
DoH

DNS over HTTPS

JSON:

>>> curl -H 'accept: application/dns-json' 'https://1.1.1.1/dns-query?name=generalzero.org&type=A'
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"generalzero.org","type":1}],"Answer":[{"name":"generalzero.org","type":1,"TTL":1799,"data":"51.15.203.210"}]}

JSON Short:

>>> curl -s -H 'accept: application/dns-json' 'https://1.1.1.1/dns-query?name=generalzero.org&type=A' | jq --raw-output '.Answer[].data'
51.15.203.210

UDP POST Request:

>>> echo -n 'q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | base64 -d | curl -H 'content-type: application/dns-message' --data-binary @- https://1.1.1.1/dns-query -o - | hexdump -C
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    82  100    49  100    33   1884   1269 --:--:-- --:--:-- --:--:--  3153
00000000  ab cd 81 80 00 01 00 01  00 00 00 00 03 77 77 77  |.............www|
00000010  07 65 78 61 6d 70 6c 65  03 63 6f 6d 00 00 01 00  |.example.com....|
00000020  01 c0 0c 00 01 00 01 00  01 25 62 00 04 5d b8 d8  |.........%b..]..|
00000030  22                                                |"|
00000031

UDP GET Request:

>>> curl -H 'accept: application/dns-message' -s 'https://1.1.1.1/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | hexdump -C
00000000  ab cd 81 80 00 01 00 01  00 00 00 00 03 77 77 77  |.............www|
00000010  07 65 78 61 6d 70 6c 65  03 63 6f 6d 00 00 01 00  |.example.com....|
00000020  01 c0 0c 00 01 00 01 00  01 34 5a 00 04 5d b8 d8  |.........4Z..]..|
00000030  22                                                |"|
00000031
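
The POST and GET requests above carry the same 33-byte DNS wire-format query, which the GET form passes base64url-encoded in the `dns=` parameter (RFC 8484). The following Python is an added example, not code from the original page: it rebuilds that exact query, produces the `dns=` value, and parses the reply bytes copied from the hexdump above, refusing the answer unless the transaction ID, QR bit and RCODE check out; it performs no network I/O.

```python
import base64
import struct

# Reply bytes copied from the POST hexdump above, so the parser can run offline.
SAMPLE_RESPONSE = bytes.fromhex("abcd8180000100010000000003777777076578616d706c6503636f6d0000010001c00c000100010001256200045db8d822")

def build_query(name, qtype=1, txid=0xABCD):
    """Minimal RFC 1035 query: 12-byte header (RD set, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_param(query):
    """RFC 8484 'dns=' parameter: base64url with the '=' padding stripped."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def read_name(msg, off):
    """Decode a name at msg[off], following 0xC0 compression pointers safely."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer; RFC 1035 requires it to point backwards
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("forward compression pointer (possible loop)")
            end, off = end or off + 2, ptr
            continue
        off += 1
        if length == 0:
            return ".".join(labels), end or off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(query, response):
    """Check the reply belongs to our query (ID, QR bit, RCODE=0) and return A records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000 or flags & 0x000F:
        raise ValueError("reply does not match query, or RCODE=%d" % (flags & 0xF))
    answers, off = [], 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(response, off)
        off += 4
    for _ in range(an):
        name, off = read_name(response, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata, off = response[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers
```

`doh_get_param(build_query("www.example.com"))` yields the `dns=` string used in the GET request above, and `parse_response` on the captured reply returns the A record `93.184.216.34` with its TTL.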

Encrypted SNI

Gets the public key from a DNS lookup, which is then used to encrypt the server name.

  • Used in the new TLS 1.3 protocol.
  • Gets the public key from a DNS TXT record. (Ex. _esni.f949b3dc-ea0a-42e0-93e9-26c5de94b1a6.encryptedsni.com)
  • Uses the public key to encrypt the SNI hostname
    • Using a DNS proxy, this key can be replaced.
  • This new encrypted hostname is placed in the same spot where the original unencrypted SNI is located

Check if your browser supports Encrypted SNI

It first makes a DNS request for the ESNI public key:

ESNI PublicKey:

>>> dig -t TXT _esni.f949b3dc-ea0a-42e0-93e9-26c5de94b1a6.encryptedsni.com +short
"/wG0rSUwACQAHQAgYKd5Qkd+Ef7GNSDq6DvAb0B6yidPYygGpar8O8iW0EoAAhMBAQQAAAAAX/o1cAAAAABgAh5wAAA="