Controversy over DoH

DNS over HTTPS (DoH) is a protocol for encapsulating DNS requests within an HTTPS connection, for the purpose of increased privacy. Mozilla has championed its use, and in February announced that the protocol will be enabled by default for all US-based users. Last month Chrome made a similar announcement, and Microsoft provided a limited release of the first OS-layer version of DoH support in Win10 (Linux clients have been available for a few years). DoH seems to be slowly gaining ubiquitous acceptance.

DoH is not without controversy. While it does protect the privacy of DNS requests, there are many other ways for activity to be tracked, and far better tools exist for users who wish to remain anonymous.

Hiding From Whom?

DoH only encrypts the connection from the client to the DoH server, which must then resolve the DNS query using traditional protocols and provide the response. Whoever supplies the DoH service can still track requests. The two most popular publicly available servers are operated by Google and Cloudflare.

The Consumer Market

Most residential and consumer ISPs don't actually sniff and track DNS requests; they rely on data that can be mined from their own DNS servers, which are provided as the default in DHCP responses when customers request an IP address. Simply changing the default DNS server won't guarantee DNS privacy, but it will most likely eliminate annoying search results and advertisements served by the ISP.

Enterprise Cybersecurity Impact

Many cybersecurity tools and techniques rely on DNS for detection and mitigation of suspicious activity.

  • Redirection of requests to known malicious addresses
  • Blocking requests to look-alike and punycode domains
  • Blocking requests to recently registered "baby" domains
  • DGA (domain generation algorithm) detection
  • Observation of peculiar DNS patterns (e.g. large TXT records, enormous request volume, or high entropy responses) to detect DNS-based C2 (command and control) traffic and DNS-based data exfiltration
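To make the last three techniques in that list concrete, here is an added example (not code from the original post) that runs three simple heuristics over a handful of constructed DNS query log lines: a random-looking second-level label (DGA-style names), oversized TXT answers, and rapid subdomain churn under one parent domain from a single client (a common tunnelling and exfiltration pattern). The log format, the client addresses and the thresholds are all assumptions chosen for the sample; real deployments would tune the thresholds against their own baseline and use the Public Suffix List rather than the naive two-label domain split used here.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not captured traffic). Fields:
# timestamp client qtype qname answer_bytes
SAMPLE_DNS_LOG = """\
2020-06-01T10:00:01 10.0.0.5 A www.example.com 64
2020-06-01T10:00:02 10.0.0.5 A mail.example.com 64
2020-06-01T10:00:03 10.0.0.9 TXT 7a3f9c1d2e4b5a6f.tunnel.example.net 900
2020-06-01T10:00:04 10.0.0.9 TXT 0c8d7e6f5a4b3c2d.tunnel.example.net 910
2020-06-01T10:00:05 10.0.0.9 TXT b1a2c3d4e5f60718.tunnel.example.net 905
2020-06-01T10:00:06 10.0.0.7 A xkqzvbtrmjwplfhn.com 48
2020-06-01T10:00:07 10.0.0.7 A qwjzxkvbtrpmnfhl.net 48
2020-06-01T10:00:08 10.0.0.5 A www.example.com 64
"""

# Thresholds are illustrative assumptions; tune them against your own baseline.
DGA_MIN_LEN = 12        # second-level labels at least this long ...
DGA_MIN_ENTROPY = 3.5   # ... and this random-looking (bits/char) are flagged
LARGE_TXT_BYTES = 512   # TXT answers larger than a classic UDP DNS payload
CHURN_MIN_LABELS = 3    # distinct subdomains per (client, parent) before flagging


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, client, qtype, qname, size = parts
        yield {"ts": ts, "client": client, "qtype": qtype.upper(),
               "qname": qname, "answer_bytes": int(size)}


def analyze(text):
    """Apply the three heuristics and return findings as a sorted list of
    (rule, client, name) tuples."""
    findings = set()
    churn = defaultdict(set)  # (client, parent domain) -> leftmost labels seen
    for rec in parse_log(text):
        labels = rec["qname"].rstrip(".").lower().split(".")
        # Naive second-level label; a real tool would consult the Public Suffix List.
        sld = labels[-2] if len(labels) >= 2 else labels[0]
        if len(sld) >= DGA_MIN_LEN and shannon_entropy(sld) >= DGA_MIN_ENTROPY:
            findings.add(("dga_like_domain", rec["client"], rec["qname"]))
        if rec["qtype"] == "TXT" and rec["answer_bytes"] > LARGE_TXT_BYTES:
            findings.add(("large_txt_answer", rec["client"], rec["qname"]))
        if len(labels) >= 3:  # there is a subdomain label under a parent
            churn[(rec["client"], ".".join(labels[1:]))].add(labels[0])
    for (client, parent), seen in churn.items():
        if len(seen) >= CHURN_MIN_LABELS:
            findings.add(("subdomain_churn", client, parent))
    return sorted(findings)


if __name__ == "__main__":
    for rule, client, name in analyze(SAMPLE_DNS_LOG):
        print(f"{rule:18} {client:10} {name}")
```

On the sample above, the two sixteen-letter domains from 10.0.0.7 trip the entropy rule, the three TXT answers from 10.0.0.9 trip the size rule, and the same client's three distinct labels under tunnel.example.net trip the churn rule, while the ordinary www/mail lookups stay quiet. The churn threshold is deliberately tiny for an eight-line sample; in production it is the kind of per-client, per-window count a SIEM would aggregate.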

DoH can additionally leak internal hostnames, cause applications to fail (because those internal hostnames won't resolve correctly), and can affect system response time and performance.

Blocking DoH

If DoH is not properly controlled, malicious actors will be more than happy to make use of it.

The best way to block DoH traffic is at the proxy or using a next-gen firewall that can inspect requests and detect the difference between a standard web query and a DoH request. This will prevent users from bypassing DNS controls, and will block any malicious software attempting to obfuscate DNS traffic. It is also possible, though not nearly as effective, to block the addresses of known public DoH resolvers.

It is additionally possible to disable DoH in the OS and browser settings of enterprise devices. Because it is client based, this should not be considered an effective control. It does, however, function as an extra layer of defense and will cut down on unnecessary logs and system noise. Win10 requires several registry keys to be set in order to enable DoH; these can be forced off using group policy. Chrome settings can also be enforced using GPO, and Firefox settings can be enforced with a locked mozilla.cfg file.

If for some reason DoH can't be blocked, or if an organization truly has a need for it, DNS can still be leveraged for threat hunting and malware detection. It is possible to run internal DoH servers. If that is not an option, most browsers are capable of saving DNS logs to a local file, most operating systems can do the same (or send them to syslog or similar), and proxies can be programmed to log requests. Unfortunately most tools don't currently support these formats for retrieval and analysis out of the box.

Detecting DoH

If DoH is disabled, its usage can also be a good indicator of unauthorized activity. IPS/IDS signatures, assuming they can decrypt traffic, may be able to detect devices that are attempting DoH traffic, and with appropriate logging from proxies and firewalls, SIEMs should be able to detect the traffic as well.
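The proxy-level blocking described under "Blocking DoH" and the detection described here both rest on the same observation: once TLS is terminated, a DoH request looks different from an ordinary web request. Per RFC 8484 it is either a GET with a base64url-encoded DNS message in a dns= query parameter or a POST whose Content-Type is application/dns-message. The following added example (not code from the original post) classifies constructed proxy log lines on those two signals and, for the GET form, decodes the embedded DNS message to recover the queried name, which is what a SIEM rule would want to surface. The log format, the resolver hostnames and the client addresses are assumptions; it assumes the proxy already decrypts traffic and records the request line and Content-Type, and it does not cover the vendor-specific JSON API variants.

```python
import base64
import binascii
import struct

DOH_CONTENT_TYPE = "application/dns-message"  # RFC 8484 media type


def build_query(name, qtype=1):
    """Encode a minimal DNS query (RFC 1035 wire format); used only to
    construct the sample log lines below."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id 0, RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def b64url_nopad(data):
    """base64url without '=' padding, as RFC 8484 requires for the dns= parameter."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_dns_param(value):
    """Inverse of b64url_nopad; returns None if the value is not valid base64url."""
    try:
        return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except (binascii.Error, ValueError):
        return None


def question_name(msg):
    """Return the first question's name from a DNS wire message, or None if malformed."""
    if msg is None or len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] == 0:
        return None
    pos, labels = 12, []
    while pos < len(msg):
        length = msg[pos]
        if length == 0:
            return ".".join(labels) if labels else "."
        if length & 0xC0:  # compression pointers are not expected in a question name
            return None
        pos += 1
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return None


def make_sample_log():
    """Constructed proxy log lines (not real captures). Fields:
    client method host path status request-content-type ('-' if none)."""
    q = b64url_nopad(build_query("internal-fileserver.corp.example"))
    return [
        "10.0.0.5 GET www.example.com /index.html 200 -",
        f"10.0.0.7 GET dns.example-resolver.test /dns-query?dns={q} 200 -",
        "10.0.0.9 POST doh.example-resolver.test /dns-query 200 application/dns-message",
        "10.0.0.5 POST api.example.com /dns-query 200 application/json",
    ]


def classify(line):
    """Return (client, reason, queried_name_or_None) if the line looks like DoH, else None."""
    parts = line.split()
    if len(parts) != 6:
        return None
    client, method, _host, target, _status, ctype = parts
    _path, _, query = target.partition("?")
    if method.upper() == "POST" and ctype.lower() == DOH_CONTENT_TYPE:
        return client, "post_dns_message", None
    if method.upper() == "GET":
        for kv in query.split("&"):
            key, _, value = kv.partition("=")
            if key == "dns" and value:
                name = question_name(decode_dns_param(value))
                if name is not None:
                    return client, "get_dns_param", name
    return None


def find_doh(lines):
    """Classify every line and keep only the DoH hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for client, reason, name in find_doh(make_sample_log()):
        print(f"{client:10} {reason:17} {name or '(POST body not logged)'}")
```

Two points follow from the sample. A plain POST to a /dns-query path with a JSON body is not flagged, because the path alone is not a reliable signal; the media type and the dns= parameter are. And the GET form leaks the internal hostname right in the URL, which is the "internal hostnames" exposure mentioned above and a useful thing for a detection rule to extract rather than just count.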

DoH Is Here To Stay

Despite some backlash from the InfoSec community, DoH has been taking off with a solid trajectory. Although the underlying DNS threat hunting techniques don't need to change, teams and products may both need to pivot on how they receive and analyze underlying DNS data.