View Source

Experimental DNS Privacy Recursive Servers

The following servers are configured to support TLS on port 853 for testing purposes. Note that they are experimental offerings with no guarantees on the lifetime of the service or service level provided.

Hosted by	IP addresses	Hostname for TLS authentication	SPKI pin for TLS authentication (RFC7858)	Supports RFC7858	Supports RFC7766 fully	Software	Notes
getdnsapi.net	185.49.141.38 2a04:b900:0:100::38	getdnsapi.net	foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S=	No	No	Unbound
Surfnet	145.100.185.15 2001:610:1:40ba:145:100:185:15	dnsovertls.sinodun.com		No	No, but does do concurrent processing of queries. Supports TFO	HAProxy + BIND	Only listening on TLS on port 853
Surfnet	145.100.185.16 2001:610:1:40ba:145:100:185:16	dnsovertls1.sinodun.com		No	No, but does do concurrent processing of queries	Nginx + BIND	Only listening on TLS on port 853
OARC	See OARC website					Unbound

How to Decode TLS packets in Wireshark

If you want to decode the DNS packets in Wireshark (use 1.12.1 or later) to get support TLSv1.2

Obtain the server key file
Configure the key in wireshark in Edit->Preferences
- open the protocol list in the right hand menu and select SSL from the list
- Click on the RSA keys list 'Edit' box and then click on 'New' in the dialog that appears
  - Enter remote servers IP address e.g.173.255.254.151 and the port for TLS (1021), and 'http' or 'spdy' for the protocal (DNS is not yet available here).
  - Use the Key File selector to choose the key file you downloaded
- Save this by hitting OK, OK and Apply.
- Back in the main window use the Analyze->Decode as... option to choose to decode as SSL
- Click on one of the packets labelled 'Application data' and you should see an additional tab appear in the Packet bytes view window of wireshark labelled "Decrypted SSL data".