Ask Your Question
0

Why isn't DNS-over-TLS (DoT) - RFC7858 - being dissected by Wireshark 3.0?

asked 2019-07-11 12:32:48 +0000

SaraD gravatar image

updated 2019-07-11 17:27:36 +0000

Guy Harris gravatar image

I see that Wireshark 3.0 now has support for DoH (DNS-over-HTTPS, RFC8484), but I can't see anyway to make it decode DNS-over-TLS on the IANA assigned port (853). I can decode the raw bytes, but they are not recognised as DNS.

Please let me know if this is supported and I am just missing something.

Otherwise please let me know if there are plans to support this in future?

edit retag flag offensive close merge delete

Comments

Is the decryption working? The data can't be dissected as DNS unless it can be decrypted.

grahamb gravatar imagegrahamb ( 2019-07-11 12:46:36 +0000 )edit

Are you able to share the trace, with the DoH?

xinxolHH gravatar imagexinxolHH ( 2019-07-11 14:36:38 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-07-12 15:00:45 +0000

SaraD gravatar image

updated 2019-07-12 15:21:51 +0000

grahamb gravatar image

OK - so this does work if you either

  1. simply configure the RSA key in the new 'RSA Keys' dialog in the preferences OR
  2. configure the key in the Protocols->TLS->RSA keys list AND then use the 'Decode as' dialog to instruct wireshark to decode port 853 as DNS

I was confused because when using the second method the default 'Decode as' protocol for port 853 seems to be TLS not DNS, but manually overriding this works.

edit flag offensive delete link more

Comments

DNS-over-TLS (DoT) is different from DNS-over-HTTPS (DoH). The former defaults to TCP port 853 where the latter runs over TCP port 443.

Lekensteyn gravatar imageLekensteyn ( 2019-07-20 17:28:33 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2019-07-11 12:32:48 +0000

Seen: 2,465 times

Last updated: Jul 12 '19

Related questions

is the domain from opendns ?

dns request, response malformed?

Malformed DNS response

ARP protocol in Handover

LUA script how to get all IPs from DNS.A (dns answer)

DNSSEC response marked as Malformed

DNS Checksum

DNS amplification attack

Wireshark keeps getting source port incorrect

what filter would display just dns or icmp traffic from 8.8.8.8

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2