Debian 11 - DNS test DoT and DoH with dig

If you maintain a DNS resolver, you need to test several protocols these days: DoT (DNS over TLS), DoH (DNS over HTTPS) and plain DNS over UDP and TCP all have to be served by a modern resolver.

Unfortunately, unbound and dig on Debian Bullseye both ship without DoH support: either the version is too old or the necessary compile flags were not set.

To at least test DoH and DoT with dig, there is a backported package that replaces only dig and nslookup and adds DoH support to dig.

Because of conflicting library versions, the bind9 server package has to be installed from backports as well if it runs on the same host.

# Install dnsutils from backports for DoH support
echo "deb http://deb.debian.org/debian bullseye-backports main" >> /etc/apt/sources.list
apt-get update
apt-get install dnsutils/bullseye-backports \
                bind9-dnsutils/bullseye-backports \
                bind9-host/bullseye-backports

DNS_SERVER="37.120.164.45"

# test DoT port 853
dig @${DNS_SERVER} +tls google.de

# test DoH port 443
dig @${DNS_SERVER} +https google.de

# test TCP port 53
dig @${DNS_SERVER} +tcp google.de

# test UDP port 53
dig @${DNS_SERVER} google.de

# dnssec test A
dig @${DNS_SERVER} sigok.verteiltesysteme.net

# dnssec test servfail
dig @${DNS_SERVER} sigfail.verteiltesysteme.net
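As an added example (not part of the original post), the following POSIX sh script runs the same six checks against the resolver from the post and grades each one by dig's status line and the "ad" flag a validating resolver sets, so sigok must come back NOERROR with "ad" and sigfail must come back SERVFAIL. The header fragments at the end are constructed samples so the grader can be exercised without network access; the resolver address and the `+tls`/`+https` options need the backports dig described above.

```shell
#!/bin/sh
# Extract the status (NOERROR, SERVFAIL, ...) from dig's ->>HEADER<<- line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the header flags include "ad" (the resolver validated DNSSEC).
dig_has_ad() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# Grade one query: $1 label, $2 dig output, $3 expected status,
# $4 "ad" if the answer must be authenticated. Returns 0 on pass.
grade() {
    got=$(dig_status "$2")
    [ -n "$got" ] || got=NOANSWER        # timeout or connection error
    if [ "$got" != "$3" ]; then
        echo "FAIL $1: status $got, expected $3"; return 1
    fi
    if [ "$4" = ad ] && ! dig_has_ad "$2"; then
        echo "FAIL $1: no ad flag, answer was not validated"; return 1
    fi
    echo "PASS $1"
}

# The six checks from the post, against the resolver given as $1.
run_live() {
    srv=${1:-37.120.164.45}; rc=0; q=google.de
    grade "DoT 853" "$(dig @"$srv" +tls   +time=5 +tries=1 $q 2>&1)" NOERROR || rc=1
    grade "DoH 443" "$(dig @"$srv" +https +time=5 +tries=1 $q 2>&1)" NOERROR || rc=1
    grade "TCP 53"  "$(dig @"$srv" +tcp   +time=5 +tries=1 $q 2>&1)" NOERROR || rc=1
    grade "UDP 53"  "$(dig @"$srv"        +time=5 +tries=1 $q 2>&1)" NOERROR || rc=1
    grade "DNSSEC sigok"   "$(dig @"$srv" sigok.verteiltesysteme.net   2>&1)" NOERROR ad || rc=1
    grade "DNSSEC sigfail" "$(dig @"$srv" sigfail.verteiltesysteme.net 2>&1)" SERVFAIL   || rc=1
    return $rc
}

# Constructed dig header fragments (not real captures) for an offline self-check.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_DEAD=';; communications error to 192.0.2.1#853: timed out'

grade "sample validated"   "$SAMPLE_OK"    NOERROR ad
grade "sample bogus"       "$SAMPLE_BOGUS" SERVFAIL
grade "sample unreachable" "$SAMPLE_DEAD"  NOERROR || true
```

Call `run_live "$DNS_SERVER"` to run the real checks; the exit status is non-zero if any transport or DNSSEC check fails.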
