How to get a DNS client that supports modern records


Introduction

Hello, I'm debiru (@debiru_R).

I'm a member of the Japanese DNS community group “Don't say Propagation”. The leader there is @tss_ontap_o.

This article describes how to query SVCB (TYPE64) / HTTPS (TYPE65) records in DNS.

The following uses the *.dns.netmeister.org domain name provided for verification purposes. See https://www.netmeister.org/blog/dns-rrs.html for more information.

I'll state my conclusion first

The easiest way is to install drill.

See the "In case of using drill" section.

In case of using dns.google

dns.google is a web service that allows you to make non-recursive queries online.

In case of using dig

For old dig (<= 9.16.20)

Old dig does not support the SVCB / HTTPS type names, but you can query TYPE64 / TYPE65 instead. However, the RDATA comes back as an undecoded hex string.

Query SVCB on old dig

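Old dig does not support SVCB. As the output below shows, it treats the unknown word SVCB as another query name: it sends an A query for "SVCB." to the default resolver, then an A query for svcb.dns.netmeister.org. to the specified server.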

Result of query
dig +norec SVCB svcb.dns.netmeister.org. @panix.netmeister.org.

; <<>> DiG 9.10.6 <<>> +norec SVCB svcb.dns.netmeister.org. @panix.netmeister.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31307
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;SVCB.				IN	A

;; Query time: 9 msec
;; SERVER: 192.168.40.1#53(192.168.40.1)
;; WHEN: Mon Feb 03 23:35:04 JST 2025
;; MSG SIZE  rcvd: 33

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38523
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;svcb.dns.netmeister.org.	IN	A

;; AUTHORITY SECTION:
dns.netmeister.org.	3600	IN	SOA	panix.netmeister.org. jschauma.netmeister.org. 2024102520 3600 300 3600000 3600

;; Query time: 194 msec
;; SERVER: 166.84.7.99#53(166.84.7.99)
;; WHEN: Mon Feb 03 23:35:04 JST 2025
;; MSG SIZE  rcvd: 117

Query HTTPS on old dig

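Old dig does not support HTTPS. As with SVCB, it treats HTTPS as a query name: it sends an A query for "HTTPS." to the default resolver, then an A query for https.dns.netmeister.org. to the specified server.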

Result of query
dig +norec HTTPS https.dns.netmeister.org. @panix.netmeister.org.

; <<>> DiG 9.10.6 <<>> +norec HTTPS https.dns.netmeister.org. @panix.netmeister.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56394
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;HTTPS.				IN	A

;; Query time: 19 msec
;; SERVER: 192.168.40.1#53(192.168.40.1)
;; WHEN: Mon Feb 03 23:38:28 JST 2025
;; MSG SIZE  rcvd: 34

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30366
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;https.dns.netmeister.org.	IN	A

;; AUTHORITY SECTION:
dns.netmeister.org.	3600	IN	SOA	panix.netmeister.org. jschauma.netmeister.org. 2024102520 3600 300 3600000 3600

;; Query time: 220 msec
;; SERVER: 166.84.7.99#53(166.84.7.99)
;; WHEN: Mon Feb 03 23:38:28 JST 2025
;; MSG SIZE  rcvd: 118

Query TYPE64 on old dig

If you want to get the value of the SVCB type in old dig, query TYPE64.

Result of query
dig +norec TYPE64 svcb.dns.netmeister.org. @panix.netmeister.org.

; <<>> DiG 9.10.6 <<>> +norec TYPE64 svcb.dns.netmeister.org. @panix.netmeister.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42776
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 12 ("..")
;; QUESTION SECTION:
;svcb.dns.netmeister.org.	IN	TYPE64

;; ANSWER SECTION:
svcb.dns.netmeister.org. 3600	IN	TYPE64	\# 50 00010570616E69780A6E65746D656973746572036F72670000030002 22B8000600102602F97708000000E27663FFFE723900

;; AUTHORITY SECTION:
dns.netmeister.org.	3600	IN	NS	panix.netmeister.org.

;; Query time: 236 msec
;; SERVER: 166.84.7.99#53(166.84.7.99)
;; WHEN: Mon Feb 03 23:40:59 JST 2025
;; MSG SIZE  rcvd: 134

Query TYPE65 on old dig

If you want to get the value of the HTTPS type in old dig, query TYPE65.

Result of query
dig +norec TYPE65 https.dns.netmeister.org. @panix.netmeister.org.

; <<>> DiG 9.10.6 <<>> +norec TYPE65 https.dns.netmeister.org. @panix.netmeister.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6385
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 12 ("..")
;; QUESTION SECTION:
;https.dns.netmeister.org.	IN	TYPE65

;; ANSWER SECTION:
https.dns.netmeister.org. 3600	IN	TYPE65	\# 47 0001000001000C02683208687474702F312E3100040004A654076300 0600102602F97708000000E27663FFFE723900
https.dns.netmeister.org. 3600	IN	TYPE65	\# 22 0000037777770A6E65746D656973746572036F726700

;; AUTHORITY SECTION:
dns.netmeister.org.	3600	IN	NS	panix.netmeister.org.

;; Query time: 184 msec
;; SERVER: 166.84.7.99#53(166.84.7.99)
;; WHEN: Mon Feb 03 23:41:49 JST 2025
;; MSG SIZE  rcvd: 172
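
The undecoded `\# <length> <hex>` strings that old dig prints can be decoded by hand. The following is an added example, not code from the original article: it parses the generic RDATA format (RFC 3597) as SVCB/HTTPS RDATA (SvcParamKey numbers per RFC 9460) and prints it the way new dig does. The function names are hypothetical, and only the parameter keys that appear on this page are given names.

```python
import ipaddress

# Constructed sample: the first TYPE65 RDATA string from the old-dig answer above.
HTTPS_RDATA = r"\# 47 0001000001000C02683208687474702F312E3100040004A654076300 0600102602F97708000000E27663FFFE723900"

def read_name(buf, pos):  # uncompressed wire-format name -> (text, next_pos)
    labels = []
    while True:
        if pos >= len(buf) or buf[pos] > 63 or pos + 1 + buf[pos] > len(buf):
            raise ValueError("truncated or compressed name in RDATA")
        n, pos = buf[pos], pos + 1
        if n == 0:
            return ".".join(labels + [""]) or ".", pos
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n

def format_param(key, val):  # render one SvcParam the way new dig prints it
    if key == 1:  # alpn: list of length-prefixed protocol IDs
        ids, i = [], 0
        while i < len(val):
            ids.append(val[i + 1:i + 1 + val[i]].decode("ascii"))
            i += 1 + val[i]
        return 'alpn="%s"' % ",".join(ids)
    if key == 3 and len(val) == 2:
        return "port=%d" % int.from_bytes(val, "big")
    if key in (4, 6):  # ipv4hint / ipv6hint: packed 4- or 16-byte addresses
        size = 4 if key == 4 else 16
        hints = [str(ipaddress.ip_address(val[i:i + size])) for i in range(0, len(val), size)]
        return "ipv%dhint=%s" % (key, ",".join(hints))
    return "key%d=%s" % (key, val.hex())  # keys not shown on this page stay as hex

def decode_generic_svcb(text):
    """Decode RFC 3597 '\\# <len> <hex>' RDATA of a TYPE64/TYPE65 answer."""
    fields = text.split()
    rdata = bytes.fromhex("".join(fields[2:]))
    if len(fields) < 3 or fields[0] != "\\#" or len(rdata) != int(fields[1]):
        raise ValueError("not RFC 3597 generic RDATA, or length mismatch")
    target, pos = read_name(rdata, 2)
    out = [str(int.from_bytes(rdata[:2], "big")), target]  # SvcPriority, TargetName
    while pos < len(rdata):
        key, length = (int.from_bytes(rdata[pos + o:pos + o + 2], "big") for o in (0, 2))
        val = rdata[pos + 4:pos + 4 + length]
        if pos + 4 > len(rdata) or len(val) != length:
            raise ValueError("truncated SvcParam")
        out.append(format_param(key, val))
        pos += 4 + length
    return " ".join(out)

print(decode_generic_svcb(HTTPS_RDATA))
```

Pass the string starting at `\#` exactly as old dig prints it; the space dig inserts inside the hex data is ignored.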

For new dig (>= 9.16.21)

Support for HTTPS and SVCB record types has been added. (This does not include ADDITIONAL section processing for these record types, only basic support for RR type parsing and printing.)

Query SVCB on new dig

Result of query
dig +norec SVCB svcb.dns.netmeister.org. @panix.netmeister.org.

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> +norec SVCB svcb.dns.netmeister.org. @panix.netmeister.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57154
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: b0c68d36929687890100000067a0ddfa9b595d971c091756 (good)
; EDE: 18 (Prohibited)
;; QUESTION SECTION:
;svcb.dns.netmeister.org.	IN	SVCB

;; ANSWER SECTION:
svcb.dns.netmeister.org. 3600	IN	SVCB	1 panix.netmeister.org. port=8888 ipv6hint=2602:f977:800:0:e276:63ff:fe72:3900

;; AUTHORITY SECTION:
dns.netmeister.org.	3600	IN	NS	panix.netmeister.org.

;; Query time: 179 msec
;; SERVER: 166.84.7.99#53(panix.netmeister.org.) (UDP)
;; WHEN: Tue Feb 04 00:17:14 JST 2025
;; MSG SIZE  rcvd: 162

Query HTTPS on new dig

Result of query
dig +norec HTTPS https.dns.netmeister.org. @panix.netmeister.org.

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> +norec HTTPS https.dns.netmeister.org. @panix.netmeister.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47514
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 87809ffad4fadb1b0100000067a0dd1fead31a4ecc5ff33c (good)
; EDE: 18 (Prohibited)
;; QUESTION SECTION:
;https.dns.netmeister.org.	IN	HTTPS

;; ANSWER SECTION:
https.dns.netmeister.org. 3600	IN	HTTPS	0 www.netmeister.org.
https.dns.netmeister.org. 3600	IN	HTTPS	1 . alpn="h2,http/1.1" ipv4hint=166.84.7.99 ipv6hint=2602:f977:800:0:e276:63ff:fe72:3900

;; AUTHORITY SECTION:
dns.netmeister.org.	3600	IN	NS	panix.netmeister.org.

;; Query time: 172 msec
;; SERVER: 166.84.7.99#53(panix.netmeister.org.) (UDP)
;; WHEN: Tue Feb 04 00:13:35 JST 2025
;; MSG SIZE  rcvd: 200

Note about new dig

On new dig, querying TYPE64 or TYPE65 yields the same decoded result as querying SVCB or HTTPS.

The two SVCB commands below return the same result as each other, and so do the two HTTPS commands.

dig +norec SVCB svcb.dns.netmeister.org. @panix.netmeister.org.
dig +norec TYPE64 svcb.dns.netmeister.org. @panix.netmeister.org.
dig +norec HTTPS https.dns.netmeister.org. @panix.netmeister.org.
dig +norec TYPE65 https.dns.netmeister.org. @panix.netmeister.org.

In case of using drill

How to install drill for Linux (debian / ubuntu)

sudo apt install ldnsutils

How to install drill for macOS

brew install ldns

Query SVCB on drill

Result of query
drill -o rd SVCB svcb.dns.netmeister.org. @panix.netmeister.org.
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 49927
;; flags: qr aa ; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 
;; QUESTION SECTION:
;; svcb.dns.netmeister.org.	IN	SVCB

;; ANSWER SECTION:
svcb.dns.netmeister.org.	3600	IN	SVCB	1 panix.netmeister.org. port=8888 ipv6hint=2602:f977:800:0:e276:63ff:fe72:3900

;; AUTHORITY SECTION:
dns.netmeister.org.	3600	IN	NS	panix.netmeister.org.

;; ADDITIONAL SECTION:

;; Query time: 168 msec
;; SERVER: 166.84.7.99
;; WHEN: Tue Feb  4 00:30:03 2025
;; MSG SIZE  rcvd: 117

Query HTTPS on drill

Result of query
drill -o rd HTTPS https.dns.netmeister.org. @panix.netmeister.org.
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 52238
;; flags: qr aa ; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0 
;; QUESTION SECTION:
;; https.dns.netmeister.org.	IN	HTTPS

;; ANSWER SECTION:
https.dns.netmeister.org.	3600	IN	HTTPS	1 . alpn=h2,http/1.1 ipv4hint=166.84.7.99 ipv6hint=2602:f977:800:0:e276:63ff:fe72:3900
https.dns.netmeister.org.	3600	IN	HTTPS	0 www.netmeister.org.

;; AUTHORITY SECTION:
dns.netmeister.org.	3600	IN	NS	panix.netmeister.org.

;; ADDITIONAL SECTION:

;; Query time: 173 msec
;; SERVER: 166.84.7.99
;; WHEN: Tue Feb  4 00:30:48 2025
;; MSG SIZE  rcvd: 155

In case of using dug

dug is a Japanese-made DNS library that extends dig.

How to install dug

Install cabal with ghcup

When executing shell scripts obtained from outside sources, please check their contents carefully before executing them.

curl --proto '=https' --tlsv1.2 -sSf https://get-ghcup.haskell.org | sh

Install cab

cabal update
cabal install cab

Install dug

git clone https://github.com/kazu-yamamoto/dnsext.git
cd dnsext
sh build.sh

Query SVCB on dug

Result of query
dug svcb.dns.netmeister.org. SVCB +norec @panix.netmeister.org.
;; 166.84.7.99#53/UDP, Tx:52bytes, Rx:134bytes
;; HEADER SECTION:
;Standard query, NoError, id: 17377
;Flags: Authoritative Answer


;; OPTIONAL PSEUDO EDNS SECTION:
;Version: 0, UDP: 1232, DNSSEC OK: False, Data:[EDNSError{ info-code=18 extra-text="" [\# 0 ] }]

;; QUESTION SECTION:
;svcb.dns.netmeister.org.		IN	SVCB

;; ANSWER SECTION:
svcb.dns.netmeister.org.	3600(1 hour)	IN	SVCB	RD_SVCB {svcb_priority = 1, svcb_target = "panix.netmeister.org.", svcb_params = {port=8888, ipv6hint=[2602:f977:800:0:e276:63ff:fe72:3900]}}

;; AUTHORITY SECTION:
dns.netmeister.org.	3600(1 hour)	IN	NS	panix.netmeister.org.

;; ADDITIONAL SECTION:

;; 219usec

Query HTTPS on dug

Result of query
dug https.dns.netmeister.org. HTTPS +norec @panix.netmeister.org.
;; 166.84.7.99#53/UDP, Tx:53bytes, Rx:172bytes
;; HEADER SECTION:
;Standard query, NoError, id: 65060
;Flags: Authoritative Answer


;; OPTIONAL PSEUDO EDNS SECTION:
;Version: 0, UDP: 1232, DNSSEC OK: False, Data:[EDNSError{ info-code=18 extra-text="" [\# 0 ] }]

;; QUESTION SECTION:
;https.dns.netmeister.org.		IN	HTTPS

;; ANSWER SECTION:
https.dns.netmeister.org.	3600(1 hour)	IN	HTTPS	RD_HTTPS {https_priority = 1, https_target = ".", https_params = {alpn=["h2","http/1.1"], ipv4hint=[166.84.7.99], ipv6hint=[2602:f977:800:0:e276:63ff:fe72:3900]}}
https.dns.netmeister.org.	3600(1 hour)	IN	HTTPS	RD_HTTPS {https_priority = 0, https_target = "www.netmeister.org.", https_params = {}}

;; AUTHORITY SECTION:
dns.netmeister.org.	3600(1 hour)	IN	NS	panix.netmeister.org.

;; ADDITIONAL SECTION:

;; 262usec

Finally

We have seen how to query SVCB and HTTPS records using old dig, new dig, drill, and dug. I hope this article is helpful to you.

As an aside, there is something called djbdns. This is the collective name for dnscache, a cache server developed by DJB, and tinydns, an authoritative server.

tinydns makes it easy to automatically issue TLS server certificates for wildcard domain names using the DNS-01 challenge with Let's Encrypt on your web server.

Try tinydns if you are interested. If you don't know how to do it, please feel free to contact @debiru_R in English or Japanese.

Learn more about DNS and enjoy DNS more!
