Volume Key Server - Don't block DNS over TLS

[buckohfive]

Hi!

Since this took me several days to puzzle through, I'll post my findings in the hopes that someone might also be having the same issue.

There is an error case where MakeMKV does not/is not able to download the latest SDF and/or latest volume keys. In an effort to bypass unfriendly DNS servers, MakeMKV will attempt to use DNS over TLS to several IPs (observed: 8.8.8.8, 1.1.1.1, 9.9.9.10). If you're the security-conscious type, you might be running your own DNS server and ensuring DNS queries from within your network route through by blocking public DNS servers - this is quite easy to do in pfSenss via pfBlockNG, or via a PiHole or similar.

MakeMKV does not alert to failure to resolve DNS; instead, it silently fails. You are not receiving the latest keys if you do not have the line "Downloading latest SDF to C:\Users\USER/.MakeMKV ..." in your log. The solution is to unblock 8.8.8.8:443 (or one of the others) for MakeMKV while you're using it.

Mike - maybe an error message about blocked DNS lookup?

Keep being awesome.

[Woodstock]

There's also the simple bypass of the lock, using your system's existing hosts file, detailed here...

[buckohfive]

Re: /etc/hosts, good idea; its host specific.

My larger point was, I didn't know I hadn't downloaded a file from the beginning of a new install of MakeMKV because there was no warning. It just generated tgz files to send for decryption. So I fussed for several days until I noted the blocked DNS over TLS blocks in my firewall logs - was the only indication that there was a problem.

[Woodstock]

The "silently fails" is a dual-edged sword. Unless you do something that requires a download, it doesn't complain about it. Do something that requires it, though... and you'll get a message, but not a big warning.

That's why the truly cautious can disable the hosts entry when they KNOW it doesn't require a download, preventing unwanted connections.