and setting pi-hole back to the exact configuration I used after the crash, the issue remains. Checking the logs indicates that the DNS requests go through correctly, and I can both ping and tracert to the affected websites without issue, yet I cannot reliably open them in any browser I have tried.

I will list the results of trying to access the affected sites through various programs, with modifications suggested in the comments.

1- Google Chrome: Fails with "ERR_CONNECTION_RESET". With verbose logging on, will repeatedly give the following error:

[21228:30708:0618/021007.153:ERROR:ssl_client_socket_impl.cc(978)] handshake failed; returned -1, SSL error code 1, net_error -101

2- Google Chrome with flags to ignore certificate errors: "--ignore-certificate-errors-spki-list" is not recognized as a valid command line option. "--ignore-certificate-error" and "--ignore-ssl-errors" do not alter the behaviour, and lead to the error messages below.

PS C:\Program Files (x86)\Google\Chrome\Application> .\chrome.exe --enable-logging --v=1 --ignore-certificate-error --ignore-ssl-errors
PS C:\Program Files (x86)\Google\Chrome\Application> [17988:23136:0618/141158.044:ERROR:ssl_client_socket_impl.cc(978)] handshake failed; returned -1, SSL error code 1, net_error -101
[17988:23136:0618/141158.069:ERROR:ssl_client_socket_impl.cc(978)] handshake failed; returned -1, SSL error code 1, net_error -101
[20400:25424:0618/141158.266:ERROR:cert_issuer_source_aia.cc(34)] Error parsing cert retrieved from AIA (as DER):
ERROR: Couldn't read tbsCertificate as SEQUENCE
ERROR: Failed parsing Certificate

[20400:28820:0618/141159.529:ERROR:device_event_log_impl.cc(222)] [14:11:59.529] USB: usb_service_win.cc:415 Could not read device interface GUIDs: The system cannot find the file specified. (0x2)
[17988:23136:0618/141200.144:ERROR:ssl_client_socket_impl.cc(978)] handshake failed; returned -1, SSL error code 1, net_error -101
[20400:25424:0618/141200.307:ERROR:cert_issuer_source_aia.cc(34)] Error parsing cert retrieved from AIA (as DER):
ERROR: Couldn't read tbsCertificate as SEQUENCE
ERROR: Failed parsing Certificate

[17988:23136:0618/141207.398:ERROR:ssl_client_socket_impl.cc(978)] handshake failed; returned -1, SSL error code 1, net_error -101

3- Safari on iOS: Fails with a "Safari can't open the page because it couldn't establish a secure connection to the server." error.

4- Firefox: Fails silently. Turning on console logging shows the GET request received no response.

5- curl: Gives the following error messages, with -4 and -6 respectively.

curl -v -4 www.reddit.com

* trying 151.101.1.140:80...
* Connected to www.reddit.com (151.101.1.140) port 80 (#0)
> GET / HTTP/1.1
> Host: www.reddit.com
> User-Agent: curl/7.81.0
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer

curl -v -6 www.reddit.com
* Closing connection 0
curl: (7) Couldn't connect to server
Areku
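The outputs above fail at different layers: curl -4 completes the TCP connection and is then reset, curl -6 never connects, and Chrome's net_error -101 (ERR_CONNECTION_RESET) is raised during the TLS handshake, before any certificate is checked. The following added example (not from the question or its comments) records each stage of a connection attempt separately and names the first failing layer; the CONSTRUCTED observations and the IPv6 placeholder address are made up to mirror the question, and probe() is a live check you can point at your own hosts.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

@dataclass
class Observation:
    host: str
    family: str                  # "IPv4" or "IPv6"
    address: Optional[str]       # None when the resolver returned nothing for this family
    tcp_connected: bool
    tls_complete: bool
    error: str = ""              # error text from the first failing stage

def classify(obs: Observation) -> str:
    """Name the first layer that failed; reaching a later layer rules out the earlier ones."""
    if obs.address is None:
        return "DNS"
    if not obs.tcp_connected:
        return "TCP connect"
    if not obs.tls_complete:
        # A reset here arrives before any certificate has been presented or checked,
        # so browser switches that relax certificate validation cannot change the result.
        if "reset" in obs.error.lower():
            return "TLS handshake: connection reset (pre-certificate)"
        return "TLS handshake"
    return "OK"

def probe(host: str, family: str, port: int = 443, timeout: float = 5.0) -> Observation:
    """Live probe for one address family: resolve, TCP connect, then TLS handshake."""
    af = socket.AF_INET if family == "IPv4" else socket.AF_INET6
    try:
        address = socket.getaddrinfo(host, port, af, socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror as exc:
        return Observation(host, family, None, False, False, str(exc))
    obs = Observation(host, family, address, False, False)
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            obs.tcp_connected = True
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host) as tls:
                obs.tls_complete = True
    except OSError as exc:  # timeouts, refused connections and ssl.SSLError all subclass OSError
        obs.error = "Connection reset by peer" if isinstance(exc, ConnectionResetError) else (str(exc) or type(exc).__name__)
    return obs

# Constructed observations (not live data) mirroring the question: Chrome's reset during the
# handshake over IPv4, and curl's "(7) Couldn't connect" over IPv6 (placeholder IPv6 address).
CONSTRUCTED = [
    Observation("www.reddit.com", "IPv4", "151.101.1.140", True, False, "Connection reset by peer"),
    Observation("www.reddit.com", "IPv6", "2001:db8::1", False, False, "Couldn't connect to server"),
]
```

Running `classify(probe("www.reddit.com", "IPv4"))` from a machine on the affected network and again from one outside it (a VPN endpoint, as one comment suggests) shows whether the reset is specific to the path between you and the CDN node.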
  • Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. – Community Jun 18 '23 at 04:05
  • 1
    Which browser are you using? This error message shouldn't be fatal. For Chrome you may experiment with the switches `--ignore-certificate-error`, `--ignore-ssl-errors` and `--ignore-certificate-errors-spki-list`. – harrymc Jun 18 '23 at 09:52
  • 1
    Can you try accessing the same websites using `curl` (with the `-4` and `-6` options to possibly narrow it down?) Are you _really_ talking to 8.8.8.8 and 1.1.1.1 – have you tried setting up DoT or DoH to rule out the possibility of your ISP intercepting the DNS requests? (Alternatively, do you have any VPNs to test with?) What upstream DNS servers did the Pi-Hole use before, or none at all? (Keep in mind CDNs like Fastly often use GeoDNS, where the DNS answers may vary depending on where the client appears to be located; it might be that you were talking to different CDN nodes before.) – u1686_grawity Jun 18 '23 at 10:43
  • @user1686 Using DoH on Chrome leads to the exact same result. The Pi-Hole server was initially set up to forward non-blocked DNS requests to 8.8.8.8 with 8.8.4.4 as a secondary option. I have added the results of using curl as an edit to the question itself. – Areku Jun 18 '23 at 18:00

0 Answers