[getdns-users] Procedure to decrypt encrypted DNS query/response packets inside Wireshark ?

Sara Dickinson sara at sinodun.com
Fri Jun 2 09:43:26 UTC 2017

> On 1 Jun 2017, at 18:32, Robert Edmonds <edmonds at debian.org> wrote:
> Sara Dickinson wrote:
>> From this you can see that you either need access to the private key of the server (works for RSA cipher suites) or to be able to create a SSL key log file from the DNS client (not so easy, not directly supported in Stubby).
> Seems like it would be easier and more useful to implement dnstap
> support in stubby + Wireshark than whatever is needed to break forward
> secrecy.

I’m inclined to agree with Robert here, in that I think a better solution is to implement some sort of generic debugging/logging mechanism that will work with all transports. The getdns response tree already provides a pretty detailed breakdown of the response contents including binary format for RDATA, we could consider extending the data provided there.  


More information about the Users mailing list