DNS-over-HTTPS (DoH) traffic can be identified without decrypting it, a security researcher has found.
DoH is meant to improve Internet security by carrying DNS queries and responses over HTTPS, so that they are protected by TLS.
It aims to counter both passive monitoring and active redirection attacks: the DNS data is encrypted, and the client can authenticate the resolver it is talking to. DNS over TLS (DoT) provides similar protections.
DoH traffic can in fact be identified by analyzing the traffic patterns to and from a host, according to Johannes Ullrich, Dean of Research at the SANS Technology Institute.
For the experiment, Ullrich used Firefox, because Mozilla makes DoH easy to enable (the browser maker has been working on DoH since 2017) and because the browser can export its TLS session keys through the SSLKEYLOGFILE environment variable, which lets Wireshark decrypt the captured traffic (Chrome supports this as well).
The test ran Firefox 71 on macOS with Cloudflare as the DoH resolver. Mozilla has also recently added NextDNS to its Trusted Recursive Resolver (TRR) program.
Although not definitive, particularly since only a few minutes of traffic were captured, the test showed that DoH traffic is fairly easy to identify.
The researcher started tcpdump, launched Firefox and visited a few dozen sites. The resulting capture file was loaded into Wireshark 3.1.0, which fully supports DoH and HTTP/2 (Firefox requires HTTP/2 for DoH).
“I identified the DoH traffic using the simple display filter ‘dns and tls.’ The entire DoH traffic was confined to a single connection between my host and mozilla.cloudflare-dns.com (2606:4700::6810:f8f9),” the researcher notes.
In this case the traffic could be identified by the resolver's hostname, but that check fails against someone running their own DoH server.
Further analysis showed that the traffic can also be identified from the DoH payload sizes. DNS queries and responses are usually no larger than a few hundred bytes, whereas ordinary HTTPS connections tend to carry packets that fill the maximum transmission unit (MTU), Ullrich explains.
“In short: if you see long-lasting TLS connections, with payloads that rarely exceed a kByte, you probably got a DoH connection,” the researcher notes.
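The two checks described above (matching the resolver hostname, and flagging long-lived TLS connections whose payloads rarely exceed a kilobyte) can be combined into a simple flow classifier. The following Python is an added example written for this article, not Ullrich's code or a tool mentioned in it. It assumes TLS application-data records have already been extracted from a capture with their timestamp, 5-tuple, SNI and payload length; the resolver list, the thresholds (60 seconds, 1024 bytes, 5% oversized records) and the sample traffic are all constructed here for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumption: a short list of public DoH resolver hostnames. A real deployment
# would maintain its own list; this is the hostname check from the article.
KNOWN_DOH_HOSTS = {
    "mozilla.cloudflare-dns.com",
    "dns.google",
    "dns.nextdns.io",
}


@dataclass(frozen=True)
class TlsSegment:
    """One TLS application-data record seen on the wire (constructed input)."""
    ts: float          # capture timestamp, seconds
    src: str
    sport: int
    dst: str
    dport: int
    sni: str           # server name from the ClientHello; "" on later records
    payload_len: int   # TLS record payload length in bytes


def group_flows(segments):
    """Group records by 5-tuple (client->server direction), ordered by time."""
    flows = defaultdict(list)
    for seg in sorted(segments, key=lambda s: s.ts):
        flows[(seg.src, seg.sport, seg.dst, seg.dport)].append(seg)
    return flows


def classify_flow(segs, min_duration=60.0, max_payload=1024, big_ratio=0.05):
    """Label one flow: known resolver hostname first, then the size heuristic.

    The size heuristic flags a connection that lives at least min_duration
    seconds and in which at most big_ratio of the records exceed max_payload
    bytes, i.e. "long-lasting TLS connections with payloads that rarely
    exceed a kByte". Thresholds are assumptions, not values from the article.
    """
    sni = next((s.sni for s in segs if s.sni), "")
    if sni in KNOWN_DOH_HOSTS:
        return "doh-by-hostname"
    sizes = [s.payload_len for s in segs]
    duration = segs[-1].ts - segs[0].ts
    big = sum(1 for n in sizes if n > max_payload) / len(sizes)
    if duration >= min_duration and big <= big_ratio:
        return "doh-by-size-heuristic"
    return "other-tls"


def detect_doh(segments):
    """Return {5-tuple: label} for every flow in the record list."""
    return {flow: classify_flow(segs) for flow, segs in group_flows(segments).items()}


def sample_capture():
    """Constructed traffic covering four TLS connections (not real capture data)."""
    segs = []
    # Flow A: Firefox talking to mozilla.cloudflare-dns.com for ~5 minutes,
    # small query/answer records. The IPv6 address is the one the article quotes.
    for i in range(40):
        segs.append(TlsSegment(i * 7.5, "2001:db8::10", 51000, "2606:4700::6810:f8f9", 443,
                               "mozilla.cloudflare-dns.com" if i == 0 else "",
                               80 + (i * 37) % 400))
    # Flow B: a private DoH server (hypothetical doh.example.net). The SNI is not
    # on the list, so only the duration/size heuristic can catch it.
    for i in range(60):
        segs.append(TlsSegment(i * 5.0, "192.0.2.10", 51001, "198.51.100.7", 443,
                               "doh.example.net" if i == 0 else "",
                               120 + (i * 53) % 500))
    # Flow C: an ordinary page load: short-lived, mostly MTU-sized records.
    for i in range(200):
        segs.append(TlsSegment(i * 0.02, "192.0.2.10", 51002, "203.0.113.5", 443,
                               "www.example.com" if i == 0 else "",
                               1400 if i % 10 else 300))
    # Flow D: a long-lived video stream: long duration but large records, so not DoH.
    for i in range(300):
        segs.append(TlsSegment(i * 1.0, "192.0.2.10", 51003, "203.0.113.9", 443,
                               "video.example.org" if i == 0 else "", 1380))
    return segs


if __name__ == "__main__":
    for flow, label in detect_doh(sample_capture()).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {label}")
```

Flow B is the interesting case: it is labelled only by the size heuristic, which is what the hostname check misses. The heuristic is deliberately loose and will also match other chatty, long-lived TLS sessions such as push channels or chat keepalives, so a hit is a lead for analysts rather than a verdict, which matches the article's caveat that the findings are not yet definitive. If decryption keys are available, the Wireshark display filter the researcher used ("dns and tls", or `tshark -Y 'dns and tls'` on the command line) confirms a candidate directly.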
Some of the artifacts seen during the test may be specific to this implementation, and more definitive findings will require additional testing, Ullrich adds.