"Failed to connect to 1.1.1.1 port 443: No route to host" when DNS transit requests blocked
Question
helcoder
Good day, everyone!
In DNS Resolution Profiles, a profile named google is configured with the address 8.8.8.8, and it is set to "Transit requests blocked". A client that has this profile selected cannot open https://1.1.1.1/help/
If I switch it to "Transit requests allowed", everything starts working right away:
curl https://1.1.1.1/help -v
*   Trying 1.1.1.1:443...
* TCP_NODELAY set
* Connected to 1.1.1.1 (1.1.1.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare-dns.com
*  start date: Jul 30 00:00:00 2024 GMT
*  expire date: Jan 21 23:59:59 2025 GMT
*  subjectAltName: host "1.1.1.1" matched cert's IP address!
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56243c0030e0)
> GET /help HTTP/2
> Host: 1.1.1.1
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 301
< date: Fri, 22 Nov 2024 14:09:07 GMT
< content-length: 0
< location: https://one.one.one.one/help
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ush%2F6SN%2FttSZ6SJJivW1%2FylLGcA6q6gmbQ3GHoNoJRKLQM5TzjT3ikkMgi0la6hQ3TGOj%2BJxCE%2B4Vzr%2FIRt3R1Xhvkinwb%2FJYS0wq%2F4nqP9Tp0B2la7YWiE%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"report_to":"cf-nel","max_age":604800}
< server: cloudflare
< cf-ray: 8e697ed88ef0ec5b-DME
<
* Connection #0 to host 1.1.1.1 left intact

Can you tell me why it behaves this way? I haven't noticed problems with other resources, and here the request goes directly by IP anyway, so I don't quite understand what DNS has to do with it.
1 answer to this question