Cloudflare ECH Conflict Resolver

A Comprehensive Guide to Fixing Internal Server Access on Proxied Domains

Understanding the Problem: Split-Horizon DNS vs. ECH

If you're using **Cloudflare** to proxy your public domains (like yourdomain.com) and also access those domains from **inside your home network** with a local DNS server (like Pi-hole or AdGuard Home), you might be encountering connection issues in modern browsers.

Specifically, **Google Chrome** and **Microsoft Edge** (and other Chromium-based browsers) have started to leverage a new privacy feature called **Encrypted Client Hello (ECH)**. While great for privacy, it creates a conflict with a common network setup known as **Split-Horizon DNS**.

The Error: Protocol Mismatch

You'll typically see errors like ERR_ECH_FALLBACK_CERTIFICATE_INVALID, ERR_SSL_PROTOCOL_ERROR, or ERR_ECH_NOT_NEGOTIATED. These indicate that your browser initiated a connection expecting ECH, but your internal server didn't respond correctly, leading to a failed handshake.

The Cloudflare Trigger: HTTPS (Type 65) Records

Cloudflare automatically publishes a new type of DNS record called an **HTTPS Resource Record (Type 65)** for proxied domains. This record contains the necessary ECH configuration data, effectively telling compatible browsers to use ECH.

The Split-Horizon Breakdown

With Split-Horizon DNS, your local DNS server correctly answers the A query for your domains with the **internal IP address**. However, it usually *doesn't* hold a matching **HTTPS (Type 65)** record for those names. Chrome therefore gets the internal IP from your local DNS but the ECH-enabled HTTPS record from an external source (such as Cloudflare's public resolvers). That mismatch, an internal IP paired with an ECH configuration only Cloudflare's edge can honour, causes the handshake to fail.

The Solution: Publish a Blank ECH Override Locally

By configuring your local DNS server to *also* publish a **blank** (dummy) Type 65 record for the same names, you override the external ECH record and force the browser to fall back gracefully to a standard HTTPS connection to your internal IP.
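The following added example (not part of this guide, and not a Cloudflare, Pi-hole or AdGuard tool) makes the two preceding sections concrete: it decodes the wire format of an HTTPS (Type 65) record as laid out in RFC 9460, reports whether the record carries an ech parameter (SvcParamKey 5), and classifies an A-answer/HTTPS-answer pair the way the guide describes. The record bytes are constructed samples: CLOUDFLARE_STYLE mimics the shape of a proxied-domain record (the 104.16.0.1 hint and the deadbeef ECH blob are placeholders, not real Cloudflare data), and BLANK_OVERRIDE is the empty local record from the solution section. The function and constant names are hypothetical; nothing here touches the network.

```python
"""Parse an HTTPS (type 65) record and spot the split-horizon ECH conflict.

Hypothetical helper written for this guide; it does not query any resolver.
Wire format follows RFC 9460: SvcPriority, TargetName, then SvcParams.
"""
from __future__ import annotations

import ipaddress
import struct

# SvcParamKey registry values (RFC 9460 section 14.3)
SVC_PARAM_NAMES = {
    0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
    4: "ipv4hint", 5: "ech", 6: "ipv6hint",
}


def _read_name(data: bytes, offset: int) -> tuple[str, int]:
    """Read an uncompressed wire-format domain name; return (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not allowed in SVCB TargetName")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return (".".join(labels) + "." if labels else "."), offset


def parse_https_rdata(rdata: bytes) -> dict:
    """Decode HTTPS RDATA into priority, target name and a dict of SvcParams."""
    (priority,) = struct.unpack_from("!H", rdata, 0)
    target, offset = _read_name(rdata, 2)
    params: dict[str, bytes] = {}
    last_key = -1
    while offset < len(rdata):
        key, length = struct.unpack_from("!HH", rdata, offset)
        offset += 4
        if key <= last_key:  # RFC 9460 requires strictly increasing keys
            raise ValueError("SvcParamKeys out of order or duplicated")
        value = rdata[offset:offset + length]
        if len(value) != length:
            raise ValueError("truncated SvcParamValue")
        offset += length
        params[SVC_PARAM_NAMES.get(key, f"key{key}")] = value
        last_key = key
    return {"priority": priority, "target": target, "params": params}


def decode_alpn(value: bytes) -> list[str]:
    """The alpn SvcParamValue is a sequence of length-prefixed protocol IDs."""
    ids, offset = [], 0
    while offset < len(value):
        n = value[offset]
        ids.append(value[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return ids


def diagnose(a_answer: str, https_rdata: bytes | None) -> str:
    """Classify what a Chromium browser faces given the A answer and HTTPS RDATA."""
    internal = ipaddress.ip_address(a_answer).is_private
    if https_rdata is None:
        return "ok-no-https-record"          # plain TLS, ECH never attempted
    has_ech = "ech" in parse_https_rdata(https_rdata)["params"]
    if has_ech and internal:
        return "split-horizon-ech-conflict"  # the ERR_ECH_* case from the guide
    if has_ech:
        return "ok-ech-via-cloudflare"       # public IP, Cloudflare edge terminates ECH
    return "ok-blank-override"               # record present but no ech: graceful fallback


# Constructed sample resembling a proxied-domain record: priority 1, target ".",
# alpn h3/h2, one ipv4hint, and a 4-byte placeholder ECH blob (not a real ECHConfigList).
CLOUDFLARE_STYLE = (
    b"\x00\x01" + b"\x00"
    + b"\x00\x01\x00\x06" + b"\x02h3\x02h2"
    + b"\x00\x04\x00\x04" + bytes([104, 16, 0, 1])
    + b"\x00\x05\x00\x04" + b"\xde\xad\xbe\xef"
)
# Constructed blank override: priority 1, target ".", no SvcParams at all.
BLANK_OVERRIDE = b"\x00\x01" + b"\x00"

if __name__ == "__main__":
    rec = parse_https_rdata(CLOUDFLARE_STYLE)
    print(rec["priority"], rec["target"], decode_alpn(rec["params"]["alpn"]))
    print("internal IP + upstream record:", diagnose("192.168.1.10", CLOUDFLARE_STYLE))
    print("internal IP + blank override :", diagnose("192.168.1.10", BLANK_OVERRIDE))
    print("public IP   + upstream record:", diagnose("104.16.0.1", CLOUDFLARE_STYLE))
```

The classification mirrors the guide: a private A answer combined with an HTTPS record that carries ech is the failing combination, while the same private answer alongside a record with no ech parameter (the blank local override) is the state the fix produces. The strict-ordering and truncation checks in parse_https_rdata reject malformed records rather than silently treating them as "no ECH".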

Select Your Local DNS Server for the Fix

Choose your DNS server below. A detailed, step-by-step guide will appear in a modal window.