.\" https://man.openbsd.org/mdoc.7
.Op Fl doh Ar URL | Fl dot Ar HOST : Ns Ar PORT | Fl udp Ar HOST : Ns Ar PORT
.Op Fl pubkey Ar HEX | Fl pubkey-file Ar FILENAME
.Ar LOCALADDR : Ns Ar LOCALPORT
is the client portion of a DNS tunnel.
It receives TCP connections at
.Ar LOCALADDR : Ns Ar LOCALPORT
encoded as a sequence of DNS messages
and via a recursive resolver,
running as the authoritative name server for
The DNS messages may be carried over
or classical DNS over UDP.
You must use exactly one of the
to specify what form of DNS to use:
is the URL of the DNS over HTTPS resolver,
path if used by the resolver.
.Lk https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-servers
for a list of public DNS over HTTPS resolvers.
.It Fl dot Ar HOST : Ns Ar PORT
are the TCP address of the DNS over TLS resolver.
.Lk https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers#DNSPrivacyPublicResolvers-DNS-over-TLS%28DoT%29
for a list of public DNS over TLS resolvers.
.It Fl udp Ar HOST : Ns Ar PORT
are the UDP address of the DNS resolver.
you have the option of communicating directly with an instance of
without going through a recursive resolver.
may point directly at the authoritative name server for
In addition, you must use one of the
options to specify the public key used
for authenticating the server and encrypting the channel.
The public key should have been generated by
.Ql dnstt-server -gen-key .
prints its public key at the beginning of its log output.
is a string of 64 hexadecimal digits.
.It Fl pubkey-file Ar FILENAME
is the name of a file containing
64 hexadecimal digits and an
optional trailing newline character.
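The two key forms described above, as an added example that is not dnstt's own code: a strict parser that accepts exactly 64 hexadecimal digits from the command line, or the same digits plus at most one trailing newline from a file, and rejects everything else. Function names are hypothetical; the key value is the one from the EXAMPLES section; accepting a CRLF line ending is a leniency of this example, not something the page states.

```go
package main

// Added example (not dnstt's own code): validate a server public key given
// either as 64 hex digits on the command line or as the contents of a key
// file. Function names are hypothetical.

import (
	"encoding/hex"
	"fmt"
	"os"
	"strings"
)

const pubkeyHexLen = 64 // 32-byte key, two hex digits per byte

// parsePubkeyHex decodes a key given directly (the -pubkey form).
// It accepts exactly 64 hex digits, upper or lower case, and nothing else.
func parsePubkeyHex(s string) ([32]byte, error) {
	var key [32]byte
	if len(s) != pubkeyHexLen {
		return key, fmt.Errorf("public key must be %d hex digits, got %d", pubkeyHexLen, len(s))
	}
	if _, err := hex.Decode(key[:], []byte(s)); err != nil {
		return key, fmt.Errorf("public key is not valid hex: %v", err)
	}
	return key, nil
}

// parsePubkeyFileContents handles the -pubkey-file form: 64 hex digits and
// at most one trailing newline. Accepting "\r\n" as well is this example's
// own leniency; whitespace anywhere else is rejected.
func parsePubkeyFileContents(data []byte) ([32]byte, error) {
	s := string(data)
	s = strings.TrimSuffix(s, "\n")
	s = strings.TrimSuffix(s, "\r")
	return parsePubkeyHex(s)
}

// readPubkeyFile reads and validates the named key file.
func readPubkeyFile(name string) ([32]byte, error) {
	data, err := os.ReadFile(name)
	if err != nil {
		return [32]byte{}, err
	}
	return parsePubkeyFileContents(data)
}

func main() {
	// Constructed input: the key from the EXAMPLES section, written to a
	// temporary file with a trailing newline, as -gen-key output might be saved.
	const k = "14ca15f53660e248d289d9302f992c4bee518f2361d6343dafa7b417b5a3d752"
	f, err := os.CreateTemp("", "server.pub")
	if err != nil {
		panic(err)
	}
	defer os.Remove(f.Name())
	f.WriteString(k + "\n")
	f.Close()
	key, err := readPubkeyFile(f.Name())
	fmt.Printf("key=%x err=%v\n", key, err)
}
```

Being strict about length and stray whitespace matters here because the key is the only thing authenticating the server: a silently truncated or mangled key should fail loudly at startup rather than produce a handshake failure that is hard to diagnose.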
.Op Ar weight Ns Sy * Ns
Set the weighted distribution of TLS fingerprints.
.Lk https://github.com/refraction-networking/utls "uTLS"
to disguise its TLS fingerprint.
By default, a fingerprint is selected randomly from a weighted distribution.
You can control the distribution using the
option, which takes an argument of a comma-separated
list of fingerprint labels,
each optionally preceded by an integer weight and
If a weight is omitted, it is taken to be 1.
.Bl -item -offset indent -compact
-utls '3*Firefox,2*Chrome,1*iOS'
option to see the default distribution
and the set of available fingerprint labels.
stands for a randomized fingerprint.
disables uTLS and uses the native Go crypto/tls fingerprint.
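The weighted-distribution syntax described above, as an added example that is not dnstt's own code: a parser for the comma-separated list of optionally weighted labels (a missing weight counts as 1) and a sampler that draws a label with probability proportional to its weight. The labels Firefox, Chrome and iOS are taken from the page's example; the real set is whatever -help prints. Function names are hypothetical.

```go
package main

// Added example (not dnstt's own code): parse a -utls weight specification
// such as "3*Firefox,2*Chrome,1*iOS" and draw a label from it. The labels
// are only illustrative; -help prints the real set.

import (
	"fmt"
	"math/rand"
	"strconv"
	"strings"
)

// fingerprintWeight is one entry of the distribution.
type fingerprintWeight struct {
	Label  string
	Weight int
}

// parseUTLSDistribution splits spec on commas; each item is either "label"
// or "N*label" with N a positive integer. A missing weight counts as 1.
func parseUTLSDistribution(spec string) ([]fingerprintWeight, error) {
	var dist []fingerprintWeight
	for _, item := range strings.Split(spec, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			return nil, fmt.Errorf("empty entry in %q", spec)
		}
		weight, label := 1, item
		if i := strings.Index(item, "*"); i >= 0 {
			n, err := strconv.Atoi(item[:i])
			if err != nil || n <= 0 {
				return nil, fmt.Errorf("bad weight in %q", item)
			}
			weight, label = n, item[i+1:]
		}
		if label == "" {
			return nil, fmt.Errorf("missing label in %q", item)
		}
		dist = append(dist, fingerprintWeight{label, weight})
	}
	return dist, nil
}

// sampleFingerprint picks a label with probability weight/sum(weights).
func sampleFingerprint(dist []fingerprintWeight, r *rand.Rand) string {
	total := 0
	for _, d := range dist {
		total += d.Weight
	}
	if total == 0 {
		return ""
	}
	x := r.Intn(total)
	for _, d := range dist {
		if x < d.Weight {
			return d.Label
		}
		x -= d.Weight
	}
	return dist[len(dist)-1].Label // not reached: x < total
}

func main() {
	dist, err := parseUTLSDistribution("3*Firefox,2*Chrome,1*iOS")
	if err != nil {
		panic(err)
	}
	r := rand.New(rand.NewSource(1))
	counts := map[string]int{}
	for i := 0; i < 6000; i++ {
		counts[sampleFingerprint(dist, r)]++
	}
	fmt.Println(counts) // expect roughly a 3:2:1 split
}
```

A zero or negative weight is rejected rather than treated as "never": a label you do not want should simply be left out of the list, and a spec that sums to zero would otherwise leave nothing to sample from.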
Describes command line usage.
Shows the default value of
and the available TLS fingerprint labels.
Tunnel through the DNS over HTTPS resolver at
.Cm https://resolver.example/dns-query
to the authoritative name server for
for connections to forward through the tunnel.
Use the server public key stored in the file
.Bd -literal -offset indent
dnstt-client -doh https://resolver.example/dns-query -pubkey-file server.pub t.example.com 127.0.0.1:7000
Tunnel through the DNS over TLS resolver at
.Cm resolver.example:853
to the authoritative name server for
for connections to forward through the tunnel.
Use the given hex string as the server public key.
.Bd -literal -offset indent
dnstt-client -dot resolver.example:853 -pubkey 14ca15f53660e248d289d9302f992c4bee518f2361d6343dafa7b417b5a3d752 t.example.com 127.0.0.1:7000
writes running logs to standard error.
logs the amount of useful payload capacity that can be stored
in each DNS query, after accounting for the overhead of encoding.
This number will vary depending on the length of
.Dl effective MTU 128
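To see why the capacity depends on the length of the domain name, here is an added example that is not dnstt's own code: it estimates how many raw bytes can be packed into the labels prepended to a zone, assuming only the RFC 1035 limits (255 octets per wire-format name, 63 per label) and a base32 encoding at 5 bits per character. It deliberately ignores whatever per-packet framing the tunnel adds, so its figure is an upper bound and will not match the effective MTU that dnstt-client logs; the zone names used are assumptions.

```go
package main

// Added example (not dnstt's own code): estimate how much raw payload fits
// in one query name under a given zone. It assumes the RFC 1035 name and
// label limits and a base32 encoding (5 bits per character), and it ignores
// any per-packet framing the tunnel adds, so the figure it gives is an upper
// bound, not the "effective MTU" dnstt-client logs.

import (
	"fmt"
	"strings"
)

const (
	maxNameWire       = 255 // RFC 1035: octets in a domain name on the wire
	maxLabelLen       = 63  // RFC 1035: octets in one label
	base32BitsPerChar = 5   // RFC 4648 base32: bits carried per character
)

// wireLen is the on-the-wire length of a domain name: one length octet per
// label plus the label bytes, plus one octet for the empty root label.
func wireLen(domain string) int {
	n := 1
	for _, l := range strings.Split(strings.Trim(domain, "."), ".") {
		n += 1 + len(l)
	}
	return n
}

// dataChars is how many encoded characters fit in the labels prepended to
// domain, packing them into labels of at most maxLabelLen characters.
func dataChars(domain string) int {
	budget := maxNameWire - wireLen(domain) // octets left for data labels
	if budget <= 0 {
		return 0
	}
	full := budget / (maxLabelLen + 1) // whole 63-char labels, each with its length octet
	chars := full * maxLabelLen
	if rem := budget % (maxLabelLen + 1); rem > 1 {
		chars += rem - 1 // a final short label: one length octet, rem-1 characters
	}
	return chars
}

// payloadBytes converts encoded characters to raw bytes: chars * 5 / 8.
func payloadBytes(domain string) int {
	return dataChars(domain) * base32BitsPerChar / 8
}

func main() {
	// Constructed zone names: the one from EXAMPLES and a longer one.
	for _, zone := range []string{"t.example.com", "tunnel.subdomain.example.org"} {
		fmt.Printf("%-30s name octets=%2d data chars=%3d payload bytes=%3d\n",
			zone, wireLen(zone), dataChars(zone), payloadBytes(zone))
	}
}
```

Every octet of the zone name is an octet that cannot carry data, and the per-label length octets add further overhead, which is why a short zone such as t.example.com gives a larger per-query capacity than a long one.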
.Sh SECURITY CONSIDERATIONS
option is not covert,
and is intended for debugging and special configurations.
modes provide protection against detection of the tunnel,
because they encrypt DNS messages between
and the recursive resolver.
mode sends plaintext DNS messages,
which reveal the use of a DNS tunnel by their special format.
it may be possible for an observer to infer
by traffic metadata features such as
traffic volume and timing.
The recursive resolver can see the plaintext of DNS messages
and is always in a position to easily detect the use of a tunnel.
But even if the use of a tunnel is detected, the
of the tunnel remain encrypted and authenticated.
The end-to-end encryption and authentication of the tunnel is a separate layer,
independent of the encryption
provided by DNS over HTTPS or DNS over TLS.
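To make concrete what "in a position to easily detect" means for the recursive resolver (or for an on-path observer in the -udp mode), here is an added example that is not dnstt's own code: a heuristic over plaintext query names that flags long, high-entropy labels below a zone, which is what any scheme that encodes arbitrary data into names produces. It is not a description of dnstt's actual message format, the thresholds are illustrative, and the sample names are constructed. Note that this only reads the query name; it says nothing about the tunnel payload, which stays encrypted and authenticated end to end regardless.

```go
package main

// Added example (not dnstt's own code): the kind of heuristic a recursive
// resolver operator, who sees every query name in plaintext, could run to
// spot tunnel-like queries under a zone. It keys on long, high-entropy
// labels, which is what any encoding of arbitrary data into query names
// produces; it is not a description of dnstt's actual message format, and
// the thresholds are illustrative.

import (
	"fmt"
	"math"
	"strings"
)

// queryFeatures summarizes the part of a query name below the zone.
type queryFeatures struct {
	Labels       int     // labels below the zone
	LongestLabel int     // length of the longest such label
	Entropy      float64 // Shannon entropy, bits per character, of those labels
}

// shannonEntropy returns the per-character entropy of s.
func shannonEntropy(s string) float64 {
	if s == "" {
		return 0
	}
	counts := map[rune]int{}
	n := 0
	for _, c := range s {
		counts[c]++
		n++
	}
	h := 0.0
	for _, c := range counts {
		p := float64(c) / float64(n)
		h -= p * math.Log2(p)
	}
	return h
}

// featuresUnder extracts features of qname relative to zone. ok is false
// if qname is not at or below zone.
func featuresUnder(qname, zone string) (f queryFeatures, ok bool) {
	q := strings.ToLower(strings.TrimSuffix(qname, "."))
	z := strings.ToLower(strings.TrimSuffix(zone, "."))
	if q == z {
		return queryFeatures{}, true // query for the zone apex carries no data labels
	}
	suffix := "." + z
	if !strings.HasSuffix(q, suffix) {
		return queryFeatures{}, false
	}
	sub := strings.TrimSuffix(q, suffix)
	labels := strings.Split(sub, ".")
	for _, l := range labels {
		if len(l) > f.LongestLabel {
			f.LongestLabel = len(l)
		}
	}
	f.Labels = len(labels)
	f.Entropy = shannonEntropy(strings.ReplaceAll(sub, ".", ""))
	return f, true
}

// looksLikeTunnel flags a query whose longest label is near the 63-octet
// limit and whose characters look like encoded data rather than words.
func looksLikeTunnel(f queryFeatures) bool {
	return f.LongestLabel >= 40 && f.Entropy >= 3.5
}

func main() {
	// Constructed sample query names under the zone from the EXAMPLES section.
	const zone = "t.example.com"
	for _, q := range []string{
		"www.t.example.com.",
		"k4qm2xev7tbwnzjh6plyfcr3ga5udso2ibxk7ntqm4wer6zajc5hv3pgl2ydnb.t.example.com.",
	} {
		f, ok := featuresUnder(q, zone)
		fmt.Printf("%-80s ok=%v longest=%d entropy=%.2f tunnel=%v\n",
			q, ok, f.LongestLabel, f.Entropy, looksLikeTunnel(f))
	}
}
```

With DNS over HTTPS or DNS over TLS an on-path observer cannot run this check because it never sees the names, but the resolver itself still can; choosing a resolver is therefore part of the threat model, not just a connectivity detail.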
.Lk https://www.bamsoftware.com/software/dnstt/
.An David Fifield Aq Mt david@bamsoftware.com