Perform Secure-by-default or Woefully Insecure ‘DNS’ Queries
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

9.2 KiB

output: rmarkdown::github_document
chunk_output_type: console
```{r pkg-knitr-opts, include=FALSE}
knitr::opts_chunk$set(collapse=TRUE, fig.retina=2, message=FALSE, warning=FALSE)

[![Travis-CI Build Status](](
[![Coverage Status](](

# clandnstine

Perform Secure-by-default 'DNS' Queries

## Description

Perform and process 'DNS over TLS' and 'DNS over HTTPS' queries.


Requires [`getdns`]( to be installed and available for compilation (no guard rails setup yet):

- Use `brew install getdns` on macOS
- Install `libgetdns-dev` or `libgetdns-devel` on debian/ubuntu (version 1.5.1 or higher)
- (Nothing to see here Windows folks stuck in a backwards ecosysem)

You're going to need version 1.5.1 of `getdns` for this package to install.

I've gotten this running on macOS and Ubuntu 16.04. For the latter I had to ensure `libidn2-0-dev` and
`libunbound-dev` were installed then had to grab the 1.5.1 tarball (e.g. `aria2c`), extract it and `config`/`make`/`make install` (plus `ldconfig` after).


I finally grok the getdns api so the package api is going to change wildly and fast. The default mode will be to perform queries using DNS over TLS but also supports UDP and TCP transports along with support for DNS over HTTPS.

## Why?

Well, for starters, to help research DNS over TLS/DNS over HTTPS servers. Plus, for fun!

If you're asking "Why DNS over TLS/HTTPS at all?" then "faux" privacy. Why "faux"? Well, _something_ is handing your query and that something knows your IP address and what you looked for. So, you're relying on the good faith, honest nature and technical capability of the destination server to not mess with you. I don't trust Cloudflare or Google and am witholding judgement on Quad9 either way (they've been doing good things and are less "look at how cool we are" than CF is).

Also "faux" in that you're going to be using (for DoT) a standard port (853) and a TLS session for the queries so your internet provider will know you're doing _something_ and the current, sorry state of SSL certificates, certificate authorities, and authoritarian companies and regimes combined means confidentiality and integrity are always kinda in question unless done super-well.

## What's Different About This vs Regular DNS?

Well, if we lookup the addresses for `` the old-fashioned way it's cleartext UDP on the wire:

1 0.000000 → DNS 80 Standard query 0x8af8 A OPT
2 0.003297 → DNS 176 Standard query response 0x8af8 A A A A A A A OPT

I watched for port 53 UDP traffic with `tshark` as `` was being looked up. Notice the fast and diminuitive — and plaintext — response. (I'm fibbing a bit since I pre-loaded the local home DNS server with this query since I tested it alot before knitting this readme. My home server forwards all queries to a custom DNS over TLS server since I really don't trust any of the providers when it comes down to it. So, in reality for me, it's even slower than the below — at least initially).

This is the same query via DNS over TLS

1 0.000000 → TCP 78 52128 → 853 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 TSval=602885491 TSecr=0 SACK_PERM=1 TFO=R
2 0.021188 → TCP 74 853 → 52128 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=3426782438 TSecr=602885491 WS=256
3 0.021308 → TLSv1 373 Client Hello
4 0.045324 → TLSv1.2 1514 Server Hello
5 0.045333 → TLSv1.2 73 [TCP Previous segment not captured] , Ignored Unknown Record
6 0.045334 → TCP 1514 [TCP Out-Of-Order] 853 → 52128 [ACK] Seq=1449 Ack=308 Win=30208 Len=1448 TSval=3426782459 TSecr=602885512
7 0.045491 → TCP 78 52128 → 853 [ACK] Seq=308 Ack=1449 Win=130304 Len=0 TSval=602885536 TSecr=3426782459 SLE=2897 SRE=2904
