
I assume the easy answer here is no, but I'm wondering the following. Without having to pre-install a certificate on each client, can I get TLS support for domains if I self-host a DNS server?

For example:

  • I host a DNS server that maps serverfault.com to my private IP address.
  • Some TLS termination would happen at this point of the communication, and then I'd just forward off to whatever I want.

The reason I say no is because for a trusted CA or a service like Let's Encrypt, they do external verification of the domain to ensure you own it, via a TXT record or file upload.

The only way I can assume this is possible is if I pre-install a custom root CA on each connecting client device; then I would see TLS without any suspicion from the user.

user38643
Depending on what your clients are, DANE is exactly filling this need... except that browsers do not read those TLSA records. – Patrick Mevzek Jan 09 '23 at 20:35

1 Answer


When the server certificate itself is not known as trusted by the client (i.e. pre-installed as trusted on the client), then the trust in this certificate needs to be derived from somewhere.

Typically this is done by using a root CA pre-installed as trusted on the client, for example as part of the operating system or browser installation. Then a trust chain is built from the leaf certificate sent by the server in the TLS handshake down to the trusted root certificate pre-installed on the client system, and thus the trust is derived from the root CA up to the server certificate.

When running your own DNS server for domains which don't belong to you, you don't get publicly issued certificates for these domains, since your DNS server would not be seen as responsible for the domain and thus would not be asked by the CA (ignoring DNS spoofing attacks here - see here for how a CA can protect against this).

All you get is that the DNS lookup resolves to your own IP address for the clients controlled by you which use your specific DNS server. If you want to serve these foreign domains on your own (i.e. an impersonation attack), you still need to provide these clients with a certificate they will trust - which, as described, you cannot get from a CA the clients trust.

Steffen Ullrich
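The chain-building step the answer describes, as an added example that is not part of the original answer: a Go program (standard library only) constructs a private root CA and a leaf for serverfault.com, then runs the client's verification first against a trust store that does not contain that root and then after the root has been pre-installed. The CA name and the one-day validity are constructed values; the DNS side is left out on purpose, because where the name resolves never enters the chain check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panic on error: every constructed certificate must be well-formed
	if err != nil {
		panic(err)
	}
	return v
}
// makeCert issues a certificate for name: a self-signed root CA when parent is nil, otherwise a leaf signed by parent.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), // constructed validity
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // root CA: may sign certificates and signs itself
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: host name in the SAN, marked for TLS server authentication
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}
// Demo replays the client-side check from the answer: chain the leaf presented for serverfault.com to a root
// the client already trusts. It returns the verification error before and after the private root is installed.
func Demo() (errRootNotInstalled, errRootInstalled error) {
	privateRoot, privateKey := makeCert("Private Root CA (constructed)", nil, nil)
	leaf, _ := makeCert("serverfault.com", privateRoot, privateKey) // DNS may resolve to us, but who signed this?
	roots := x509.NewCertPool() // the client's trust store; a real one holds public roots, none of which signed the leaf
	opts := x509.VerifyOptions{DNSName: "serverfault.com", Roots: roots}
	_, errRootNotInstalled = leaf.Verify(opts) // no chain to a trusted root: x509.UnknownAuthorityError
	roots.AddCert(privateRoot)                 // "pre-install a custom root CA on each client device"
	_, errRootInstalled = leaf.Verify(opts)
	return
}

func main() { fmt.Println(Demo()) }
```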