David Fifield
2018-10-16 19:19:33 UTC
I tried to probe the Cloudflare DNS over TLS service at 1.1.1.1:853. It
failed because the service only supports TLSv1.2 and TLSv1.3, and it
hangs up on Nmap's SSLSessionReq probe (which is SSLv3). I also tried
adding port 853 to TLSSessionReq, which is supposed to be TLSv1.2, but
even that didn't work. Wireshark identified the TLSSessionReq probe as
"SSL 3.0", so I tried changing "^\x16\x03\0" to "^\x16\x03\x03", but
that didn't work either.

    $ sudo ./nmap -p 853 --version-trace 1.1.1.1 -sV
    ...
    Service scan sending probe SSLSessionReq to 1.1.1.1:853 (tcp)
    ...
    NSOCK INFO [6.6290s] nsock_trace_handler_callback(): Callback: READ EOF for EID 34 [1.1.1.1:853]
    ...
    Service scan sending probe TLSSessionReq to 1.1.1.1:853 (tcp)
    ...
    NSOCK INFO [6.7070s] nsock_trace_handler_callback(): Callback: READ EOF for EID 58 [1.1.1.1:853]
    ...
    PORT STATE SERVICE VERSION
    853/tcp open domain-s?

Here's documentation on the service.
https://developers.cloudflare.com/1.1.1.1/dns-over-tls/

    Cloudflare supports DNS over TLS on 1.1.1.1 and 1.0.0.1 on port
    853. The certificate presented is for cloudflare-dns.com.
    Cloudflare’s DNS over TLS supports TLS 1.3 and TLS 1.2.

Here's a test showing OpenSSL's s_client able to connect with TLSv1.2,
but not TLSv1.0 or TLSv1.1.

    $ openssl s_client -tls1 -connect 1.1.1.1:853
    SSL handshake has read 0 bytes and written 102 bytes
    $ openssl s_client -tls1_1 -connect 1.1.1.1:853
    SSL handshake has read 0 bytes and written 102 bytes
    $ openssl s_client -tls1_2 -connect 1.1.1.1:853
    SSL handshake has read 2632 bytes and written 269 bytes
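
Added example (not part of the original report and not Nmap code): a ClientHello states a protocol version in up to three places, the record header, the ClientHello's own version field, and the supported_versions extension, so this parser reports all three for a probe buffer, which helps when a dissector's label and a probe's intended version disagree as described above. The function names are this example's own, and the sample bytes are constructed here, not Nmap's probe bytes.

```python
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def name(v):
    return VERSIONS.get(v, "unknown 0x%04x" % v)

def client_hello_versions(data):
    """Return (record version, ClientHello version, supported_versions list)."""
    try:
        ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
        body = data[5:5 + rec_len]
        if ctype != 0x16 or body[0] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        hello_ver = struct.unpack("!H", body[4:6])[0]
        pos = 38                       # 4 handshake header + 2 version + 32 random
        pos += 1 + body[pos]           # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]           # compression_methods
        supported = []
        if pos + 2 <= len(body):       # extensions block is optional
            end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            while pos + 4 <= min(end, len(body)):
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                ext = body[pos + 4:pos + 4 + elen]
                if etype == 43:        # supported_versions (RFC 8446)
                    supported = [name(struct.unpack("!H", ext[i:i + 2])[0])
                                 for i in range(1, 1 + ext[0], 2)]
                pos += 4 + elen
    except (IndexError, struct.error):
        raise ValueError("truncated or malformed ClientHello")
    return name(rec_ver), name(hello_ver), supported

def sample_hello(rec_ver, hello_ver, exts=b""):
    """Constructed ClientHello: zeroed random, one cipher suite, optional extensions."""
    hello = (struct.pack("!H", hello_ver) + bytes(32) + b"\x00"
             + b"\x00\x02\x00\x2f" + b"\x01\x00")
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + struct.pack("!I", len(hello))[1:] + hello
    return b"\x16" + struct.pack("!HH", rec_ver, len(hs)) + hs

if __name__ == "__main__":
    sv = b"\x00\x2b\x00\x05\x04\x03\x04\x03\x03"   # offers TLS 1.3 and TLS 1.2
    for buf in (sample_hello(0x0300, 0x0300), sample_hello(0x0300, 0x0303),
                sample_hello(0x0301, 0x0303, sv)):
        print(client_hello_versions(buf))
```
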