Servers supporting DNS-over-TLS

The following servers are configured to support TLS on port 1021 and STARTTLS on port 53 for testing purposes.

Open resolver

• Hosted by the getdns API implementation project at getdnsapi.net (Unbound 1.5.6):

  • IP address: 185.49.141.38 and 2a04:b900:0:100::38
  • (Note this server does not support UDP)

Authoritative test server hosted by Verisign Labs:

• Verisign Labs are kindly hosting a test zone on a server (running a patched version of NSD):

  • The zone is named dns-over-tls.verisignlabs.com and it has A, AAAA, and TXT records for names from 'L001' to 'L100'. 

  • The IP address of the server is currently 173.255.254.151. 

  • Server key file is available to download here: nsd.key

  • The zone is signed

  • This server also supports TCP fast open

Authoritative getdnsapi.net servers [currently offline]

• The authoritative servers for getdnsapi.net are running a patched version of NSD:
• IP address: 185.49.141.37 and 2a04:b900:0:100::37
• The server key file is available for download here: 185.49.141.37-nsd.key

How to Decode TLS packets in Wireshark

If you want to decode the DNS packets in Wireshark (use 1.12.1 or later) to get support TLSv1.2

• Obtain the server key file

• Configure the key in wireshark in Edit->Preferences

  • open the protocol list in the right hand menu and select SSL from the list
  • Click on the RSA keys list 'Edit' box and then click on 'New' in the dialog that appears
    • Enter remote servers IP address e.g.173.255.254.151 and the port for TLS (1021), and 'http' or 'spdy' for the protocal (DNS is not yet available here).
    • Use the Key File selector to choose the key file you downloaded
  • Save this by hitting OK, OK and Apply.
  • Back in the main window use the Analyze->Decode as... option to choose to decode as SSL
  • Click on one of the packets labelled 'Application data' and you should see an additional tab appear in the Packet bytes view window of wireshark labelled "Decrypted SSL data".