Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 11 Next »

 

Servers supporting DNS-over-TLS

The following servers are configured to support TLS on port 1021 and STARTTLS on port 53 for testing purposes.

Open resolver

  • Hosted by the getdns API implementation project at getdnsapi.net (Unbound 1.5.6):

    • IP address: 185.49.141.38 and 2a04:b900:0:100::38
    • (Note this server does not support UDP)

Authoritative test server hosted by Verisign Labs:

  • Verisign Labs are kindly hosting a test zone on a server (running a patched version of NSD):

    • The zone is named dns-over-tls.verisignlabs.com and it has A, AAAA, and TXT records for names from 'L001' to 'L100'. 

    • The IP address of the server is currently 173.255.254.151

    • Server key file is available to download here: nsd.key

    • The zone is signed

    • This server also supports TCP fast open

Authoritative getdnsapi.net servers [currently offline]

  • The authoritative servers for getdnsapi.net are running a patched version of NSD:
  • IP address: 185.49.141.37 and 2a04:b900:0:100::37
  • The server key file is available for download here: 185.49.141.37-nsd.key
Server typeHosted byIP addressesServer keyHostname for TLS authentication
Open Resolvergetdnsapi.net

185.49.141.38

2a04:b900:0:100::38

 getdnsapi.net
Authoritativegetdnsapi.net

185.49.141.37

2a04:b900:0:100::37

185.49.141.37-nsd.key 
AuthoritativeVerisign Labs173.255.254.151nsd.key

starttls.verisignlabs.com [Note that this

is a self-signed certificate so does not pass

authentication by default.]

 

How to Decode TLS packets in Wireshark

If you want to decode the DNS packets in Wireshark (use 1.12.1 or later) to get support TLSv1.2

  • Obtain the server key file

  • Configure the key in wireshark in Edit->Preferences

    • open the protocol list in the right hand menu and select SSL from the list
    • Click on the RSA keys list 'Edit' box and then click on 'New' in the dialog that appears
      • Enter remote servers IP address e.g.173.255.254.151 and the port for TLS (1021), and 'http' or 'spdy' for the protocal (DNS is not yet available here).
      • Use the Key File selector to choose the key file you downloaded
    • Save this by hitting OK, OK and Apply.
    • Back in the main window use the Analyze->Decode as... option to choose to decode as SSL
    • Click on one of the packets labelled 'Application data' and you should see an additional tab appear in the Packet bytes view window of wireshark labelled "Decrypted SSL data".

 

  • No labels