[getdns-users] Procedure to decrypt encrypted DNS query/response packets inside Wireshark ?
Sara Dickinson
sara at sinodun.com
Fri Jun 2 11:43:26 CEST 2017
> On 1 Jun 2017, at 18:32, Robert Edmonds <edmonds at debian.org> wrote:
>
> Sara Dickinson wrote:
>> From this you can see that you either need access to the private key of the server (works for RSA cipher suites) or to be able to create a SSL key log file from the DNS client (not so easy, not directly supported in Stubby).
>
> Seems like it would be easier and more useful to implement dnstap
> support in stubby + Wireshark than whatever is needed to break forward
> secrecy.
I’m inclined to agree with Robert here, in that I think a better solution is to implement some sort of generic debugging/logging mechanism that will work with all transports. The getdns response tree already provides a pretty detailed breakdown of the response contents including binary format for RDATA, we could consider extending the data provided there.
Sara.
More information about the Users
mailing list