DNS-over-HTTPS (DoH) traffic can apparently be identified without actually decrypting it, a security researcher has discovered.
The DoH protocol is aimed at improving the overall security of the Internet by using TLS when sending DNS queries and getting DNS responses over HTTP.
By encrypting DNS traffic and requiring authentication of the server, DoH aims to mitigate both passive surveillance and active redirection attacks. Similar protections are provided via DNS over TLS.
According to Johannes Ullrich, dean of research at the SANS Technology Institute, one could actually identify DoH traffic by observing all traffic to and from a host.
The researcher used Firefox for his experiment, because Mozilla makes it easy to enable DoH — the Internet organization has been working with DoH since 2017 — and because the browser allows the collection of TLS master keys via the SSLKEYLOGFILE environment variable (Chrome allows this as well).
Firefox 71 on Mac, with Cloudflare as a resolver — Mozilla recently also added NextDNS to its Trusted Recursive Resolver (TRR) program — was used for the experiment.
Although not conclusive, especially since it involved the collection of only a few minutes of traffic, the test showed that DoH traffic is actually easy to identify.
After running tcpdump, the researcher launched Firefox and navigated to a few dozen sites. The packet capture file and the SSL Key Logfile were then loaded into Wireshark 3.1.0, which fully supports DoH and HTTP2 (Firefox uses HTTP2 for DoH).
“I identified the DoH traffic using the simple display filter ‘dns and tls.’ The entire DoH traffic was confined to a single connection between my host and mozilla.cloudflare-dns.com (2606:4700::6810:f8f9),” the researcher notes.
In this specific case, it was possible to identify the traffic using the hostname, but one could also run their own DoH server.
Further analysis also revealed that the payload length for DoH can be used to identify traffic. DNS queries and responses are normally no larger than a couple of hundred bytes, while HTTPS connections tend to fill the maximum transmission unit (MTU), Ullrich explains.
“In short: if you see long-lasting TLS connections, with payloads that rarely exceed a kByte, you probably got a DoH connection,” the researcher notes.
Some of the artifacts discovered during the experiment might be implementation-specific, but additional testing could surface some more conclusive results, Ullrich also says.
Related: NextDNS to Provide Encrypted DNS Services to Firefox
Related: DNS-over-HTTPS Coming to Firefox