Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Identifying DNS-Over-HTTPS Traffic Without Decryption Possible: Researcher

DNS-over-HTTPS (DoH) traffic can apparently be identified without actually decrypting it, a security researcher has discovered.

The DoH protocol is aimed at improving the overall security of the Internet by using TLS when sending DNS queries and getting DNS responses over HTTP.

DNS-over-HTTPS (DoH) traffic can apparently be identified without actually decrypting it, a security researcher has discovered.

The DoH protocol is aimed at improving the overall security of the Internet by using TLS when sending DNS queries and getting DNS responses over HTTP.

By encrypting DNS traffic and requiring authentication of the server, DoH aims to mitigate both passive surveillance and active redirection attacks. Similar protections are provided via DNS over TLS.

According to Johannes Ullrich, dean of research at the SANS Technology Institute, one could actually identify DoH traffic by observing all traffic to and from a host.

The researcher used Firefox for his experiment, because Mozilla makes it easy to enable DoH — the Internet organization has been working with DoH since 2017 — and because the browser allows the collection of TLS master keys via the SSLKEYLOGFILE environment variable (Chrome allows this as well).

Firefox 71 on Mac, with Cloudflare as a resolver — Mozilla recently also added NextDNS to its Trusted Recursive Resolver (TRR) program — was used for the experiment.

Although not conclusive, especially since it involved the collection of only a few minutes of traffic, the test showed that DoH traffic is actually easy to identify.

After running tcpdump, the researcher launched Firefox and navigated to a few dozen sites. The packet capture file and the SSL Key Logfile were then loaded into Wireshark 3.1.0, which fully supports DoH and HTTP2 (Firefox uses HTTP2 for DoH).

“I identified the DoH traffic using the simple display filter ‘dns and tls.’ The entire DoH traffic was confined to a single connection between my host and mozilla.cloudflare-dns.com (2606:4700::6810:f8f9),” the researcher notes.

In this specific case, it was possible to identify the traffic using the hostname, but one could also run their own DoH server.

Further analysis also revealed that the payload length for DoH can be used to identify traffic. DNS queries and responses are normally no larger than a couple of hundred bytes, while HTTPS connections tend to fill the maximum transmission unit (MTU), Ullrich explains.

“In short: if you see long-lasting TLS connections, with payloads that rarely exceed a kByte, you probably got a DoH connection,” the researcher notes.

Some of the artifacts discovered during the experiment might be implementation-specific, but additional testing could surface some more conclusive results, Ullrich also says.

Related: NextDNS to Provide Encrypted DNS Services to Firefox

Related: DNS-over-HTTPS Coming to Firefox

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Cybercrime

A database containing over 235 million unique records of Twitter users is now available for free on the web, cybercrime intelligence firm Hudson Rock...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...