Description
When using the flag --tls-ech-enable, wstunnel makes 3 DNS requests: 1 HTTPS, 1 A and 1 AAAA.
I think A and AAAA requests are superfluous, since HTTPS already contains addresses for connecting:
Standard query 0xf3fa HTTPS example.com
Standard query response 0xf3fa HTTPS example.com HTTPS OPT
Standard query 0xe230 A example.com
Standard query 0x07c2 AAAA example.com
Standard query response 0xe230 A example.com A 172.......
Standard query response 0x07c2 AAAA example.com AAAA 2606:.......
Answers
example.com: type HTTPS, class IN
Name: example.com
Type: HTTPS (65) (HTTPS Specific Service Endpoints)
Class: IN (0x0001)
Time to live: 173 (2 minutes, 53 seconds)
Data length: 136
SvcPriority: 1
TargetName: <Root>
SvcParam: alpn=h3,h2
SvcParam: ipv4hint=104.........
SvcParamKey: ipv4hint (4)
SvcParamValue length: 8
IP: 104.........
IP: 172.........
SvcParam: ech
SvcParamKey: ech (5)
SvcParamValue length: 71
ECHConfigList length: 69
ECHConfig: id=241 cloudflare-ech.com
Version: 0xfe0d
Length: 65
HPKE Key Config
Config Id: 241
KEM Id: DHKEM(X25519, HKDF-SHA256) (32)
Public Key length: 32
Public Key: ................
Cipher Suites length: 4
Cipher Suites (1 suite)
Maximum Name Length: 0
Public Name length: 18
Public Name: cloudflare-ech.com
Extensions length: 0
SvcParam: ipv6hint=2606:.......
SvcParamKey: ipv6hint (6)
SvcParamValue length: 32
IP: 2606:.........
IP: 2606:..........
Your wstunnel setup
- client:
./wstunnel client --log-lvl INFO --http-headers='host: example.com' -L 'tcp://1443:127.0.0.1:1443' --http-upgrade-path-prefix "123" --tls-ech-enable --tls-verify-certificate wss://example.com:443
- server:
./wstunnel server wss://0.0.0.0:443 --restrict-http-upgrade-path-prefix "123" --restrict-to "127.0.0.1:4444" --tls-certificate "/opt/ssl/ssl.pem" --tls-private-key "/opt/ssl/ssl.key"
Desktop:
- OS: Debian 12 amd64
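As an added example (not code from the wstunnel project or from the reporter), the following Python decodes HTTPS RR RDATA in the RFC 9460 wire format into SvcPriority, TargetName, alpn, ipv4hint/ipv6hint and the header of the ECHConfig, which is what the dissector output above shows. The sample record it builds is constructed to match the 136-byte layout in the report; documentation-range addresses and a zeroed HPKE public key stand in for the values redacted there.

```python
import struct
import ipaddress

def build_sample_rdata():
    # Constructed 136-byte RDATA shaped like the report's record: documentation-range addresses and a zeroed HPKE key replace the redacted values.
    param = lambda key, value: struct.pack("!HH", key, len(value)) + value
    alpn = b"".join(bytes([len(p)]) + p for p in (b"h3", b"h2"))
    v4 = b"".join(ipaddress.IPv4Address(a).packed for a in ("192.0.2.10", "192.0.2.11"))
    v6 = b"".join(ipaddress.IPv6Address(a).packed for a in ("2001:db8::10", "2001:db8::11"))
    contents = (bytes([241]) + struct.pack("!HH", 32, 32) + bytes(32)  # config_id, KEM X25519, public_key
                + struct.pack("!H", 4) + b"\x00\x01\x00\x01" + b"\x00"  # suite HKDF-SHA256/AES-128-GCM, max_name_len
                + bytes([18]) + b"cloudflare-ech.com" + b"\x00\x00")  # public_name, empty extensions
    ech_config = struct.pack("!HH", 0xFE0D, len(contents)) + contents
    ech_list = struct.pack("!H", len(ech_config)) + ech_config  # ECHConfigList = 2-byte length + configs
    # SvcPriority=1, TargetName="." (a lone 0x00), SvcParams in strictly ascending key order
    return struct.pack("!H", 1) + b"\x00" + param(1, alpn) + param(4, v4) + param(5, ech_list) + param(6, v6)

def parse_echconfig(value):  # header of the first ECHConfig in an ECHConfigList (version 0xfe0d layout)
    version, length = struct.unpack("!HH", value[2:6])
    c = value[6:6 + length]
    config_id, kem_id, pk_len = struct.unpack("!BHH", c[:5])
    suites_len, = struct.unpack("!H", c[5 + pk_len:7 + pk_len])
    pos = 8 + pk_len + suites_len  # past public_key, cipher_suites and maximum_name_length
    public_name = c[pos + 1:pos + 1 + c[pos]].decode("ascii")
    return {"version": version, "config_id": config_id, "kem_id": kem_id, "public_name": public_name}

def parse_https_rdata(rdata):  # HTTPS RR RDATA (RFC 9460 wire format) -> SvcPriority, TargetName, SvcParams
    labels, off = [], 2
    while rdata[off]:  # uncompressed TargetName labels; a lone 0x00 means "." (root)
        labels.append(rdata[off + 1:off + 1 + rdata[off]].decode("ascii"))
        off += 1 + rdata[off]
    out, last_key, off = {"priority": struct.unpack("!H", rdata[:2])[0], "target": ".".join(labels) or "."}, -1, off + 1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        if key <= last_key or off + 4 + length > len(rdata):  # keys not strictly ascending, or truncated value
            raise ValueError("malformed SvcParams")
        value, off, last_key = rdata[off + 4:off + 4 + length], off + 4 + length, key
        if key == 1:  # alpn: 1-byte-length-prefixed protocol ids
            ids, i = [], 0
            while i < length:
                ids.append(value[i + 1:i + 1 + value[i]].decode("ascii"))
                i += 1 + value[i]
            out["alpn"] = ids
        elif key in (4, 6):  # ipv4hint / ipv6hint: packed addresses
            cls, size = (ipaddress.IPv4Address, 4) if key == 4 else (ipaddress.IPv6Address, 16)
            out["ipv4hint" if key == 4 else "ipv6hint"] = [str(cls(value[i:i + size])) for i in range(0, length, size)]
        elif key == 5:  # ech: ECHConfigList
            out["ech"] = parse_echconfig(value)
    return out
```

RFC 9460 section 7.3 treats ipv4hint and ipv6hint only as hints: a client without locally available A/AAAA records for TargetName should still query them and use those addresses for future connections.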