Conflicts with cloudflare-ech and local Traefik
Hi! I am running a Cloudflare Tunnel for some of my services and have local DNS entries that override the IP for their domains when connecting locally, as I don't think my Traefik needs to go through Cloudflare when I'm on the same network as my server. However, Cloudflare somehow causes some clients to make the ECH call to the server (which also supports TLS 1.3 and HTTP/3) with an outer layer that appears as cloudflare-ech.com instead of the actually wanted domain in a local context. This causes Traefik to also see the requested domain as cloudflare-ech.com, and as there is no service associated and no valid certificate, it returns the default certificate, which is invalid for this domain and breaks the connection. Is it somehow possible to override this behaviour locally? Any help is appreciated!
HTTPS DNS record?
You mean of the type HTTPS?
Similar to something like A records or AAAA records?
Oops.
Well, at least there are no visible HTTPS records. I don't know exactly how I would approach blocking such records only in my personal network.
Are those hidden records?
I mean to ask whether those HTTPS records are hidden in the sense of not being visible in the site's DNS entries.
Hmm... I'm really wondering how to get those specifically blocked. I am merely using PiHole in my network and I don't know whether that alone could block those with the blacklist, as that only blocks certain domains I believe.
I found that I can apparently block HTTPS type requests for a domain using the PiHole blocklist.
Got it. Thank you for your help!
I'm not sure how the search engine indexing bot thing works, but in the hopes that maybe this will get indexed: you can block HTTPS queries on PiHole with the following regex blocklist entry
.*;querytype=HTTPS
or, for example, block all subdomains of example.com with
.*\.example\.com;querytype=HTTPS
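As an added illustration (not code from the thread and not Pi-hole's own code), the following Python script re-implements, in simplified form, how a Pi-hole-style regex blocklist entry carrying the ;querytype= extension is applied to a query, so that the two regexes above can be checked offline against constructed sample queries. The names parse_rule, matching_rule, evaluate and SAMPLE_QUERIES are the example's own, and the matching semantics (case-insensitive, unanchored search, as with POSIX regexec) are an assumption about Pi-hole's behaviour rather than something stated in the thread.

```python
import re
from dataclasses import dataclass, field

# Added example, not Pi-hole's code: a minimal matcher for blocklist entries of
# the form "<regex>;querytype=T1,T2". Pi-hole's real matcher lives in FTL (C);
# only the behaviour relevant to the thread is mirrored here.


@dataclass(frozen=True)
class Rule:
    entry: str                       # the blocklist line exactly as written
    pattern: re.Pattern              # compiled regex part of the entry
    querytypes: frozenset = field(default_factory=frozenset)  # empty = any query type


def parse_rule(entry: str) -> Rule:
    """Split 'regex;querytype=T1,T2' into the regex and the query types it is limited to."""
    regex, _, extension = entry.partition(";")  # assumption: the regex part contains no ';'
    qtypes = frozenset()
    if extension:
        key, _, value = extension.partition("=")
        if key.strip().lower() != "querytype":
            raise ValueError(f"unsupported extension in {entry!r}")
        qtypes = frozenset(t.strip().upper() for t in value.split(",") if t.strip())
    return Rule(entry, re.compile(regex, re.IGNORECASE), qtypes)


def matching_rule(rules, qname: str, qtype: str):
    """Return the first rule that blocks (qname, qtype), or None if the query is allowed."""
    qtype = qtype.upper()
    for rule in rules:
        # A rule restricted to certain query types never fires for other types,
        # so A/AAAA lookups pass even when the HTTPS lookup for the same name is blocked.
        if rule.querytypes and qtype not in rule.querytypes:
            continue
        # re.search is unanchored like POSIX regexec: ".*\.example\.com" also matches
        # "x.example.com.other.test" unless the pattern is ended with "$".
        if rule.pattern.search(qname):
            return rule
    return None


def evaluate(entries, queries):
    """Apply a list of blocklist entries to (qname, qtype) pairs; returns (qname, qtype, entry-or-None)."""
    rules = [parse_rule(e) for e in entries]
    results = []
    for qname, qtype in queries:
        hit = matching_rule(rules, qname, qtype)
        results.append((qname, qtype, hit.entry if hit else None))
    return results


# Constructed sample queries in the (name, type) shape of a Pi-hole query log; not a real log.
SAMPLE_QUERIES = [
    ("app.example.com", "A"),
    ("app.example.com", "AAAA"),
    ("app.example.com", "HTTPS"),
    ("example.com", "HTTPS"),      # apex name: not a subdomain, so the second regex leaves it alone
    ("example.org", "HTTPS"),
]

if __name__ == "__main__":
    for entries in ([r".*;querytype=HTTPS"], [r".*\.example\.com;querytype=HTTPS"]):
        print("blocklist:", entries)
        for qname, qtype, hit in evaluate(entries, SAMPLE_QUERIES):
            print(f"  {qname:18} {qtype:5} -> {'BLOCKED by ' + hit if hit else 'allowed'}")
```

Running it shows the property the thread relies on: with the subdomain entry, the A and AAAA lookups for app.example.com still resolve (and so still reach the local override), while only the HTTPS record, which is where a client picks up the ECH configuration, is withheld; the broader .*;querytype=HTTPS entry withholds HTTPS records for every name. Because matching is unanchored, a pattern without a trailing $ also matches longer names that merely contain the suffix.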