From 84ba3a463a46876f3e728326034d404d02aefb67 Mon Sep 17 00:00:00 2001 From: Christian Hesse Date: Wed, 5 Feb 2025 09:55:41 +0100 Subject: [PATCH] doc/netwatch-dns: warn on different certificate... ... based on indicated server name. Currently this is true for 8.8.8.8 (GTS Root R1) and dns.google (GTS Root R4). --- doc/netwatch-dns.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/doc/netwatch-dns.md b/doc/netwatch-dns.md index aa4e91f..0d94918 100644 --- a/doc/netwatch-dns.md +++ b/doc/netwatch-dns.md @@ -66,6 +66,10 @@ Importing a certificate automatically is possible. You may want to find the /tool/netwatch/add comment="doh, doh-cert=DigiCert Global Root G3" host=9.9.9.9; /tool/netwatch/add comment="doh, doh-cert=GTS Root R1" host=8.8.8.8; +> ⚠️ **Warning**: Combining these techniques can cause some confusion and +> troubles! Chances are that a service uses different certificates based +> on indicated server name. + Sometimes using just one specific (possibly internal) DNS server may be desired, with fallback in case it fails. This is possible as well:
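Review bot: the warning inserted after the `host=8.8.8.8` example does not name which "techniques" it means, nor does it carry the concrete case the commit message itself gives (8.8.8.8 presenting a GTS Root R1 certificate while dns.google presents GTS Root R4), so a reader of the rendered doc has to guess why the `doh-cert=` value in the comment might stop matching the server. Suggest spelling out the two things being combined (recording the expected root in the `doh-cert=` comment, and addressing the server by IP address versus by server name) and adding the example to the blockquote, e.g. `> on indicated server name, e.g. 8.8.8.8 currently presents GTS Root R1 while dns.google presents GTS Root R4.` Minor: "troubles" should read "trouble".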