Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  • Source:
  • Query: Use API directly (see below), or use with the wrapper script getdns_query (run 'make test' then getdns_query is found in the test directory):
    • getdns_query @<serverIP> -s -A -O  (Pipelined TCP queries)
    • getdns_query @<serverIP> -s -A -L  (Pipelined TLS queries)
    • getdns_query @<serverIP> -s -A -E  (Pipelined TLS queries with fallback to TCP)


  • Note that in this release when using these options, the TLS handshake made during the first resolution on given context will block other asynchronous calls.
  • No authentication is done in this implementation with regard to the certificate presented by the upstream server.
  • IPv6 support has not yet been tested.
  • It is planned to add STARTTLS as an option in the next release.
  • Note that the transport options available in the API are under review and are likely to change to better support flexible fallback mechanisms and options for TCP/TLS/STARTTLS.

Servers supporting DNS-over-TLS

Open resolver hosted by NLNetLabs:

  • NLNetLabs is kindly hosting an open resolver (running Unbound) configured to support  DNS-over-TLS on port 1021 for testing purposes.
    • IP address: and 2a04:b900:0:100::38
    • The server key file can be obtained by contacting

Authoritative server hosted by Verisign:

  • Verisign Labs are kindly hosting a zone on a server (running a patched version of NSD) configured to support DNS-over-TLS on port 1021 for testing purposes
    • The zone is named and it has A, AAAA, and TXT records for names from 'A' to 'Z'. 

    • The IP address of the server is currently

    • Server key file is available to download here: nsd.key

    • The zone is signed

    • The server also support TCP fast open


How to Decode TLS packets in Wireshark