
If I could set up a DNS server that responds with my server's IP for a certain domain, along with redirecting HTTPS and all DNS queries to my local HTTPS site and my local DNS server respectively, could this result in the client browser getting a site certificate over HTTPS containing credentials that match up with what the browser is getting from its DNS queries, thereby avoiding the "certificate untrusted" error?

This is based on the logic that if I only redirected HTTPS traffic and left DNS to some external server, the DNS could respond to the client's queries with an IP that doesn't match the one in the certificate, thus generating the error due to the mismatch.

If it is not the case that I can do so, how does the browser know to trust the certificate it receives? Does it compare the IP given in the cert with what DNS info it has?

Dudus
  • Possible duplicate of [Why doesn't DNS spoofing work against HTTPS sites?](https://security.stackexchange.com/questions/94331), [Can a HTTPS connection be compromised because of a rogue DNS server](https://security.stackexchange.com/questions/3857) and others. And your specific use case (according to your comments in the answer) is addressed in [Enterprise HTTPS redirection without certificate error](https://security.stackexchange.com/questions/136290). – Steffen Ullrich Jan 07 '18 at 04:21

1 Answer


Certificates do not contain IP addresses, but in fact contain the hostname of the site they are issued to. (i.e., www.google.com)

When a browser connects to an HTTPS site, it verifies several things:

  1. That the hostname in the certificate (specifically, a hostname listed in the "Subject Alternative Name" field) matches the requested hostname.
  2. That the certificate was issued by a trusted issuer (for example, a trusted Certificate Authority).
  3. That the certificate has not expired, and it is past the issue date for the certificate.

In order to successfully (meaning no browser warnings) MITM HTTPS traffic you would need a certificate for the correct hostname signed by a certificate authority trusted by the client device. Without this mechanism, HTTPS would not be effective at protecting against active attackers. (Just how effective it actually is is a matter of debate among industry professionals.)

DNS plays essentially no role in certificate verification. (There are some non-mainstream uses like RFC 4398, but I'm not aware of any browser using those.)

David
  • Thanks for responding. OK. So now, I have this local server on the LAN and I'd like it if the clients don't have to do that security exception thing for each HTTPS site they request... necessary because the setup on the LAN is such that your browser request gets redirected to the intranet site where you log in first, then your page can be fetched. If a user requests an HTTPS site, they have to add that security exception to their browser before the intranet site loads and this is confusing, difficult and scary even for some. Any way I can avoid this? – Dudus Jan 07 '18 at 01:58
  • I've seen (https://www.globalsign.com/en/blog/certificates-for-internal-servers/) – Dudus Jan 07 '18 at 01:58
  • @Dudus, if you are administering those machines as well, you can set up a local CA to sign the certificates and then install the CA certificate on the client machines. – David Jan 07 '18 at 02:03
  • Unfortunately I'm not. It's a public hotspot. – Dudus Jan 07 '18 at 03:26
  • @Dudus: what you are trying to do is essentially a malicious man in the middle attack against the client. This is the very thing HTTPS is designed to prevent. – Steffen Ullrich Jan 07 '18 at 04:20
  • Turns out I was hacking, 'n I ain't even know it. – Dudus Sep 18 '21 at 15:30
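The three checks the answer lists, as an added worked model (this is illustration code written for this page, not browser code or any library's API). A certificate is a small dataclass, and the CA signature is stood in for by an HMAC keyed with a per-CA secret, which is an assumption made so the example runs with only the standard library; real certificates are X.509 structures signed with public-key algorithms. All names, CAs and keys in it are constructed. What the model makes visible is what the answer states: the hostname the user typed is matched against the Subject Alternative Name list, the issuer's signature is verified against a key in the trust store, and the validity window is checked; the resolved IP address and the DNS answer are never consulted, so a spoofed DNS answer cannot make a certificate for a different name pass. The last case models David's comment: the same certificate that fails under the public trust store passes once the private CA has been installed on the client.

```python
"""Model of the checks a browser makes on a server certificate (added illustration)."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Certificate:
    subject_alt_names: tuple   # DNS names the certificate covers (no IP addresses here)
    issuer: str                # name of the signing CA
    not_before: datetime
    not_after: datetime
    signature: bytes = b""     # constructed stand-in for the CA's signature

    def to_be_signed(self) -> bytes:
        # The bytes the CA commits to; a real cert signs the DER-encoded TBSCertificate.
        return "|".join([",".join(self.subject_alt_names), self.issuer,
                         self.not_before.isoformat(), self.not_after.isoformat()]).encode()


def issue(ca_name: str, ca_secret: bytes, names, not_before, not_after) -> Certificate:
    """Constructed CA: 'sign' the certificate fields with an HMAC under the CA secret."""
    unsigned = Certificate(tuple(names), ca_name, not_before, not_after)
    sig = hmac.new(ca_secret, unsigned.to_be_signed(), hashlib.sha256).digest()
    return Certificate(tuple(names), ca_name, not_before, not_after, sig)


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style matching: case-insensitive; a wildcard is only allowed as the
    whole leftmost label and matches exactly one label, so *.example.com matches
    www.example.com but neither example.com nor a.b.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify(cert: Certificate, requested_host: str, trust_store: dict, now: datetime) -> list:
    """Return the list of failures; an empty list means no browser warning."""
    failures = []
    # 1. Some SAN entry must match the hostname the user asked for.
    if not any(hostname_matches(n, requested_host) for n in cert.subject_alt_names):
        failures.append("hostname mismatch")
    # 2. The issuer must be in the trust store AND its signature must verify,
    #    so merely claiming a trusted issuer name is not enough.
    key = trust_store.get(cert.issuer)
    expected = hmac.new(key, cert.to_be_signed(), hashlib.sha256).digest() if key else None
    if expected is None or not hmac.compare_digest(expected, cert.signature):
        failures.append("untrusted issuer")
    # 3. The current time must fall inside the validity window.
    if not (cert.not_before <= now <= cert.not_after):
        failures.append("outside validity period")
    return failures


def demo() -> dict:
    """Run the scenarios from the question and the answer's comments (all constructed)."""
    now = datetime(2018, 1, 7, tzinfo=timezone.utc)
    year = timedelta(days=365)
    public_secret, intranet_secret = b"constructed public CA key", b"constructed intranet CA key"
    trust_store = {"Public Root CA": public_secret}

    genuine = issue("Public Root CA", public_secret,
                    ["www.example.com", "*.cdn.example.com"], now - year, now + year)
    # The question's idea: DNS is spoofed to point www.example.com at a host that
    # presents a valid certificate for its own name.
    other_host = issue("Public Root CA", public_secret, ["hotspot.example.net"], now - year, now + year)
    # Right name, but signed by a CA the client has not installed.
    intranet = issue("Intranet CA", intranet_secret, ["www.example.com"], now - year, now + year)
    # Genuine signature bytes pasted onto altered fields: the signature no longer verifies.
    forged = Certificate(("www.example.com",), "Public Root CA", now - year, now + year, other_host.signature)
    expired = issue("Public Root CA", public_secret, ["www.example.com"], now - 2 * year, now - year)

    return {
        "genuine": verify(genuine, "www.example.com", trust_store, now),
        "wildcard": verify(genuine, "img.cdn.example.com", trust_store, now),
        "spoofed_dns": verify(other_host, "www.example.com", trust_store, now),
        "untrusted_ca": verify(intranet, "www.example.com", trust_store, now),
        "forged": verify(forged, "www.example.com", trust_store, now),
        "expired": verify(expired, "www.example.com", trust_store, now),
        # David's suggestion: install the private CA on managed clients.
        "intranet_ca_installed": verify(intranet, "www.example.com",
                                        {**trust_store, "Intranet CA": intranet_secret}, now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {'OK' if not result else ', '.join(result)}")
```

Note that `verify` takes no IP address and no DNS result at all; redirecting traffic only changes which server answers, not which name the browser expects in the certificate, which is why the "spoofed_dns" case fails on hostname mismatch.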