Hostname verification over TLS about doggo HOT 5 CLOSED

I was wondering if this could be solved like this (based on google dns):

doggo @tls://dns.google:443/dns-query -n 8.8.4.4 .......

Then you have the IP (no DNS leakage due to hostname resolution by doggo) already, and the hostname specified. Seems the libraries/modules used already to hostname-verification if a hostname is used (but I could be wrong).

But it seems as soon as -n is used, doggo reverts back to udp/unencrypted?

BTW: Using the --nameserver version of the option results in an error as unknown option.

from doggo.

But it seems as soon as -n is used, doggo reverts back to udp/unencrypted?

Hm, that seems a bug. I'll investigate.

from doggo.

But it seems as soon as -n is used, doggo reverts back to udp/unencrypted?

Hm, that seems a bug. I'll investigate.

It is actually doing both when specified:

doggo @https://dns.google:443/dns-query -n 8.8.4.4 -q google.com ns
NAME       	TYPE	CLASS	TTL   	ADDRESS        	NAMESERVER                       
google.com.	NS  	IN   	15862s	ns4.google.com.	8.8.4.4:53                      	
google.com.	NS  	IN   	15862s	ns1.google.com.	8.8.4.4:53                      	
google.com.	NS  	IN   	15862s	ns2.google.com.	8.8.4.4:53                      	
google.com.	NS  	IN   	15862s	ns3.google.com.	8.8.4.4:53                      	
google.com.	NS  	IN   	21600s	ns1.google.com.	https://dns.google:443/dns-query	
google.com.	NS  	IN   	21600s	ns2.google.com.	https://dns.google:443/dns-query	
google.com.	NS  	IN   	21600s	ns3.google.com.	https://dns.google:443/dns-query	
google.com.	NS  	IN   	21600s	ns4.google.com.	https://dns.google:443/dns-query

I think when something else then udp:// and tcp:// is used, the ip-address with -n should be used for the name-server hostname, instead of resolving it using the system resolver (which would be the default if -n was not specified).

This is also nice to have all dns traffic encrypted, and prevent some unencrypted leakage during bootstrap of the hostname IP.

Great tool BTW, keep up the good work!

from doggo.

I've decided to add 2 new flags:

➜  doggo git:(main) ✗ ./bin/doggo.bin google.se @tls://193.19.108.3 --tls-hostname=adblock.doh.mullvad.net
NAME      	TYPE	CLASS	TTL 	ADDRESS      	NAMESERVER       
google.se.	A   	IN   	300s	142.250.200.3	193.19.108.3:853	

➜  doggo git:(main) ✗ ./bin/doggo.bin google.se @tls://193.19.108.3 --skip-hostname-verification 
NAME      	TYPE	CLASS	TTL	ADDRESS      	NAMESERVER       
google.se.	A   	IN   	30s	142.250.200.3	193.19.108.3:853	

Will push soon.

from doggo.

Released https://github.com/mr-karan/doggo/releases/tag/v0.5.2 which has these flags.

Feel free to re-open in case I missed something.

from doggo.