How to query for DNS over HTTPS/DNS over TLS using command line


I'm writing a script that needs to query DNS records with a user-specified DNS server. The DNS server may use any protocol, including UDP, TCP, DNS over HTTPS (DoH), and DNS over TLS (DoT).

I know dig is able to handle DNS for UDP and TCP (with +tcp flag). Is there a way I can use dig or other tool to query DoH and DoT server?

I prefer already existing popular tools like curl so my script would be more portable, but other suggestions are welcome as well.

Best Answer

I didn't find a single tool for both purposes, but I did find ways to use them.

There are two ways to query DoH:

# json
curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=example.com&type=A' | jq .
# dns wireformat
curl -H 'accept: application/dns-message' 'https://dns.google/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB' | hexdump -c

For DoT, you can use kdig tool provided by knot. The command line is similar to dig:

apt-get install knot-dnsutils
# For macOS:
# brew install knot
kdig -d @8.8.8.8 +tls-ca +tls-host=dns.google.com example.com

where 8.8.8.8 is the pre-resolved address of the TLS host (dns.google.com).


Update: Here is a tool (https://github.com/ameshkov/dnslookup) that supports all major DNS protocols on its own and is able to produce machine-readable output.
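As an added example (not part of the answer above, and not code from any of the tools it names), here is the wire-format side of the DoH curl command worked through in plain Python with only the standard library: building the RFC 1035 query, encoding it as the RFC 8484 `dns=` parameter (which reproduces the exact base64url value used in the curl command), and parsing the A records out of a response while handling name compression and a non-zero RCODE. The response bytes are constructed inline for offline use, not captured from a real server.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0xABCD) -> bytes:
    """Single-question DNS query in wire format (RFC 1035): header, QNAME, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def doh_get_param(query: bytes) -> str:  # RFC 8484: base64url with the '=' padding removed
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")

def read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return it and the offset just past it."""
    labels, end = [], 0
    for _ in range(128):  # hop bound so a crafted pointer loop cannot spin forever
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer into the message
            end = end or off + 2  # the name ends after the first pointer followed
            off = ((length & 0x3F) << 8) | msg[off + 1]
        elif length == 0:
            return ".".join(labels), end or off + 1
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length
    raise ValueError("name too long or compression pointer loop")

def parse_a_records(msg: bytes) -> list[tuple[str, int, str]]:
    """Return (owner, ttl, dotted address) for every A record in the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):  # skip the echoed question section (name + type + class)
        off = read_name(msg, off)[1] + 4
    records = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if (rtype, rclass, rdlen) == (1, 1, 4):
            records.append((owner, ttl, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return records

# Constructed response (not a real capture): QR|RD|RA flags, ANCOUNT=1, the question echoed,
# then one A record whose owner is the pointer c0 0c (offset 12), TTL 3600, address 192.0.2.1.
_q = build_query("www.example.com")
SAMPLE_RESPONSE = (_q[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + _q[12:] + b"\xc0\x0c"
                   + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1]))
```

`doh_get_param(build_query("www.example.com"))` yields the `dns=` value from the curl command, and the same `parse_a_records` works on the raw bytes curl writes when the `hexdump` is replaced by a file.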
