Laura Chappell

Watch for a New DNS Type: HTTPS

You've captured some DNS traffic and are perusing through the packets.

You see the regular Resource Record (RR) Type A requests for IPv4 addresses.

You see the regular RR Type AAAA requests for IPv6 addresses.

And then you see... Type 65 - HTTPS.

DNS Request - HTTPS

This DNS Type is covered in RFC 9460, Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records). (Start reading at Section 9.)

Essentially, HTTPS records enable browsers to get more information about a website than just its IP address. For example, you can find out what version of HTTP the server supports. The purpose of the HTTPS record is to save the browser from doing a bunch of other DNS lookups and protocol negotiation.

Currently, you will see a lot of SOA responses to HTTPS requests - no additional information will be provided. This clearly indicates that no endpoint information is available via the DNS response.

Inside HTTPS response

In the image above, we only received SOA (Start of Zone Authority) information in response to the HTTPS request. Nothing interesting was learned from that response (other than name server information).

Wondering if you have some of these packets lingering around in your trace file? Apply this display filter:

dns.qry.type == 65

Try this

Download DNS-HTTPStype.pcapng to see an example of this HTTPS Type in action. Frames 2 and 4 contain responses to HTTPS Type requests.

HTTPS ALPN Information

Can you create a display filter to detect responses that contain HTTPS endpoint information?

In this response, you notice the Service Parameter Key 1 (alpn). ALPN stands for Application Layer Protocol Negotiation. From this response, we have learned that the server supports HTTP/2 and HTTP/3 (as indicated by "h2" and "h3" in the ALPN fields).
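To see where those "h2" and "h3" values sit on the wire, here is an added Python example (not from the original post or the trace file) that decodes the RDATA of an HTTPS (Type 65) record using the layout in RFC 9460: SvcPriority, TargetName, then the Service Parameters. The function names and the sample bytes are constructed for illustration.

```python
import struct

# SvcParamKey numbers from RFC 9460 (subset); key 1 is alpn.
KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
        4: "ipv4hint", 6: "ipv6hint"}

def read_name(buf, off):
    """Read an uncompressed domain name; return (name, next_offset)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return (".".join(labels) or "."), off
        if n > 63:  # TargetName must not use compression pointers
            raise ValueError("compressed or invalid label in TargetName")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def parse_alpn(value):
    """alpn value = list of protocol IDs, each with a 1-byte length prefix."""
    ids, off = [], 0
    while off < len(value):
        n = value[off]
        if n == 0 or off + 1 + n > len(value):
            raise ValueError("malformed alpn-id")
        ids.append(value[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ids

def parse_https_rdata(rdata):
    """Decode HTTPS RDATA into (priority, target, params)."""
    (priority,) = struct.unpack_from("!H", rdata, 0)  # 0 = AliasMode
    target, off = read_name(rdata, 2)
    params = {}
    while off < len(rdata):
        key, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        value = rdata[off:off + length]
        if len(value) != length:
            raise ValueError("SvcParam runs past end of RDATA")
        off += length
        params[KEYS.get(key, f"key{key}")] = parse_alpn(value) if key == 1 else value
    return priority, target, params

# Constructed sample: priority 1, target ".", alpn = h2, h3
SAMPLE = bytes.fromhex("0001" "00" "0001" "0006" "026832" "026833")
if __name__ == "__main__":
    print(parse_https_rdata(SAMPLE))
```

A response that carries only SOA information has no HTTPS RDATA to decode at all, which is the difference between the two kinds of response described in this post.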

Not familiar with ALPNs? I'll try to document a bit more about them in future blogs. Keep following along - hopefully, you'll learn something new each week.


