dns.nextdns.io website certificate revoked
As of 13.03.2021 I'm getting hundreds of certificate revocation errors from my Antivirus provider ESET Internet Security for domain dns.nextdns.io.
Seems to pop up for every DNS query my computer makes.
Using Nextdns on Windows 11 with that new Encrypted DNS feature. Worked for months until today almost without any issues.
{
"status": "ok",
"protocol": "DOH",
"profile": "***",
"client": "***",
"srcIP": "***",
"destIP": "45.90.30.90",
"anycast": true,
"server": "anexia-mow-1",
"clientName": "unknown-doh",
"deviceName": "***",
"deviceID": "***"
}
6 replies
-
ESET hijack your https connections with own certificate for all sites. Stop using it
-
Checked myself and dns.nextdns.io is using ZeroSSL, and I haven't seen anything that might point to it actually being "untrustworthy" there are bad reviews on Trustpilot but nearly all of them are about them being Free before and turning into a paid SSL solution (ZeroSSL was a LetsEncrypt frontend and now they make their own SSL certificates and are a paid solution from what I've gathered.) The complaints had nothing to do with their security so it's safe.
Here is a statement from Esets website.
"ESET SSL (Secure socket layer) scanning is a feature that allows or denies network communications based on a system of certificates that legitimate web services use to identify themselves. In some cases, a legitimate web service or network device might be denied by ESET SSL scanning because its certificate changes frequently, or it does not use an SSL certificate. You can create exceptions to SSL scanning in ESET Windows home products that will allow communications with these services or devices."
So it seems to be a false positive, allowing it should do the trick. The url above has the quote and a tutorial on how to exclude it in the Eset settings.
-
First of all, both ESET and NextDNS are paid services to me, so "stop using it" is not a good option. Have been using them for years without issues.
ESET is not a broken product, it's HTTPS scanning is a feature that most paid and endpoint antivirus providers offer.
Seems like the website use ZeroSSL indeed, but DNS queries are made to different servers at different times and one of them is Russia related so thats why ESET thinks it's revoked (maybe it really is/was). Because it was working for year or so without issues and started recently.
Content aside
- 2 yrs agoLast active
- 6Replies
- 493Views
-
2
Following