svcb-inspect
v0.1.0
Published
Resolve and decode DNS HTTPS/SVCB records (RFC 9460), including full ECHConfigList decoding. Zero dependencies.
Maintainers
Readme
svcb-inspect
Resolve and decode DNS HTTPS and SVCB resource records (RFC 9460), including a full ECHConfigList decode (RFC 9849 / Encrypted Client Hello). Zero dependencies, runs over DNS-over-HTTPS, nothing is stored or sent anywhere except your chosen resolver.
Unlike dig HTTPS example.com, which leaves the ech= parameter as an opaque base64 blob, svcb-inspect decodes the ECHConfigList into readable fields (version, KEM, cipher suites, public_name) and prints every SvcParam — or emits machine-readable JSON.
Usage
No install needed:
npx svcb-inspect cloudflare-ech.com
npx svcb-inspect example.com --svcb
npx svcb-inspect cloudflare.com --json
npx svcb-inspect --decode-ech "AEX+DQBBbAAg..." # decode a base64 ECHConfigList offlineExample output:
cloudflare-ech.com [HTTPS] via https://cloudflare-dns.com/dns-query
TTL: 300s
Record #1: priority 1 (service), target .
alpn: h3, h2
ipv4hint: 104.18.10.118, 104.18.11.118
ech:
ECHConfig #1 — ECH (0xfe0d, RFC 9849)
config_id: 3
kem: DHKEM(X25519, HKDF-SHA256)
public_key: 32 bytes
cipher_suites: HKDF-SHA256/AES-128-GCM
public_name: cloudflare-ech.com
ipv6hint: 2606:4700::6812:a76, 2606:4700::6812:b76Options
| Option | Description |
|---|---|
| --type <https\|svcb\|both> | Record type to query (default: https) |
| --svcb | Shorthand for --type svcb |
| --resolver <name\|url> | DoH resolver: cloudflare (default), google, or an https://…/dns-query URL |
| --json | Machine-readable JSON output |
| --ech-only | Print only the decoded ECH block |
| --timeout <ms> | Query timeout (default: 5000) |
| --no-color | Disable ANSI color (also honors NO_COLOR) |
| -h, --help | Show help |
| -v, --version | Show version |
Exit codes: 0 a record was found, 1 no such record / NXDOMAIN, 2 usage or runtime error.
Library
import { lookup, parseSvcbRdata, parseECHConfigList } from "svcb-inspect";
const result = await lookup("cloudflare-ech.com", "HTTPS");
// result.status === "ok" | "nodata" | "nxdomain"
// result.records[].params — decoded SvcParams (alpn, port, ipv4hint, ech, …)parseSvcbRdata(rdata) and parseECHConfigList(bytesOrBase64) are pure functions you can use on raw wire data without any DNS lookup.
Prior art
There are excellent lower-level tools that overlap in scope: dig/kdig, openssl ech, goech, c2FmZQ/ech, and the miekg/dns library. They are mostly Go/C libraries, decode from a base64 string you already hold, or build full ECH clients. svcb-inspect fills a different niche: a friendly, zero-install npm CLI that goes from a bare domain to a fully-decoded HTTPS/SVCB + ECH report (or JSON). Generating ECH configs, opening ECH connections, and DNSSEC validation are intentionally out of scope.
Made by packet.guru
Built alongside packet.guru — free, privacy-first network forensics. Try the hosted ECH checker at packet.guru/web/ech-check and read the deep-dive on Encrypted Client Hello.
Contributing
Issues and PRs welcome. Run npm test and npm run build before submitting.