8 0.045492 → TCP 66 52128 → 853 [ACK] Seq=308 Ack=2904 Win=128832 Len=0 TSval=602885536 TSecr=3426782459
9 0.050527 → TLSv1.2 192 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
10 0.069107 → TLSv1.2 117 Change Cipher Spec, Encrypted Handshake Message
11 0.069255 → TCP 66 52128 → 853 [ACK] Seq=434 Ack=2955 Win=131008 Len=0 TSval=602885559 TSecr=3426782487
12 0.069516 → TLSv1.2 225 Application Data
13 0.091087 → TLSv1.2 303 Application Data
14 0.091207 → TLSv1.2 225 Application Data
15 0.106738 → TLSv1.2 231 Application Data
16 0.106836 → TCP 66 52128 → 853 [ACK] Seq=752 Ack=3357 Win=130880 Len=0 TSval=602885595 TSecr=3426782525
17 0.107200 → TLSv1.2 97 Encrypted Alert
18 0.107411 → TCP 66 52128 → 853 [FIN, ACK] Seq=783 Ack=3357 Win=131072 Len=0 TSval=602885595 TSecr=3426782525
19 0.126603 → TLSv1.2 97 Encrypted Alert
20 0.126608 → TCP 66 853 → 52128 [FIN, ACK] Seq=3388 Ack=784 Win=32256 Len=0 TSval=3426782545 TSecr=602885595
21 0.126717 → TCP 54 52128 → 853 [RST] Seq=784 Win=0 Len=0
22 0.126718 → TCP 54 52128 → 853 [RST] Seq=784 Win=0 Len=0

It's stupid slow, consumes more CPU and bandwidth but forces adversaries to work pretty hard to try to figure out what you're looking for.

## What's Inside The Tin

The following functions are implemented:

### DNS over HTTPS

- `doh_post`: Make a DoH Request (POST/wireformat)
- `doh_servers`: Built-in list of DoH servers.

### DNS over TLS

- `gdns_context`: Create a gdns DNS over TLS context and populate it with a resolver for use in resolution functions
- `gdns_get_address`: Resolve a host to an addrss
- `gdns_get_resolution_type`: Get the current resolution type setting
- `gdns_get_timeout`: Retreive the number of milliseconds to wait for request to return
- `gdns_get_tls_ca_file`: Retreive the file location with CA certificates for verification purposes
- `gdns_get_tls_ca_path`: Retreive the value with which the context's upstream recursive servers and suffixes were initialized
- `gdns_get_transports`: Retreive what transports are used for DNS lookups.
- `gdns_lib_version`: Return gdns library version
- `gdns_query`: Arbitrary DNS queries
- `gdns_set_hosts`: Initialized the context's local names namespace with values from the given hosts file.
- `gdns_set_resolution_type`: Specify whether DNS queries are performed with recursive lookups or as a stub resolver
- `gdns_set_round_robin_upstreams`: Set/unset context to round robin queries over the available upstreams when resolving with the stub resolution type.
- `gdns_set_timeout`: Specify the number of milliseconds to wait for request to return
- `gdns_set_tls_ca_file`: Specify the file with CA certificates for verification purposes
- `gdns_set_tls_ca_path`: Specify where the location for CA certificates for verification purposes are located
- `gdns_set_transports`: Specifies what transport(s) is/ar used for DNS lookups
- `gdns_update_resolvers`: Changes the list of resolvers in an already created context for use in resolution functions

## Installation

```{r install-ex, eval=FALSE}
# or
# or

## Usage

```{r lib-ex}

# current version


### Get an address(es) from a name:

```{r addr}

(x <- gdns_context())

(x <- gdns_context(""))

(x <- gdns_context(c("", "", "")))

(gdns_set_timeout(x, 2000))

(gdns_update_resolvers(x, ""))

(gdns_set_transports(x, c("udp", "tls", "tcp")))

(gdns_get_address(x, ""))

(gdns_get_address(x, ""))

(gdns_get_address(x, "yahoo.commmm"))

### Any record type query:

```{r generic}
str(leno <- gdns_query(x, "", "txt"), 1)


Yep. Advertising even in DNS `TXT` records (see item number 8).

### DOH

```{r doh}

## clandnstine Metrics

```{r cloc, echo=FALSE}

## Code of Conduct

Please note that this project is released with a [Contributor Code of Conduct](
By participating in this project you agree to abide by its terms.