Parental control certificate error dns.adguard.com #6639
Replies: 1 comment
The reason for this error message is simple: When you access a page via HTTPS, your browser expects a valid SSL certificate from the responding web server. This certificate should be issued in the name of the domain being accessed. However, if Adguard blocks such a page, it responds to your browser with the address of an Adguard web server. In this specific case, it uses a certificate issued to dns.adguard.com to respond with the 'parental control' page, as you have correctly recognized.

Why isn't it easy for Adguard to solve this problem? Because valid SSL certificates must always include the name or IP of the website being accessed AND be issued by a trusted Certificate Authority at the same time. The reason is simple: Your browser aims to protect you from potential Man-in-the-Middle Attacks (MITM). An attacker uses various methods to try to redirect you to their web server under the guise of a trusted domain (e.g. my-bank.com), in order to steal data from you, for example. And to prevent this from happening, certificates are only issued to the valid owner of a domain or a trustworthy organization on behalf of this owner.

Why am I telling you this? Because that's basically what Adguard is doing here. It creates a MITM attack (responds to your DNS request with a different address) to redirect you to its web server so that your children, among others, can see that access to this site (adult-content.com) has been blocked for them by Adguard. In order to solve the problem, Adguard would have to generate or have issued a valid certificate for each domain that they redirect to their server as part of this parental control. Technically this is theoretically possible if Adguard themselves were recognized as a trusted Certificate Authority or you install their root certificate on each of your clients and trust it, but honestly I don't think that's going to happen. Because that again raises questions, especially related to the trustworthiness of Adguard, and would require strict regulation and many other measures to prevent abuse and ensure the security of the service.

What would be the alternative? The alternative would be to respond directly to blocked pages with the address of Adguard Home (i.e. your DNS server) and issue certificates for the requested domains. This would also technically be a MITM attack but, if configured, it is what you want. As already mentioned, however, this would require each Adguard Home instance to create its own root certificate for signing the SSL certificates and that you install these on your clients and trust them. Whether it is worth the effort and whether Adguard or a fork will ever implement this is questionable, but I personally do not want to judge that.
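The two checks the comment above describes (name must match the requested host, and the issuer must be trusted), modelled as an added example that is not AdGuard Home code. The certificate records are constructed from the names in this thread; "issuer is in the trust set" stands in for full chain validation, and the local-root certificate is hypothetical.

```python
"""Model the two checks a browser applies to a server certificate:
(1) a presented name must match the requested host, and
(2) the issuer must be in the trust store. Constructed data, not AdGuard code."""
from dataclasses import dataclass


@dataclass
class Cert:
    subject_cn: str
    sans: list          # Subject Alternative Names (dNSName entries)
    issuer: str


def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: case-insensitive; a wildcard is allowed only
    as the whole left-most label and covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Refuse bare "*.tld" and require the same number of labels.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_ok(cert: Cert, host: str) -> bool:
    # Browsers check the SAN list; the CN is only a fallback for old certs.
    names = cert.sans if cert.sans else [cert.subject_cn]
    return any(_name_matches(n, host) for n in names)


def verify(cert: Cert, host: str, trusted: set) -> dict:
    """Return both verdicts so the reason for a failure is visible."""
    return {"name_ok": hostname_ok(cert, host), "chain_ok": cert.issuer in trusted}


# Subject and issuer as reported in the question in this thread.
BLOCK_PAGE_CERT = Cert("dns.adguard.com", ["dns.adguard.com"],
                       "ZeroSSL ECC Domain Secure Site CA")
# Hypothetical certificate the alternative in the comment would produce:
# issued for the requested domain by a local AdGuard Home root.
LOCAL_CERT = Cert("adult-content.com", ["adult-content.com"],
                  "AdGuard Home local root (hypothetical)")
PUBLIC_TRUST = {"ZeroSSL ECC Domain Secure Site CA"}

if __name__ == "__main__":
    print(verify(BLOCK_PAGE_CERT, "adult-content.com", PUBLIC_TRUST))  # name fails
    print(verify(LOCAL_CERT, "adult-content.com", PUBLIC_TRUST))       # chain fails
    print(verify(LOCAL_CERT, "adult-content.com", PUBLIC_TRUST | {LOCAL_CERT.issuer}))
```

The first call reproduces the "Your connection is not private" case from the question; the last shows that the local-root approach only passes once that root is added to the client's trust store.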
Hi,
I have a question, maybe someone can help. I enabled the parental control, and it works fine: trying to access a prohibited page will be blocked, but instead of getting the green page with the bear with the message "We blocked this page because of parental filter restrictions" I get a "Your connection is not private" error with a certificate error. Checking the certificate, the CN issuer is "ZeroSSL ECC Domain Secure Site CA" and the CN issued to is dns.adguard.com. Now in Settings > Encryption I enabled the "DNS-over-HTTPS and DNS-over-TLS" option, under hosts I placed my own domain that I have, and I added the certificate and the private key for the certificate, which are validated fine. But I still get the same error.