Some notes on debugging a recent DNS issue that I eventually found was related to DNS over TLS (DoT), and the certificate that we had pinned expiring soon and being replaced with a new certificate. The solution was to verify the new certificate, calculate the hash for it, and update the pinned hash.
[13/01/2026, 16:12:03] devalias: So the Internet issues seemed to be DNS related.
I have the router set up to use DNS over TLS (DoT) for security, using Cloudflare's 1.1.1.1 / 1.0.0.1 servers.
It also has the DNS-over-TLS protocol set to strict, which means I have the SPKI fingerprint of the TLS certificate saved, and it checks that it matches before establishing a connection (certificate pinning).
As best I can tell from some debugging, that certificate fingerprint seems to have changed, which would presumably cause the DNS connection in the router to fail.
[13/01/2026, 16:13:16] devalias: https://10.13.37.1:8443/Advanced_WAN_Content.asp (you won't be able to access this page, but I can)
[13/01/2026, 16:14:55] devalias:
[13/01/2026, 16:15:33] devalias: Using a CLI tool to check the DNS from my laptop directly, and see the server certificate:
kdig -d @1.0.0.1 +tls-ca +tls-host=cloudflare-dns.com example.com
[13/01/2026, 16:16:29] devalias:
[13/01/2026, 16:16:57] devalias: In this screenshot, I had already updated the SPKI pin there to the new one I got from the kdig tool, and I think that fixed things; at least it seemed to from my phone/etc.
[13/01/2026, 16:18:51] devalias: But if a certificate fingerprint changes... you sort of want to know why it did, as the whole point of pinning them is so you don't blindly accept a change, as maybe someone is using a dodgy self-signed man-in-the-middle certificate to try and hack you or similar (which should get rejected by default based on default root trust chains... but maybe they got it signed legit somehow through social engineering / hacking a root signer / etc.)
So we can check the SSL certificate transparency logs: https://crt.sh/?q=one.one.one.one
[13/01/2026, 16:19:32] devalias:
[13/01/2026, 16:19:56] devalias: We can see on this online cert checker, it's still seeing the old certificate, with the hash we had pinned:
[13/01/2026, 16:20:48] devalias:
[13/01/2026, 16:21:13] devalias: We can see that it expires in like 8 days (Jan 21st) and was issued by
DigiCert Global G2 TLS RSA SHA256 2020 CA1
[13/01/2026, 16:29:57] devalias: Clicking through to what seemed a likely match on the certificate transparency log, we can see details about it, including the certificate fingerprint. We could probably also calculate the SPKI fingerprint from that as well, but I cbf: https://crt.sh/?id=16251294730
[13/01/2026, 16:30:41] devalias:
[13/01/2026, 16:31:16] devalias: Supposedly that fingerprint is of the entire certificate, whereas the SPKI is of just the top part of the chain.
tl;dr: If the entire fingerprint matches, then the SPKI should also end up being the same.
[13/01/2026, 16:31:35] devalias: So basically, this looks like the old TLS cert that we had pinned
[13/01/2026, 16:37:08] devalias: I decided I could be f'd since I could easily download the key:
⇒ openssl x509 -in cloudflare-old.crt -pubkey -noout \
| openssl pkey -pubin -outform DER \
| openssl dgst -sha256 -binary \
| openssl base64
SPfg6FluPIlUc6a5h313BDCxQYNGX+THTy7ig5X3+VA=
So that's the old one that we had pinned.
[13/01/2026, 16:39:53] devalias: This is one of the new ones, which doesn't seem to match:
⇒ openssl x509 -in cloudflare-new-1.crt -pubkey -noout \
| openssl pkey -pubin -outform DER \
| openssl dgst -sha256 -binary \
| openssl base64
gwWNXZ1vDQDB9Br3d7s8YcJ0Ax4m4D0/fq83Ed4T/R0=
And this is the other of the new ones, which does seem to match:
⇒ openssl x509 -in cloudflare-new-2.crt -pubkey -noout \
| openssl pkey -pubin -outform DER \
| openssl dgst -sha256 -binary \
| openssl base64
ltQ6aXy3tqpNZKJdnevMD7oR+IsI5rNWbOssFDrl+Ew=
[13/01/2026, 16:42:27] devalias: The matching one seems to be this: https://crt.sh/?id=23481945460
[13/01/2026, 16:43:10] devalias:
[13/01/2026, 16:43:55] devalias: That's basically valid till just before Christmas.
So by pinning that certificate, things will work fine and be secure until then, and then I'd probably have to do this again; or I could disable the strict certificate checking, which is less secure, but unlikely to break like this in future.
[13/01/2026, 16:44:18] devalias:
[13/01/2026, 16:45:54] devalias: If you wanted to trade security for the convenience of not breaking, you could set the DNS-over-TLS Profile in the router to 'opportunistic', since the risk is probably low of needing to be that secure anyway.
- https://one.one.one.one/help/
- https://www.reddit.com/r/CloudFlare/comments/1q8f8l6/cloudflares_doh_failing_every_few_hours/
- My potential solution comment based on my above debugging: https://www.reddit.com/r/CloudFlare/comments/1q8f8l6/comment/nzb2at2/