> Feel Free to Point Out If I have made any mistakes
Intro To DNS
DNS (Plain Text Over UDP)
Well Also Over TCP But Still Plain Text
I Love Cloudflare Docs and It Pretty Much Covers Most of the part with Ease.
https://www.cloudflare.com/learning/dns/what-is-dns/
DNSSEC (Security Extn But Still Plain Text)
Well still Plain Text Over UDP, But validates the DNS Records
https://www.cloudflare.com/learning/dns/dns-security/
And Then Comes Security(Encryption) DOT & DOH
Here is Where Plain Text is Encrypted Text
[DOT] https://www.cloudflare.com/learning/dns/dns-over-tls/
Cloudflare Detailed Explanation and Practical View
[DOT] https://developers.cloudflare.com/1.1.1.1/dns-over-tls
[DOH] https://developers.cloudflare.com/1.1.1.1/dns-over-https
I am Capturing the Practical View , How it looks like and how you can try one via CLI using CURL and Kdig.
Cloudflare Provides details on how you can achieve it via CURL
https://developers.cloudflare.com/1.1.1.1/dns-over-tls
So Let's Begin With The Practical View
DOH (DNS Over HTTP)
A DOH Query using Curl Pre-requisites: Curl v7.4+
So, Below it basically does is, it gets the DNS Record (IP) from the DOH Server (cloudflare-dns.com) Since it is Over HTTP and you need a Resource so it is Therefore (https://cloudflare-dns.com/dns-query).
And The Makes a Connection After Fetching the IP
A Simple Curl
(-v => Verbose)
(-I => Head Request)
(--doh-url => Ask DNS Over HTTP to which DOH Server >https://cloudflare-dns.com/dns-query)
$ curl -v -I --doh-url https://cloudflare-dns.com/dns-query https://www.google.com
Details:
$ curl -v -I --doh-url https://cloudflare-dns.com/dns-query https://www.google.com
* Found bundle for host cloudflare-dns.com: 0x7fffe56ebe80 [serially]
* Server doesn't support multiplex (yet)
* Trying 104.16.249.249:443...
* TCP_NODELAY set
* Hostname 'cloudflare-dns.com' was found in DNS cache
* Trying 104.16.249.249:443...
* TCP_NODELAY set
* Connected to cloudflare-dns.com (104.16.249.249) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* Connected to cloudflare-dns.com (104.16.249.249) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare-dns.com
* start date: Jan 28 00:00:00 2019 GMT
* expire date: Feb 1 12:00:00 2021 GMT
* subjectAltName: host "cloudflare-dns.com" matched cert's "cloudflare-dns.com"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fffe56e5290)
> POST /dns-query HTTP/2
Host: cloudflare-dns.com
accept: */*
content-type: application/dns-message
content-length: 32
* We are completely uploaded and fine
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare-dns.com
* start date: Jan 28 00:00:00 2019 GMT
* expire date: Feb 1 12:00:00 2021 GMT
* subjectAltName: host "cloudflare-dns.com" matched cert's "cloudflare-dns.com"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fffe56df9e0)
> POST /dns-query HTTP/2
Host: cloudflare-dns.com
accept: */*
content-type: application/dns-message
content-length: 32
* We are completely uploaded and fine
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Sun, 30 Aug 2020 14:22:56 GMT
< content-type: application/dns-message
< content-length: 74
< access-control-allow-origin: *
< cf-request-id: 04e15902c60000de8edb16a200000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 5caf2ab13b45de8e-BLR
<
* Connection #1 to host cloudflare-dns.com left intact
* a DOH request is completed, 1 to go
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Sun, 30 Aug 2020 14:22:56 GMT
< content-type: application/dns-message
< content-length: 62
< access-control-allow-origin: *
< cf-request-id: 04e15902d60000deb22981d200000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 5caf2ab15b01deb2-BLR
<
* Connection #0 to host cloudflare-dns.com left intact
* a DOH request is completed, 0 to go
----- DOH Response [Starts] -----
* DOH Host name: www.google.com
* TTL: 43 seconds
* DOH A: 172.217.160.164
* DOH AAAA: 2404:6800:4009:080a:0000:0000:0000:2004
----- DOH Response [Ends] -----
* Trying 172.217.160.164:443...
* TCP_NODELAY set
* Connected to www.google.com (172.217.160.164) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=www.google.com
* start date: Aug 11 08:59:33 2020 GMT
* expire date: Nov 3 08:59:33 2020 GMT
* subjectAltName: host "www.google.com" matched cert's "www.google.com"
* issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fffe56bfaa0)
> HEAD / HTTP/2
> Host: www.google.com
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
HTTP/2 200
< content-type: text/html; charset=ISO-8859-1
content-type: text/html; charset=ISO-8859-1
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< date: Sun, 30 Aug 2020 14:22:56 GMT
date: Sun, 30 Aug 2020 14:22:56 GMT
< server: gws
server: gws
< x-xss-protection: 0
x-xss-protection: 0
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< expires: Sun, 30 Aug 2020 14:22:56 GMT
expires: Sun, 30 Aug 2020 14:22:56 GMT
< cache-control: private
cache-control: private
< set-cookie: 1P_JAR=2020-08-30-14; expires=Tue, 29-Sep-2020 14:22:56 GMT; path=/; domain=.google.com; Secure
set-cookie: 1P_JAR=2020-08-30-14; expires=Tue, 29-Sep-2020 14:22:56 GMT; path=/; domain=.google.com; Secure
< set-cookie: NID=204=faTLwUwByLcvvqmTO0G45YKfiKg9_eBHAJG51-GL6xLFiSZSGxNPB4_AEi1NbR_3MkBFwBu1Km2PLw0h6Xh2ZjGO6RHbTR7AEnPHcHiqkC90Zc9XJqsQugw4zOzThkXwufU_YM2x1o4N40JrWvnKKhxG8v5ntJYdlZbWIF13EXk; expires=Mon, 01-Mar-2021 14:22:56 GMT; path=/; domain=.google.com; HttpOnly
set-cookie: NID=204=faTLwUwByLcvvqmTO0G45YKfiKg9_eBHAJG51-GL6xLFiSZSGxNPB4_AEi1NbR_3MkBFwBu1Km2PLw0h6Xh2ZjGO6RHbTR7AEnPHcHiqkC90Zc9XJqsQugw4zOzThkXwufU_YM2x1o4N40JrWvnKKhxG8v5ntJYdlZbWIF13EXk; expires=Mon, 01-Mar-2021 14:22:56 GMT; path=/; domain=.google.com; HttpOnly
< alt-svc: h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
alt-svc: h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
<
* Connection #0 to host www.google.com left intact
DOT (DNS Over TCP)
Pre-requisites: kdig
A DOH Query using kdig
$ apt install knot-dnsutils
$ kdig -d @1.1.1.1 +tls-host=cloudflare-dns.com google.com
Details:
# kdig -d @1.1.1.1 +tls-host=cloudflare-dns.com google.com
;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 138 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG: SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33976
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 409 B
;; QUESTION SECTION:
;; google.com. IN A
;; ANSWER SECTION:
google.com. 101 IN A 216.58.193.78
;; Received 468 B
;; Time 2020-12-30 02:36:00 UTC
;; From 1.1.1.1@853(TCP) in 9.6 ms
Oldest comments (0)