Troubleshooting DNS over TLS

I have been using DNSCrypt and DNS over HTTPS for a bit of time, but decided to give a try to the new DNS over TLS protocol today. The first problem I faced was the lack of software support and documentation on how DNS over TLS works and how to troubleshoot it.

I will try to fill this gap and talk a bit about DNS over TLS in this article.

Unencrypted DNS

DNS is one of the most critical protocols on the Internet. Almost everything you do online starts with a DNS request. The problem with DNS is that it is a clear-text protocol: everyone watching the traffic between you and your DNS provider can see (and sometimes modify) the requests you are making. It is actually common for ISPs and hotels to hijack DNS requests and redirect them to their own servers.

DNS over TLS

We have all learned (I hope) that we should not enter our passwords or personal information on sites without the padlock (known as HTTP:// sites). Google, Let's Encrypt, Mozilla and others are pushing the web to go HTTPS:// only — encrypt everything. Google is even ranking HTTPS sites higher than the ones that are not encrypted.

TLS (aka SSL) is the protocol we use for HTTPS. It wraps our HTTP requests in an encrypted layer, so nobody in between can read our data. The same TLS protocol can be used to wrap and encrypt our DNS requests.

I am oversimplifying TLS here, but you can read about how it is combined with DNS in RFC 7858.

DNS Server Support

DNS over TLS does not have wide server support yet, but dnsdist, from the PowerDNS team, added support for it in their latest version. That's a great start for anyone looking to implement it themselves.

Also, 3 public DNS providers support DNS over TLS on port 853, allowing pretty much anyone to use it today:

  • Quad9 — Anycast DNS — filters malicious domains.
  • CloudFlare — Anycast DNS — unfiltered.
  • CleanBrowsing — Anycast DNS — filters malicious and adult/porn domains.

Troubleshooting DNS over TLS

The beauty of DNS over TLS is that it is the same DNS protocol, just wrapped in a TLS layer. That makes it very easy to debug and troubleshoot.

1- Using OpenSSL

Using the OpenSSL command line tool, we can easily check whether a server supports DNS over TLS and whether it is responding (this is especially important for checking whether port 853 is blocked in some locations). In this example, I am using the s_client option to connect to port 853 on the CleanBrowsing IP:

As you can see, they use Let's Encrypt and the server is replying properly. I can do the same thing for CloudFlare to verify my connectivity:

2- Using the DNS over TLS PHP client

OpenSSL is a great tool for testing, but it doesn't let you send queries and read responses easily. DNS is a binary protocol, so we will use the lightweight DNS over TLS PHP client to handle that for us.

To start we need to clone the repository:

Once that is cloned, you will see the dns-over-tls-php-client directory with the PHP file dnstls.php. That's the one we will use to test and send our queries.

To send a DNS query, run the command as follows:

If DNS over TLS is not supported (or you have the CloudFlare IP blocked), you will get this error:

The tool supports CloudFlare, Quad9 and CleanBrowsing by default, but you can specify any IP address you wish. If you do not have the proper CA certificates installed on your server, you might get the following error:

That can be solved by upgrading OpenSSL (and its CA bundle) locally on your server or desktop. Note that if you are testing against CleanBrowsing, it will return "domain not found" (NXDOMAIN) for domains that it blocks:

If you are using a custom resolver for DNS over TLS, you need to verify that its certificate is valid or you may get one of the errors I mentioned before.
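To make the "same DNS protocol, wrapped in TLS" point concrete, here is a small Python client I added for this article (it is not the article's own code nor part of the dns-over-tls-php-client project). It builds a raw DNS query, sends it over TLS to port 853 with the 2-byte length prefix RFC 7858 requires, and reports the RCODE, so a blocked domain shows up as NXDOMAIN and a bad certificate shows up as a TLS handshake failure. It assumes the resolver's certificate carries the address you connect to in its SAN, and the script name and command-line arguments are my own choices.

```python
import socket
import ssl
import struct
import sys

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query (RFC 1035): header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    """Return (transaction id, RCODE, answer count) from a DNS response header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return txid, flags & 0x000F, an

def recv_exact(sock, n):
    """Read exactly n bytes; TLS may hand the message back in several pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf

def query_dot(server, name, qtype=1):
    """One query over DNS over TLS (RFC 7858): TLS on TCP/853, each DNS message
    prefixed with its 2-byte big-endian length, exactly as in plain TCP DNS."""
    ctx = ssl.create_default_context()  # verifies the chain against the local CA store
    with socket.create_connection((server, 853), timeout=5) as raw:
        # server_hostname=server: the cert must list this address (assumption)
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            msg = build_query(name, qtype)
            tls.sendall(struct.pack("!H", len(msg)) + msg)
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return recv_exact(tls, length)

if __name__ == "__main__":
    # usage (hypothetical): python dot_check.py 1.1.1.1 example.com
    server, name = sys.argv[1], sys.argv[2]
    try:
        _txid, rcode, answers = parse_header(query_dot(server, name))
    except ssl.SSLError as e:  # the certificate / CA-store failure described above
        sys.exit("TLS handshake failed: %s" % e)
    print("rcode=%s answers=%d" % (RCODE_NAMES.get(rcode, rcode), answers))
```

A connection timeout or reset on port 853 points at a network block, while an SSLError with verification failure points at the certificate or your local CA bundle; both are distinct from an NXDOMAIN, which is a valid, authenticated answer.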

DNS Privacy

And that's pretty much it for troubleshooting. DNS privacy is as important as HTTP privacy (HTTPS), so I recommend that everyone try DNS over TLS and see if it works for you. You can also use DNSCrypt, as it has more client support at this point.

Always Learning.
