EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Disable default DNS.

#18786
Posted: 01/21/2012 10:07:11
by Petr Munzar (Standard support level)
Joined: 06/06/2011
Posts: 15

Hello,

I would like to use an alternative DNS server, like Google DNS (8.8.8.8), instead of the system DNS, and not use the system DNS at all.

My Code:

Code
HTTPSClient.DNS.Enabled = true;
HTTPSClient.DNS.UseSecurity = false;
HTTPSClient.DNS.Servers.Add("8.8.8.8");


It seems that it still tries to use the default system DNS. When I set the system DNS to a non-existent address, it waits a few seconds and then uses Google DNS.


Petr Munzar, programmer of Identity Cloaker (www.identitycloaker.com), Czech Republic
#18787
Posted: 01/21/2012 10:40:38
by Eugene Mayevski (EldoS Corp.)

I have traced through the source code and didn't see any problems - only your explicitly specified server is used. System servers are used only if DNS.Enabled is false.
#18788
Posted: 01/21/2012 12:49:57
by Petr Munzar (Standard support level)
Joined: 06/06/2011
Posts: 15

OK, sorry, I have misled you a little bit. I have used Wireshark and figured it out.
The problem is in this code:

Code
private void HTTPSClient_OnCertificateValidate(object Sender, SBX509.TElX509Certificate X509Certificate, ref bool Validate)
{
    TSBCertificateValidity Validity = TSBCertificateValidity.cvInvalid;
    int Reason = 0;

    // Run the full validation only once per handshake: when the event reports the
    // end-entity certificate (first element of the chain) or no chain is attached.
    if ((X509Certificate.Chain == null) || (X509Certificate.Chain.get_Certificates(0) == X509Certificate))
    {
        // ValidateForSSL may fetch CRLs or query OCSP responders. Those requests are
        // made by the validator, not by HTTPSClient, so HTTPSClient.DNS does not apply.
        CertificateValidator.ValidateForSSL(X509Certificate, HTTPSClient.RemoteHost, HTTPSClient.RemoteIP,
            TSBHostRole.hrServer, null, false, false, DateTime.Now, ref Validity, ref Reason);

        // Note: this sample also accepts self-signed server certificates.
        Validate = (Validity == TSBCertificateValidity.cvOk) || (Validity == TSBCertificateValidity.cvSelfSigned);
    }
    else
    {
        // Intermediate and root certificates were already covered by the chain check above.
        Validate = true;
    }
}

(I have copied it from your sample code.) It uses the default DNS. This is why it waits until the timeout. So I guess that I will not be validating the certificate with the alternative DNS?


Petr Munzar, programmer of Identity Cloaker (www.identitycloaker.com), Czech Republic
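The check described in the post above, done programmatically: an added example (not code from the thread, from Identity Cloaker or from SecureBlackbox) that audits a capture of outgoing DNS queries and reports every lookup that did not go to the resolver you configured. It assumes the capture was exported with something like `tshark -Y "dns.flags.response == 0" -T fields -e frame.time_relative -e ip.dst -e dns.qry.name` (tab-separated: time, resolver address, queried name); the sample capture embedded below is constructed, and 192.0.2.53 stands in for the system resolver.

```python
"""Audit a DNS-query capture for lookups sent to a resolver other than the configured one.

Added example; the input format assumes a tab-separated tshark field export
(frame.time_relative, ip.dst, dns.qry.name) containing only DNS queries.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed capture (not a real trace): the HTTPS client resolves the target host
# through 8.8.8.8, but the CRL and OCSP lookups made during certificate validation
# go to the system resolver (192.0.2.53, an RFC 5737 documentation address) and are
# retried because that resolver does not answer.
SAMPLE_CAPTURE = """\
0.000000\t8.8.8.8\twww.example.com
0.031200\t192.0.2.53\tcrl.ca.example
1.032900\t192.0.2.53\tcrl.ca.example
2.034100\t192.0.2.53\tcrl.ca.example
4.040500\t192.0.2.53\tocsp.ca.example
5.041000\t192.0.2.53\tocsp.ca.example
5.900000\t8.8.8.8\twww.example.com
"""


@dataclass
class Leak:
    """One queried name that reached a resolver outside the allowed set."""
    name: str
    resolver: str
    first_seen: float   # seconds into the capture
    count: int = 0      # how often it was (re)sent, i.e. the retry pattern


def parse_queries(text):
    """Yield (time, resolver_ip, queried_name) for each non-empty capture line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        t, dst, name = line.split("\t")
        yield float(t), dst, name.rstrip(".").lower()


def find_dns_leaks(text, allowed_resolvers):
    """Return Leak records for queries sent outside `allowed_resolvers`,
    grouped by (name, resolver) and ordered by first appearance."""
    allowed = set(allowed_resolvers)
    leaks = {}
    for t, dst, name in parse_queries(text):
        if dst in allowed:
            continue
        key = (name, dst)
        if key not in leaks:
            leaks[key] = Leak(name, dst, t)
        leaks[key].count += 1
    return sorted(leaks.values(), key=lambda leak: leak.first_seen)


def queries_per_resolver(text):
    """Count how many queries each resolver address received."""
    counts = defaultdict(int)
    for _, dst, _ in parse_queries(text):
        counts[dst] += 1
    return dict(counts)


if __name__ == "__main__":
    for leak in find_dns_leaks(SAMPLE_CAPTURE, {"8.8.8.8"}):
        print(f"LEAK {leak.name} -> {leak.resolver} x{leak.count} "
              f"(first at {leak.first_seen:.3f}s)")
    print(queries_per_resolver(SAMPLE_CAPTURE))
```

Anything reported by `find_dns_leaks` after you set `HTTPSClient.DNS.Servers` is a lookup made by some other code path; in this thread it is the CRL/OCSP retrieval done inside the certificate validator, and the repeated queries to the unreachable system resolver are the pause seen before the handshake completes.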
#18789
Posted: 01/21/2012 13:27:02
by Eugene Mayevski (EldoS Corp.)

No, why should it? You have specified DNS only for the HTTPSClient which you use to send a request.

In your code snippet ValidateForSSL probably sends a CRL or OCSP request during validation, and this goes through the default DNS, of course. You can handle TElX509CertificateValidator's events, namely OnBefore*Use, and tune the HTTP client used in the CRL retriever and OCSP responder. Or you can create your own CRL retriever and OCSP responder; a sample for doing this is present in SecureBlackbox 9.1.213 in the \Samples\Delphi\PKI\CertValidator sample (I've copied our classes' source code there and simplified it a bit).


Sincerely yours
Eugene Mayevski
#18790
Posted: 01/21/2012 14:08:26
by Petr Munzar (Standard support level)
Joined: 06/06/2011
Posts: 15

OK, thank you. I will do that. And a last question: does the HTTPSClient DNS support caching? For example, if I read data from www.google.com three times in 10 seconds, will it avoid asking the DNS server three times (and save some time)?


Petr Munzar, programmer of Identity Cloaker (www.identitycloaker.com), Czech Republic
#18791
Posted: 01/22/2012 03:35:08
by Eugene Mayevski (EldoS Corp.)

Not at the moment. You can add an idea to the wishlist to see how popular it is, but since this is the first time the question about using custom DNS servers has been asked, I believe this is not a widespread feature. But who knows ...


Sincerely yours
Eugene Mayevski
#18792
Posted: 01/22/2012 03:51:14
by Eugene Mayevski (EldoS Corp.)

I've missed the point that you have the source code, so you don't need a sample; just look into SBHTTPOCSPClient.pas and SBHTPCRL.pas.


Sincerely yours
Eugene Mayevski
As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.
