Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Identifying DNS-Over-HTTPS Traffic Without Decryption Possible: Researcher

DNS-over-HTTPS (DoH) traffic can apparently be identified without actually decrypting it, a security researcher has discovered.

The DoH protocol is aimed at improving the overall security of the Internet by using TLS when sending DNS queries and getting DNS responses over HTTP.

DNS-over-HTTPS (DoH) traffic can apparently be identified without actually decrypting it, a security researcher has discovered.

The DoH protocol is aimed at improving the overall security of the Internet by using TLS when sending DNS queries and getting DNS responses over HTTP.

By encrypting DNS traffic and requiring authentication of the server, DoH aims to mitigate both passive surveillance and active redirection attacks. Similar protections are provided via DNS over TLS.

According to Johannes Ullrich, dean of research at the SANS Technology Institute, one could actually identify DoH traffic by observing all traffic to and from a host.

The researcher used Firefox for his experiment, because Mozilla makes it easy to enable DoH — the Internet organization has been working with DoH since 2017 — and because the browser allows the collection of TLS master keys via the SSLKEYLOGFILE environment variable (Chrome allows this as well).

Firefox 71 on Mac, with Cloudflare as a resolver — Mozilla recently also added NextDNS to its Trusted Recursive Resolver (TRR) program — was used for the experiment.

Although not conclusive, especially since it involved the collection of only a few minutes of traffic, the test showed that DoH traffic is actually easy to identify.

After running tcpdump, the researcher launched Firefox and navigated to a few dozen sites. The packet capture file and the SSL Key Logfile were then loaded into Wireshark 3.1.0, which fully supports DoH and HTTP2 (Firefox uses HTTP2 for DoH).

Advertisement. Scroll to continue reading.

“I identified the DoH traffic using the simple display filter ‘dns and tls.’ The entire DoH traffic was confined to a single connection between my host and mozilla.cloudflare-dns.com (2606:4700::6810:f8f9),” the researcher notes.

In this specific case, it was possible to identify the traffic using the hostname, but one could also run their own DoH server.

Further analysis also revealed that the payload length for DoH can be used to identify traffic. DNS queries and responses are normally no larger than a couple of hundred bytes, while HTTPS connections tend to fill the maximum transmission unit (MTU), Ullrich explains.

“In short: if you see long-lasting TLS connections, with payloads that rarely exceed a kByte, you probably got a DoH connection,” the researcher notes.

Some of the artifacts discovered during the experiment might be implementation-specific, but additional testing could surface some more conclusive results, Ullrich also says.

Related: NextDNS to Provide Encrypted DNS Services to Firefox

Related: DNS-over-HTTPS Coming to Firefox

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Karl Triebes has joined Ivanti as Chief Product Officer.

Steven Hernandez has joined USAID as CISO and Deputy CIO.

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.