Blocking or allowing domains should not mess up SSL. Is there anything else filtering or intercepting the trafic ?
this post was submitted on 01 Jan 2026
147 points (92.5% liked)
Technology
78341 readers
4350 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
Nope when I turn off Adguard DNS implementation (which uses the phone’s VPN slot), the app works normally.
What's configured for blocked domains? If you answer with a custom IP the SSL won't match the domain name. Try nxdomain instead.
It was on default (i.e 0.0.0.0). Switching to NXDOMAIN worked. Thanks.
Don't delete your post, update it with the proper info so others know the fix in the future
Yep did that just now. Also added a context.
Usually DNSBL will do this, yes.
“Network with invalid server certificate” lol wtf is that supposed to mean?
It means they know the hash or whatever for their cert, and intentionally fail if there's any kind of MITM funkiness (which you'd have for an ad blocker doing https intercept)
It could also be that the app is looking at parameters other than the hash (which would probably be that of the certificate authority rather than the domain's certificate), like the CN, which is potentially fakeble. You can also try to mess with the APK file, maybe find the strings associated with the certificate check and replace them. I won't fault the app's authors for making such a check though, MITM is so easy to do without certificate validation.
HTTPS filtering in adguard requires the installation of a user certificate by adguard to filter HTTPS traffic. Apps like firefox complain and won't work unless you allow user CA
Maybe I do not understand the vector here, but I think you should be able to use a DNS filter log, like a whitelist firewall. Use the log to see what servers are blocked when you try to open the app. Then just whitelist those servers.
The proper argument is not for Ad Block. That is just a lazy hack. The proper argument is that you have a right to a front door on your home – a digital front door, a right to lock it, and a right to decide who may enter your home. This is what a DNS whitelist filter does. If you are not allowed to use a DNS whitelist, your home has had the door ripped off and are being forced to allow stalkers, thieves, and slavers into your home to manipulate and exploit you. Never talk about ad block. That is politically irrelevant. I do not care if the lock on your front door in the real world has great pick resistance. It is just as much a symbol as it is a device. The primary reason for losing rights is from people failing to argue well, and understand their rights like this. I am one of the few people that does DNS the hard way and run a whitelist filter.
All the blocked requests are app analytics and trackers. Whitelisting them will defeat the purpose. I might just switch to Google Pay’s UPI rather than fighting the government app or just use cash.
Also using DNS filters in a whitelist mode is very inefficient and defeats the purpose of using the internet. I don’t want to make a fool of myself in front of my friends when I am unable to figure out which domains does the restaurant’s digital menu uses so I can go and whitelist them.
You have multiple devices and networks.
Please cross-post to a privacy community. Ultimately, this sounds like it's going to produce a situation where a dumbphone that allows for hotspots and them a smartphone without UPI or a SIM and with a VPN are a workable solution.
Which app is this? BHIM?
It literally says that in the screenshot