diff --git a/README.md b/README.md
index 315c268..8e3c81a 100644
--- a/README.md
+++ b/README.md
@@ -51,10 +51,8 @@ Application Options:
 --no-reuse-conn Use a new connection for each query
 --txtconcat Concatenate TXT responses
 --recaxfr Perform recursive AXFR
- -f, --format= Output format (pretty, json, yaml, raw)
- (default: pretty)
- --pretty-ttls Format TTLs in human readable format (default:
- true)
+ -f, --format= Output format (pretty, json, yaml, raw) (default: pretty)
+ --pretty-ttls Format TTLs in human readable format (default: true)
 --color Enable color output
 --question Show question section
 --answer Show answer section (default: true)
@@ -63,14 +61,12 @@ Application Options:
 -S, --stats Show time statistics
 --all Show all sections and statistics
 -w Resolve ASN/ASName for A and AAAA records
- -r, --value Show record values only
- -R, --resolve-ips Resolve PTR records for IP addresses in A and
- AAAA records
+ -r, --short Show record values only
+ -R, --resolve-ips Resolve PTR records for IP addresses in A and AAAA records
 --aa Set AA (Authoritative Answer) flag in query
 --ad Set AD (Authentic Data) flag in query
 --cd Set CD (Checking Disabled) flag in query
- --rd Set RD (Recursion Desired) flag in query
- (default: true)
+ --rd Set RD (Recursion Desired) flag in query (default: true)
 --ra Set RA (Recursion Available) flag in query
 --z Set Z (Zero) flag in query
 --t Set TC (Truncated) flag in query
@@ -80,18 +76,18 @@ Application Options:
 --tls-max-version= Maximum TLS version to use (default: 1.3)
 --tls-next-protos= TLS next protocols for ALPN
 --tls-cipher-suites= TLS cipher suites
+ --tls-client-cert= TLS client certificate file
+ --tls-client-key= TLS client key file
 --http-user-agent= HTTP user agent
 --http-method= HTTP method (default: GET)
 --quic-alpn-tokens= QUIC ALPN tokens (default: doq, doq-i11)
 --quic-no-pmtud Disable QUIC PMTU discovery
 --quic-no-length-prefix Don't add RFC 9250 compliant length prefix
 --dnscrypt-tcp Use TCP for DNSCrypt (default UDP)
- --dnscrypt-udp-size= Maximum size of a DNS response this client can
- sent or receive (default: 0)
+ --dnscrypt-udp-size= Maximum size of a DNS response this client can sent or receive (default: 0)
 --dnscrypt-key= DNSCrypt public key
 --dnscrypt-provider= DNSCrypt provider name
- --default-rr-types= Default record types (default: A, AAAA, NS, MX,
- TXT, CNAME)
+ --default-rr-types= Default record types (default: A, AAAA, NS, MX, TXT, CNAME)
 --udp-buffer= Set EDNS0 UDP size in query (default: 1232)
 -v, --verbose Show verbose log messages
 --trace Show trace log messages
@@ -145,10 +141,7 @@ go install -ldflags="-s -w -X main.version=release"
 ### TLS Decryption
 `q` supports TLS decryption through a key log file generated when
-the `SSLKEYLOGFILE` environment variable is set to the absolute path of a
-writable file.
-
-The generated file may be used by Wireshark to decipher the captured traffic.
+the `SSLKEYLOGFILE` environment variable is set to a file path.
 ### Feature Comparison
diff --git a/cli/flags.go b/cli/flags.go
index 54ffd82..addfb19 100644
--- a/cli/flags.go
+++ b/cli/flags.go
@@ -33,7 +33,7 @@ type Flags struct {
 ShowStats bool `short:"S" long:"stats" description:"Show time statistics"`
 ShowAll bool `long:"all" description:"Show all sections and statistics"`
 Whois bool `short:"w" description:"Resolve ASN/ASName for A and AAAA records"`
- ValueOnly bool `short:"r" long:"value" description:"Show record values only"`
+ ValueOnly bool `short:"r" long:"short" description:"Show record values only"`
 ResolveIPs bool `short:"R" long:"resolve-ips" description:"Resolve PTR records for IP addresses in A and AAAA records"`
 // Header flags
@@ -45,13 +45,15 @@ type Flags struct {
 Zero bool `long:"z" description:"Set Z (Zero) flag in query"`
 Truncated bool `long:"t" description:"Set TC (Truncated) flag in query"`
- // TCP parameters
- TLSNoVerify bool `short:"i" long:"tls-no-verify" description:"Disable TLS certificate verification"`
- TLSServerName string `long:"tls-server-name" description:"TLS server name for host verification"`
- TLSMinVersion string `long:"tls-min-version" description:"Minimum TLS version to use" default:"1.0"`
- TLSMaxVersion string `long:"tls-max-version" description:"Maximum TLS version to use" default:"1.3"`
- TLSNextProtos []string `long:"tls-next-protos" description:"TLS next protocols for ALPN"`
- TLSCipherSuites []string `long:"tls-cipher-suites" description:"TLS cipher suites"`
+ // TLS parameters
+ TLSNoVerify bool `short:"i" long:"tls-no-verify" description:"Disable TLS certificate verification"`
+ TLSServerName string `long:"tls-server-name" description:"TLS server name for host verification"`
+ TLSMinVersion string `long:"tls-min-version" description:"Minimum TLS version to use" default:"1.0"`
+ TLSMaxVersion string `long:"tls-max-version" description:"Maximum TLS version to use" default:"1.3"`
+ TLSNextProtos []string `long:"tls-next-protos" description:"TLS next protocols for ALPN"`
+ TLSCipherSuites []string `long:"tls-cipher-suites" description:"TLS cipher suites"`
+ TLSClientCertificate string `long:"tls-client-cert" description:"TLS client certificate file"`
+ TLSClientKey string `long:"tls-client-key" description:"TLS client key file"`
 // HTTP
 HTTPUserAgent string `long:"http-user-agent" description:"HTTP user agent" default:""`
diff --git a/main.go b/main.go
index 81502b5..ab673cf 100644
--- a/main.go
+++ b/main.go
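Review bot: The description tags on the two added fields do not tell the user that `--tls-client-cert` and `--tls-client-key` only work as a pair — the loader in main.go consults the key flag solely when the certificate flag is set — and the README help listing in this commit mirrors these descriptions verbatim, so `q --help` gives no hint either. Since tls.LoadX509KeyPair reads PEM files, the tags could say so as well, e.g. `TLSClientCertificate string \`long:"tls-client-cert" description:"TLS client certificate file (PEM, requires --tls-client-key)"\`` and `TLSClientKey string \`long:"tls-client-key" description:"TLS client private key file (PEM, requires --tls-client-cert)"\``. The Flags struct begins and ends outside this hunk.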
@@ -444,6 +444,16 @@ All long form (--) flags can be toggled with the dig-standard +[no]flag notation
 CipherSuites: parseTLSCipherSuites(opts.TLSCipherSuites),
 }
+ // TLS client certificate authentication
+ if opts.TLSClientCertificate != "" {
+ cert, err := tls.LoadX509KeyPair(opts.TLSClientCertificate, opts.TLSClientKey)
+ if err != nil {
+ return fmt.Errorf("unable to load client certificate: %s", err)
+ }
+ tlsConfig.Certificates = []tls.Certificate{cert}
+ }
+
+ // TLS secret logging
 if klf := os.Getenv("SSLKEYLOGFILE"); klf != "" {
 log.Warnf("SSLKEYLOGFILE is set! TLS master secrets will be logged.")
 keyLog, err := os.OpenFile(klf, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0666)
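Review bot: Passing `--tls-client-cert` without `--tls-client-key` hands an empty key path to tls.LoadX509KeyPair, so the user sees an opaque file-open error about an empty path wrapped in the new "unable to load client certificate" message, and `--tls-client-key` given alone is silently ignored because the new guard tests only the certificate flag. Validate that the two flags arrive together before loading, and wrap the underlying error with `%w` instead of `%s` so callers can still inspect it with errors.Is/As. The enclosing function begins before this hunk.
```go
	// TLS client certificate authentication; the cert and key flags are only
	// meaningful as a pair, so reject a lone flag before touching the filesystem
	if opts.TLSClientCertificate != "" || opts.TLSClientKey != "" {
		if opts.TLSClientCertificate == "" || opts.TLSClientKey == "" {
			return fmt.Errorf("--tls-client-cert and --tls-client-key must be specified together")
		}
		cert, err := tls.LoadX509KeyPair(opts.TLSClientCertificate, opts.TLSClientKey)
		if err != nil {
			return fmt.Errorf("unable to load client certificate: %w", err)
		}
		tlsConfig.Certificates = []tls.Certificate{cert}
	}
	// … unchanged: SSLKEYLOGFILE key log handling …
```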