Ashish R Bhandari

DOT(.TCP) DOH(oooHTTP) via curl & kdig

> Feel Free to Point Out If I have made any mistakes

Intro To DNS

DNS (plain text over UDP)
It also runs over TCP, but either way the query and answer are still plain text.

I love the Cloudflare docs; they pretty much cover most of this with ease.
https://www.cloudflare.com/learning/dns/what-is-dns/

DNSSEC (security extensions, but still plain text)

Still plain text over UDP, but it lets the resolver validate that the DNS records it receives are authentic; it adds integrity, not confidentiality.
https://www.cloudflare.com/learning/dns/dns-security/

And then comes security (encryption): DOT and DOH

This is where the plain-text query becomes encrypted traffic.
[DOT] https://www.cloudflare.com/learning/dns/dns-over-tls/

Cloudflare's detailed explanation and practical view:
[DOT] https://developers.cloudflare.com/1.1.1.1/dns-over-tls
[DOH] https://developers.cloudflare.com/1.1.1.1/dns-over-https

I am capturing the practical view: how it looks and how you can try it yourself from the CLI using curl and kdig.
Cloudflare provides details on how you can achieve it via curl:
https://developers.cloudflare.com/1.1.1.1/dns-over-tls

So let's begin with the practical view.

DOH (DNS over HTTPS)

A DOH query using curl. Pre-requisite: curl v7.4+

What the command below does: curl first fetches the DNS record (the IP of www.google.com) from the DOH server, cloudflare-dns.com. Since this is DNS over HTTP, the query is sent to a resource on that server, which is why the DOH URL is https://cloudflare-dns.com/dns-query.
Once it has the IP, curl then makes the actual connection to www.google.com.

A simple curl:
  -v         verbose
  -I         HEAD request
  --doh-url  the DOH server to resolve names through: https://cloudflare-dns.com/dns-query



$ curl -v -I --doh-url https://cloudflare-dns.com/dns-query https://www.google.com 



Details:



$ curl -v -I --doh-url https://cloudflare-dns.com/dns-query https://www.google.com

* Found bundle for host cloudflare-dns.com: 0x7fffe56ebe80 [serially]
* Server doesn't support multiplex (yet)
*   Trying 104.16.249.249:443...
* TCP_NODELAY set
* Hostname 'cloudflare-dns.com' was found in DNS cache
*   Trying 104.16.249.249:443...
* TCP_NODELAY set
* Connected to cloudflare-dns.com (104.16.249.249) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* Connected to cloudflare-dns.com (104.16.249.249) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare-dns.com
*  start date: Jan 28 00:00:00 2019 GMT
*  expire date: Feb  1 12:00:00 2021 GMT
*  subjectAltName: host "cloudflare-dns.com" matched cert's "cloudflare-dns.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fffe56e5290)
> POST /dns-query HTTP/2
Host: cloudflare-dns.com
accept: */*
content-type: application/dns-message
content-length: 32

* We are completely uploaded and fine
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare-dns.com
*  start date: Jan 28 00:00:00 2019 GMT
*  expire date: Feb  1 12:00:00 2021 GMT
*  subjectAltName: host "cloudflare-dns.com" matched cert's "cloudflare-dns.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fffe56df9e0)
> POST /dns-query HTTP/2
Host: cloudflare-dns.com
accept: */*
content-type: application/dns-message
content-length: 32

* We are completely uploaded and fine
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Sun, 30 Aug 2020 14:22:56 GMT
< content-type: application/dns-message
< content-length: 74
< access-control-allow-origin: *
< cf-request-id: 04e15902c60000de8edb16a200000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 5caf2ab13b45de8e-BLR
<
* Connection #1 to host cloudflare-dns.com left intact
* a DOH request is completed, 1 to go
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Sun, 30 Aug 2020 14:22:56 GMT
< content-type: application/dns-message
< content-length: 62
< access-control-allow-origin: *
< cf-request-id: 04e15902d60000deb22981d200000001
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 5caf2ab15b01deb2-BLR
<
* Connection #0 to host cloudflare-dns.com left intact
* a DOH request is completed, 0 to go

----- DOH Response [Starts] -----
* DOH Host name: www.google.com
* TTL: 43 seconds
* DOH A: 172.217.160.164
* DOH AAAA: 2404:6800:4009:080a:0000:0000:0000:2004
----- DOH Response [Ends] -----

*   Trying 172.217.160.164:443...
* TCP_NODELAY set
* Connected to www.google.com (172.217.160.164) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=www.google.com
*  start date: Aug 11 08:59:33 2020 GMT
*  expire date: Nov  3 08:59:33 2020 GMT
*  subjectAltName: host "www.google.com" matched cert's "www.google.com"
*  issuer: C=US; O=Google Trust Services; CN=GTS CA 1O1
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fffe56bfaa0)
> HEAD / HTTP/2
> Host: www.google.com
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
HTTP/2 200
< content-type: text/html; charset=ISO-8859-1
content-type: text/html; charset=ISO-8859-1
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< date: Sun, 30 Aug 2020 14:22:56 GMT
date: Sun, 30 Aug 2020 14:22:56 GMT
< server: gws
server: gws
< x-xss-protection: 0
x-xss-protection: 0
< x-frame-options: SAMEORIGIN
x-frame-options: SAMEORIGIN
< expires: Sun, 30 Aug 2020 14:22:56 GMT
expires: Sun, 30 Aug 2020 14:22:56 GMT
< cache-control: private
cache-control: private
< set-cookie: 1P_JAR=2020-08-30-14; expires=Tue, 29-Sep-2020 14:22:56 GMT; path=/; domain=.google.com; Secure
set-cookie: 1P_JAR=2020-08-30-14; expires=Tue, 29-Sep-2020 14:22:56 GMT; path=/; domain=.google.com; Secure
< set-cookie: NID=204=faTLwUwByLcvvqmTO0G45YKfiKg9_eBHAJG51-GL6xLFiSZSGxNPB4_AEi1NbR_3MkBFwBu1Km2PLw0h6Xh2ZjGO6RHbTR7AEnPHcHiqkC90Zc9XJqsQugw4zOzThkXwufU_YM2x1o4N40JrWvnKKhxG8v5ntJYdlZbWIF13EXk; expires=Mon, 01-Mar-2021 14:22:56 GMT; path=/; domain=.google.com; HttpOnly
set-cookie: NID=204=faTLwUwByLcvvqmTO0G45YKfiKg9_eBHAJG51-GL6xLFiSZSGxNPB4_AEi1NbR_3MkBFwBu1Km2PLw0h6Xh2ZjGO6RHbTR7AEnPHcHiqkC90Zc9XJqsQugw4zOzThkXwufU_YM2x1o4N40JrWvnKKhxG8v5ntJYdlZbWIF13EXk; expires=Mon, 01-Mar-2021 14:22:56 GMT; path=/; domain=.google.com; HttpOnly
< alt-svc: h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
alt-svc: h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

<
* Connection #0 to host www.google.com left intact





DOT (DNS over TLS)

A DOT query using kdig. Pre-requisite: kdig (package knot-dnsutils)



$ apt install knot-dnsutils
$ kdig -d @1.1.1.1 +tls-host=cloudflare-dns.com  google.com



Details:



# kdig -d @1.1.1.1 +tls-host=cloudflare-dns.com  google.com
;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 138 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33976
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 409 B

;; QUESTION SECTION:
;; google.com.                  IN      A

;; ANSWER SECTION:
google.com.             101     IN      A       216.58.193.78

;; Received 468 B
;; Time 2020-12-30 02:36:00 UTC
;; From 1.1.1.1@853(TCP) in 9.6 ms
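Putting the two captures together: the 32-byte body curl POSTs as application/dns-message is an ordinary RFC 1035 wire-format DNS query, and the kdig session is the same kind of message sent over TLS to port 853 (protocol TCP, as its DEBUG line shows) with the usual DNS-over-TCP two-byte length prefix; +tls-host=cloudflare-dns.com is the name kdig checks the server certificate against before reporting "The certificate is trusted." The Python below is an added example and is not code from the post, from curl or from kdig. It builds a query (reproducing the content-length: 32 seen for www.google.com), parses a response, and implements both transports. DOH_URL, DOT_SERVER and DOT_TLS_HOST are the values from the post's commands; SAMPLE_RESPONSE is constructed here, not captured from the wire; doh_query and dot_query need network access and are only reached if you call them yourself.

```python
# Added example (not from the post, curl or kdig): DNS wire format, the DoH
# POST body and DoT framing, standard library only.
import socket
import ssl
import struct
import urllib.request

DOH_URL = "https://cloudflare-dns.com/dns-query"   # resource curl --doh-url used
DOT_SERVER = ("1.1.1.1", 853)                       # kdig: @1.1.1.1, port 853
DOT_TLS_HOST = "cloudflare-dns.com"                 # kdig: +tls-host=...
QTYPE = {"A": 1, "AAAA": 28}
RTYPE = {1: "A", 28: "AAAA"}


def build_query(name, qtype="A", txid=0):
    """RFC 1035 query: 12-byte header, length-prefixed labels, QTYPE, QCLASS=IN.
    DoH POSTs exactly these bytes as application/dns-message; for www.google.com
    that is the 'content-length: 32' in the curl log. txid=0 keeps DoH
    responses cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE[qtype], 1)


def _read_name(msg, offset):
    """Decode a name, following RFC 1035 compression pointers (0xC0xx)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                   # pointer: jump, remember the end
            hops += 1
            if hops > 16:                           # refuse looping pointer chains
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_response(msg):
    """Return (rcode, [(name, type, ttl, rdata), ...]) from the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                              # skip the echoed question
        _, offset = _read_name(msg, offset)
        offset += 4                                  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1:
            rdata = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28:
            rdata = socket.inet_ntop(socket.AF_INET6, rdata)
        answers.append((name, RTYPE.get(rtype, rtype), ttl, rdata))
    return flags & 0x000F, answers


def doh_query(wire, url=DOH_URL):
    """DoH (needs network): the same 'POST /dns-query' curl makes with --doh-url."""
    req = urllib.request.Request(url, data=wire, method="POST", headers={
        "Content-Type": "application/dns-message",
        "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def frame_tcp(wire):
    """DoT (RFC 7858) keeps DNS-over-TCP framing: 2-byte big-endian length prefix."""
    return struct.pack("!H", len(wire)) + wire


def dot_query(wire, server=DOT_SERVER, tls_host=DOT_TLS_HOST):
    """DoT (needs network): TLS to 1.1.1.1:853; chain checked against the system
    CA store and certificate name against tls_host, as kdig +tls-host does."""
    ctx = ssl.create_default_context()              # CERT_REQUIRED + check_hostname
    with socket.create_connection(server, timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=tls_host) as tls:
        tls.sendall(frame_tcp(wire))
        stream = tls.makefile("rb")
        (length,) = struct.unpack("!H", stream.read(2))
        return stream.read(length)


# Constructed sample (not captured from the wire): answers the www.google.com A
# query with the address and TTL the post's DoH log printed, via a pointer.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
                   + build_query("www.google.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 43, 4)
                   + socket.inet_aton("172.217.160.164"))

if __name__ == "__main__":
    print(len(build_query("www.google.com")), "byte query, as in the curl log")
    print(parse_response(SAMPLE_RESPONSE))
    # Live use: parse_response(doh_query(build_query("www.google.com")))
    #           parse_response(dot_query(build_query("google.com")))
```

The offline part (build, frame, parse) runs as-is; the two network functions mirror what the curl and kdig captures show. The point of the DoT half is the TLS context: ssl.create_default_context() verifies the certificate chain against the system CA bundle and requires the certificate to name the host passed as server_hostname, which is the same check kdig reports for cloudflare-dns.com before it sends the query. The kdig output also prints SHA-256 pins for each certificate and says it is "skipping certificate PIN check", because no pin was given; the example likewise relies on the CA chain plus hostname rather than pinning.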



