DNS Privacy Project

Note: this is an old version (version 19) of this page.


LDNS (drill) 1.6.17

  • Source: ldns 1.6.17 source code, available from this link to NLnet Labs: ldns-1.6.17
  • Patch: Grab and apply the patch to ldns-1.6.17 from our git repository. Also see the notes here.
  • Query: To query this with drill use the commands below (the IP address is used here simply to stop the server name resolution falling back to TCP because your local resolver doesn't support DNS-over-TLS):

    • drill -t @<serverIP> <query name>          (to see a TCP query)

    • drill -l -p1021 @<serverIP> <query name>   (to see a TLS query)

    • drill -C @<serverIP> <query name>          (to see a STARTTLS query)

    • drill -C -D @<serverIP> <query name>       (to do a DNSSEC lookup using STARTTLS)

Digit 1.4

  • Source: Grab the digit client DNS-over-TLS tool from the ISI website:
  • Query: Build digit with openssl:

    • create a file called queries containing a query name

    • ./digit -f queries -r <serverIP> -V -t tcp   (to see a TCP query)

    • ./digit -f queries -r <serverIP> -V -t ssl   (to see a DNS-over-TLS query)

getdns 0.3

  • Source:  https://github.com/getdnsapi/getdns
  • Query: Use API directly (see below), or use with the wrapper script getdns_query (run 'make test' then getdns_query is found in the test directory):
    • getdns_query @<serverIP> -s -A -l T  (Pipelined TCP queries)
    • getdns_query @<serverIP> -s -A -l L  (Pipelined TLS queries)
    • getdns_query @<serverIP> -s -A -l S  (Pipelined STARTTLS queries)
    • getdns_query @<serverIP> -s -A -lLT  (Pipelined TLS queries with fallback to TCP)

getdns API

In the 0.3 release of getdns there is an experimental implementation of the new transport options in section 8.3 of the API:

   getdns_context             *context,
   size_t                      transport_count, 
   getdns_transport_list_t    *transports);

"The 'transports' array contains an ordered list of transports that will be used for DNS lookups. If only one transport value is specified it will be the only transport used. Should it not be available basic resolution will fail. Fallback transport options are specified by including multiple values in the list. The values are
The default is a list containing GETDNS_TRANSPORT_UDP then GETDNS_TRANSPORT_TCP."


  • This implementation defaults to using port 1021 for TLS (this can be overridden in the upstream attribute 'tls_port').
  • These two transport values are not yet fully supported for recursive mode. See the table below for details.
  • No authentication is done in this implementation with regard to the certificate presented by the upstream server, so the TLS session protects the queries against passive eavesdropping but not against an active attacker who presents a certificate of their own.

  Transport option          Recursive mode    Stub mode
  TLS as only option        Not supported     Fully supported
  STARTTLS as only option   Not supported     Fully supported

* Uses TLS v1.2 only
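The ordered-transport semantics quoted above (a one-entry list never falls back, a multi-entry list such as the getdns_query '-lLT' case falls back to the next transport) and the certificate note are easy to get wrong when writing a client. The following is an added example, not code from the page or from getdns itself: a small stub resolver in Python that builds a DNS query, frames it with the two-octet length prefix shared by TCP, TLS and STARTTLS, and walks a getdns-style transport list. Unlike the 0.3 build described above, its TLS path always verifies the server certificate and insists on TLS 1.2 or later. The server address 192.0.2.1, the port constant TLS_PORT (the page's 1021; IANA later assigned 853 to DNS-over-TLS) and the two offline stand-in handlers are assumptions made for the example.

```python
import random
import socket
import ssl
import struct

# Port used by the clients on this page; IANA later assigned 853 to DNS-over-TLS.
TLS_PORT = 1021


def build_query(qname, qtype=1, qid=None):
    """Build a wire-format DNS query (one question, RD set). Returns (id, message)."""
    qid = random.randrange(0, 0x10000) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return qid, header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(message):
    """TCP, TLS and STARTTLS all carry DNS messages behind a two-octet length prefix."""
    return struct.pack("!H", len(message)) + message


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("stream closed mid-message")
        buf += chunk
    return buf


def read_message(sock):
    """Read one length-prefixed DNS message from a stream socket."""
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)


def parse_header(message):
    """Return the header fields needed to judge a response."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {"id": qid, "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def query_tcp(server_ip, message, port=53, timeout=3.0):
    with socket.create_connection((server_ip, port), timeout=timeout) as s:
        s.sendall(frame(message))
        return read_message(s)


def query_tls(server_ip, message, port=TLS_PORT, server_name=None, timeout=3.0):
    """DNS-over-TLS with the peer certificate verified against the system trust store."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if server_name is None:
        ctx.check_hostname = False                # IP-only peer: chain is still verified
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as s:
            s.sendall(frame(message))
            return read_message(s)


HANDLERS = {"TCP": query_tcp, "TLS": query_tls}


def resolve(server_ip, qname, transports, handlers=HANDLERS):
    """Try transports in order with getdns list semantics: a one-entry list never
    falls back; a multi-entry list moves to the next entry when one fails."""
    qid, message = build_query(qname)
    failures = []
    for name in transports:
        try:
            response = handlers[name](server_ip, message)
        except OSError as exc:                    # ssl.SSLError is an OSError too
            failures.append((name, repr(exc)))
            continue
        header = parse_header(response)
        if header["id"] != qid:
            raise ValueError("response id does not match query id")
        return name, header
    raise RuntimeError("no transport succeeded: %r" % failures)


# Constructed offline stand-ins (assumption, for the demo and test): a blocked TLS
# port that refuses the connection, and a TCP peer echoing a NOERROR reply.
def blocked_transport(server_ip, message):
    raise ConnectionRefusedError("port %d unreachable" % TLS_PORT)


def echo_reply(server_ip, message):
    return message[:2] + b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + message[12:]


if __name__ == "__main__":
    fake = {"TLS": blocked_transport, "TCP": echo_reply}
    print(resolve("192.0.2.1", "example.com", ["TLS", "TCP"], handlers=fake))
    try:
        resolve("192.0.2.1", "example.com", ["TLS"], handlers=fake)
    except RuntimeError as exc:
        print("TLS only, TLS unreachable:", exc)
```

Against a live server, call resolve("<serverIP>", "<query name>", ["TLS"]) for the TLS-only case or ["TLS", "TCP"] for TLS with TCP fallback. The fallback form has a cost worth weighing: whatever blocks the TLS port (an outage or an on-path party) silently moves the query onto cleartext TCP, so a deployment that wants the privacy property should prefer the single-entry list and accept that resolution fails when TLS is unavailable.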

How to Decode TLS packets in Wireshark

To decode the DNS-over-TLS packets in Wireshark (use 1.12.1 or later, which supports TLSv1.2):

  • Obtain the server key file

  • Configure the key in wireshark in Edit->Preferences

    • open the protocol list in the right hand menu and select SSL from the list
    • Click on the RSA keys list 'Edit' box and then click on 'New' in the dialog that appears
      • Enter the remote server's IP address and the TLS port (1021), and 'http' or 'spdy' for the protocol (DNS is not yet available here).
      • Use the Key File selector to choose the key file you downloaded
    • Save this by hitting OK, OK and Apply.
    • Back in the main window use the Analyze->Decode as... option to choose to decode as SSL
    • Click on one of the packets labelled 'Application data' and you should see an additional tab appear in the Packet bytes view window of Wireshark labelled "Decrypted SSL data". Decrypting with the server's private key only works when the session used an RSA key exchange; with (EC)DHE cipher suites the server key alone cannot recover the session keys.

