Skip to content
Skip to breadcrumbs
Skip to header menu
Skip to action menu
Skip to quick search

DNS Privacy Project

Skip to end of banner Go to start of banner

DNS-over-TLS test servers

Skip to end of metadata

Created by Sara Dickinson, last modified on May 09, 2015

Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Servers supporting DNS-over-TLS

The following servers are configured to support TLS on port 1021 and STARTTLS on port 53 for testing purposes.

Open resolver

Hosted by the getdns API implementation project at getdnsapi.net (running a patched version of Unbound):
- IP address: 185.49.141.38 and 2a04:b900:0:100::38
- The server key file is available for download here: 185.49.141.38-unbound.key

Authoritative getdnsapi.net servers

The authoritative servers for getdnsapi.net are running a patched version of NSD:
- IP address: 185.49.141.37 and 2a04:b900:0:100::37
- The server key file is available for download here: 185.49.141.37-nsd.key

Authoritative test server hosted by Verisign Labs:

Verisign Labs are kindly hosting a test zone on a server (running a patched version of NSD):
- The zone is named starttls.verisignlabs.com and it has A, AAAA, and TXT records for names from 'A' to 'Z'.
- The IP address of the server is currently 173.255.254.151.
- Server key file is available to download here: nsd.key
- The zone is signed
- This server also supports TCP fast open

How to Decode TLS packets in Wireshark

If you want to decode the DNS packets in Wireshark (use 1.12.1 or later) to get support TLSv1.2

Obtain the server key file
Configure the key in wireshark in Edit->Preferences
- open the protocol list in the right hand menu and select SSL from the list
- Click on the RSA keys list 'Edit' box and then click on 'New' in the dialog that appears
  - Enter remote servers IP address e.g.173.255.254.151 and the port for TLS (1021), and 'http' or 'spdy' for the protocal (DNS is not yet available here).
  - Use the Key File selector to choose the key file you downloaded
- Save this by hitting OK, OK and Apply.
- Back in the main window use the Analyze->Decode as... option to choose to decode as SSL
- Click on one of the packets labelled 'Application data' and you should see an additional tab appear in the Packet bytes view window of wireshark labelled "Decrypted SSL data".

No labels