How to query for DNS over HTTPS/DNS over TLS using command line?
Full question
https://superuser.com/questions/1532975/...
--
Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...
ACCEPTED ANSWER
Score 34
I didn't find a single tool for both purposes, but I did find ways to use them.
There are two ways to query DoH:
# json
curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=example.com&type=A' | jq .
# dns wireformat
curl -H 'accept: application/dns-message' 'https://dns.google/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | hexdump -c
For DoT, you can use the kdig tool provided by Knot. The command line is similar to dig:
apt-get install knot-dnsutils
# For macOS:
# brew install knot
kdig -d @8.8.8.8 +tls-ca +tls-host=dns.google.com example.com
where 8.8.8.8 is the pre-resolved address of the TLS host (dns.google.com).
Update: Here is a tool (https://github.com/ameshkov/dnslookup) that supports all major DNS protocols on its own and is able to produce machine-readable output.
ANSWER 2
Score 14
curl has official DoH support since version 7.62.0 (the question is how many of your target endpoints have curl up to date to this version.)
Use it by utilizing the --doh-url option. Example:
curl --doh-url https://cloudflare-dns.com/dns-query https://www.google.com
See: https://github.com/curl/curl/wiki/DOH-implementation https://daniel.haxx.se/blog/2018/09/06/doh-in-curl/
ANSWER 3
Score 9
Dog is a dig alternative written in Rust that supports DoH/DoT (see its installation instructions).
Examples:
dog -H @https://dns.google/dns-query google.com
dog google.com --tls @dns.google
It can also output as json.
ANSWER 4
Score 7
If dig is compiled with support for +tls:
dig @127.0.0.1 google.com +tls
; <<>> DiG 9.17.8 <<>> @127.0.0.1 google.com +tls
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54991
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 065928dae0bd1d28010000005fdd61d904c6723221991bf3 (good)
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 172.217.0.238
;; Query time: 1123 msec
;; SERVER: 127.0.0.1#853(127.0.0.1) (TLS)
;; WHEN: Sat Dec 19 02:13:45 UTC 2020
;; MSG SIZE rcvd: 83