DEV Community 👩‍💻👨‍💻

Cover image for DOT(.TCP) DOH(oooHTTP) via curl & kdig
Ashish R Bhandari
Ashish R Bhandari

Posted on • Updated on

DOT(.TCP) DOH(oooHTTP) via curl & kdig

> Feel Free to Point Out If I have made any mistakes

Intro To DNS

DNS (Plain Text Over UDP)
Well Also Over TCP But Still Plain Text

I Love Cloudflare Docs and It Pretty Much Covers Most of the part with Ease.
https://www.cloudflare.com/learning/dns/what-is-dns/

DNSSEC (Security Extn But Still Plain Text)

Well still Plain Text Over UDP, But validates the DNS Records
https://www.cloudflare.com/learning/dns/dns-security/

And Then Comes Security(Encryption) DOT & DOH

Here is Where Plain Text is Encrypted Text
[DOT] https://www.cloudflare.com/learning/dns/dns-over-tls/

Cloudflare Detailed Explanation and Practical View
[DOT] https://developers.cloudflare.com/1.1.1.1/dns-over-tls
[DOH] https://developers.cloudflare.com/1.1.1.1/dns-over-https

I am Capturing the Practical View , How it looks like and how you can try one via CLI using CURL and Kdig.
Cloudflare Provides details on how you can achieve it via CURL
https://developers.cloudflare.com/1.1.1.1/dns-over-tls

So Let's Begin With The Practical View

DOH (DNS Over HTTP)

A DOH Query using Curl Pre-requisites: Curl v7.4+

So, Below it basically does is, it gets the DNS Record (IP) from the DOH Server (cloudflare-dns.com) Since it is Over HTTP and you need a Resource so it is Therefore (https://cloudflare-dns.com/dns-query).
And The Makes a Connection After Fetching the IP

A Simple Curl
(-v => Verbose)
(-I => Head Request)
(--doh-url => Ask DNS Over HTTP to which DOH Server >https://cloudflare-dns.com/dns-query)

$ curl -v -I --doh-url https://cloudflare-dns.com/dns-query https://www.google.com 
Enter fullscreen mode Exit fullscreen mode

Details:

$ curl -v -I --doh-url https://cloudflare-dns.com/dns-query https://www.google.com

* Found bundle for host cloudflare-dns.com: 0x7fffe56ebe80 [serially]
* Server doesn't support multiplex (yet)
*   Trying 104.16.249.249:443...
* TCP_NODELAY set
* Hostname 'cloudflare-dns.com' was found in DNS cache
*   Trying 104.16.249.249:443...
* TCP_NODELAY set
* Connected to cloudflare-dns.com (104.16.249.249) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* Connected to cloudflare-dns.com (104.16.249.249) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare-dns.com
*  start date: Jan 28 00:00:00 2019 GMT
*  expire date: Feb  1 12:00:00 2021 GMT
*  subjectAltName: host "cloudflare-dns.com" matched cert's "cloudflare-dns.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fffe56e5290)
> POST /dns-query HTTP/2
Host: cloudflare-dns.com
accept: */*
content-type: application/dns-message
content-length: 32

* We are completely uploaded and fine
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare-dns.com
*  start date: Jan 28 00:00:00 2019 GMT
*  expire date: Feb  1 12:00:00 2021 GMT
*  subjectAltName: host "cloudflare-dns.com" matched cert's "cloudflare-dns.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fffe56df9e0)
> POST /dns-query HTTP/2
Host: cloudflare-dns.com
accept: */*
content-type: application/dns-message
content-length: 32

* We are completely uploaded and fine
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Sun, 30 Aug 2020 14:22:56 GMT
< content-type: application/dns-message
< content-length: 74
< access-control-allow-origin: *
< cf-request-id: 04e15902c60000de8edb16a200000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 5caf2ab13b45de8e-BLR
<
* Connection #1 to host cloudflare-dns.com left intact
* a DOH request is completed, 1 to go
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Sun, 30 Aug 2020 14:22:56 GMT
< content-type: application/dns-message
< content-length: 62
< access-control-allow-origin: *
< cf-request-id: 04e15902d60000deb22981d200000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 5caf2ab15b01deb2-BLR
<
* Connection #0 to host cloudflare-dns.com left intact
* a DOH request is completed, 0 to go

