If you want to try out DNS-over-TLS, the instructions are listed below.
Try DNS-over-TLS
Grab a DNS-over-TLS client tool:
- Grab the latest version of getdns or
- Grab the patch to ldns-1.6.17
Query a public NSD server patched to support DNS-over-TLS:
- Verisign Labs are kindly hosting a zone on a server running NSD patched to support DNS-over-TLS for testing purposes.
The zone is named starttls.verisignlabs.com and it has A, AAAA and TXT records for the names 'A' to 'Z'.
The IP address of the server is currently 184.108.40.206; it might change, so check for yourself.
- To query with getdns, run 'make getdns_query' to generate the getdns_query wrapper script in the test directory, then run one of:
  - getdns_query @<serverIP> -s -a -A -l L (pipelined TLS queries)
  - getdns_query @<serverIP> -s -a -A -l LT (pipelined TLS queries with fallback to TCP)
  - getdns_query @<serverIP>~<hostname> -s -a -A -l L -m (pipelined TLS queries in strict mode, using the server hostname for authentication)
To query this with drill, use: (the IP address is used here simply to stop server name resolution falling back to TCP because your local resolver doesn't support DNS-over-TLS).
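The pipelined and strict-mode queries above rely on two things the page does not spell out: DNS over TLS keeps the 2-byte length framing DNS uses over TCP, and pipelined answers may come back in any order, so the client pairs them with queries by message ID. The following is an added example (not part of this page, getdns or ldns) that shows that framing, the ID matching, and a strict-mode connection in the spirit of getdns_query -m; it assumes the RFC 7858 port 853 (the test server described on this page listened on 53) and the constructed names A/B/C.starttls.verisignlabs.com.

```python
import socket
import ssl
import struct

def msg_id(msg):
    """The 16-bit ID in the first two bytes of a DNS message."""
    return struct.unpack("!H", msg[:2])[0]

def build_query(qname, qtype, qid):
    """Minimal DNS query: 12-byte header plus one question (QCLASS IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD bit set
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(x)]) + x.encode("ascii") for x in labels)
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg):
    """DNS over TCP/TLS prefixes every message with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def read_messages(buf):
    """Split framed messages out of a receive buffer; return (msgs, rest)."""
    msgs = []
    while len(buf) >= 2:
        n = struct.unpack("!H", buf[:2])[0]
        if len(buf) < 2 + n:  # partial message: wait for more bytes
            break
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf

def match_responses(queries, responses):
    """Pair pipelined (possibly reordered) responses with queries by ID."""
    pending = {msg_id(q) for q in queries}
    return {msg_id(r): r for r in responses if msg_id(r) in pending}

def query_over_tls(server_ip, hostname, queries, port=853):
    """Pipelined query over one TLS connection, strict like getdns_query -m:
    the cert must validate and match `hostname`. Port 853 is an assumption."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    with socket.create_connection((server_ip, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=hostname) as tls:
        tls.sendall(b"".join(frame(q) for q in queries))  # pipelined send
        buf, msgs = b"", []
        while len(msgs) < len(queries):
            chunk = tls.recv(4096)
            if not chunk:  # server closed before answering everything
                break
            buf += chunk
            got, buf = read_messages(buf)
            msgs.extend(got)
    return match_responses(queries, msgs)
```

A call such as query_over_tls("<serverIP>", "<hostname>", [build_query("A.starttls.verisignlabs.com", 1, 1)]) performs the live exchange; the framing and matching functions can be exercised offline on constructed messages.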
Decode in Wireshark
If you want to decode the DNS packets in Wireshark (use 1.12.1 or later):
- download the server key file: nsd.key
- configure the key in Wireshark in Edit->Preferences:
- open the protocol list in the right-hand menu and select SSL from the list
- Click on the RSA keys list 'Edit' box and then click on 'New' in the dialog that appears
- Enter '220.127.116.11' for the IP address, '53' for the port and 'http' or 'spdy' for the protocol (DNS is not yet available here).
- Use the Key File selector to choose the nsd.key file you downloaded
- Save this by hitting OK, OK and Apply.
- Back in the main window use the Analyze->Decode as... option to choose to decode as SSL
- Click on one of the packets labelled 'Application data' and you should see an additional tab appear in the Packet Bytes view of Wireshark labelled "Decrypted SSL data".
- The starttls.verisignlabs.com zone is signed
- The verisignlabs.com server also supports TCP Fast Open, as do both drill and digit.