----- DOH Response [Starts] -----
* DOH Host name: www.google.com
* TTL: 43 seconds
* DOH A: 172.217.160.164
* DOH AAAA: 2404:6800:4009:080a:0000:0000:0000:2004
----- DOH Response [Ends] -----

*   Trying 172.217.160.164:443...
* TCP_NODELAY set
* Connected to www.google.com (172.217.160.164) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=www.google.com
*  start date: Aug 11 08:59:33 2020 GMT
*  expire date: Nov  3 08:59:33 2020 GMT
*  subjectAltName: host "www.google.com" matched cert's "www.google.com"
*  issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fffe56bfaa0)
> HEAD / HTTP/2
> Host: www.google.com
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
HTTP/2 200
< content-type: text/html; charset=ISO-8859-1
content-type: text/html; charset=ISO-8859-1
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< date: Sun, 30 Aug 2020 14:22:56 GMT
date: Sun, 30 Aug 2020 14:22:56 GMT
< server: gws
server: gws
< x-xss-protection: 0
x-xss-protection: 0
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< expires: Sun, 30 Aug 2020 14:22:56 GMT
expires: Sun, 30 Aug 2020 14:22:56 GMT
< cache-control: private
cache-control: private
< set-cookie: 1P_JAR=2020-08-30-14; expires=Tue, 29-Sep-2020 14:22:56 GMT; path=/; domain=.google.com; Secure
set-cookie: 1P_JAR=2020-08-30-14; expires=Tue, 29-Sep-2020 14:22:56 GMT; path=/; domain=.google.com; Secure
< set-cookie: NID=204=faTLwUwByLcvvqmTO0G45YKfiKg9_eBHAJG51-GL6xLFiSZSGxNPB4_AEi1NbR_3MkBFwBu1Km2PLw0h6Xh2ZjGO6RHbTR7AEnPHcHiqkC90Zc9XJqsQugw4zOzThkXwufU_YM2x1o4N40JrWvnKKhxG8v5ntJYdlZbWIF13EXk; expires=Mon, 01-Mar-2021 14:22:56 GMT; path=/; domain=.google.com; HttpOnly
set-cookie: NID=204=faTLwUwByLcvvqmTO0G45YKfiKg9_eBHAJG51-GL6xLFiSZSGxNPB4_AEi1NbR_3MkBFwBu1Km2PLw0h6Xh2ZjGO6RHbTR7AEnPHcHiqkC90Zc9XJqsQugw4zOzThkXwufU_YM2x1o4N40JrWvnKKhxG8v5ntJYdlZbWIF13EXk; expires=Mon, 01-Mar-2021 14:22:56 GMT; path=/; domain=.google.com; HttpOnly
< alt-svc: h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
alt-svc: h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

<
* Connection #0 to host www.google.com left intact


Enter fullscreen mode Exit fullscreen mode

DOT (DNS Over TCP)

Pre-requisites: kdig
A DOH Query using kdig

$ apt install knot-dnsutils
$ kdig -d @1.1.1.1 +tls-host=cloudflare-dns.com  google.com
Enter fullscreen mode Exit fullscreen mode

Details:

# kdig -d @1.1.1.1 +tls-host=cloudflare-dns.com  google.com
;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 138 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33976
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 409 B

;; QUESTION SECTION:
;; google.com.                  IN      A

;; ANSWER SECTION:
google.com.             101     IN      A       216.58.193.78

;; Received 468 B
;; Time 2020-12-30 02:36:00 UTC
;; From 1.1.1.1@853(TCP) in 9.6 ms

Enter fullscreen mode Exit fullscreen mode

Top comments (0)

🌚 Life is too short to browse without dark mode