DNS over HTTPS — the tip of a network visibility iceberg

Chris McNab (AlphaSOC)
Jun 24, 2020

There has been a lot of talk in the industry lately about DNS over HTTPS (DoH) and how adversaries use the channel to resolve C2 domains and exfiltrate data via DNS tunneling without detection by the security monitoring in place.

Along with DoH, two additional lesser-known mechanisms provide encrypted DNS resolution online. The trifecta of protocols is as follows:

  • DNS over HTTPS (DoH)
  • DNS over TLS (DoT)
  • DNSCrypt

DoH and DoT operate over TCP ports 443 and 853 respectively by default, and DNSCrypt services commonly run over both TCP and UDP port 443. The three protocols differ in transport and framing but achieve the same goal: DNS queries are carried over an encrypted channel to a server that in turn provides a response.

Chaoyi Lu et al. published a paper at IMC 2019 titled An End-to-End, Large-Scale Measurement of DNS-over-Encryption: How Far Have We Come? that lays out the DNSCrypt, DoT, and DoH timeline and the associated IETF working groups:

https://faculty.sites.uci.edu/zhouli/files/2019/09/imc19.pdf

The visibility challenge is a symptom of a larger problem

Many network sensors and DNS threat-blocking platforms are blind to encrypted services, and this isn't just a DNS problem. Adversaries use a number of methods to bypass detection, including domain fronting via HTTPS into CDN infrastructure, third-party VPN software, anonymizing circuits (e.g. Tor), and remote access tools such as TeamViewer and AnyDesk.

Ultimately, to solve the visibility and enforcement problem it's important to establish choke points (e.g. mandated DNS resolvers within your environment, or a web proxy that all egress traffic is routed through) and block unauthorized channels such as DoH, DoT, DNSCrypt, Tor, I2P, and Freenet.

Policy enforcement technologies

Next-generation firewall products with awareness of particular protocols (e.g. Tor, DoH, NordVPN, and TeamViewer) can in turn enforce policy to block offending sessions. Secure Internet gateway platforms (e.g. Cisco Umbrella) can also be used to channel end-user traffic through a proxy. In both cases, egress network traffic is passed through a control layer where it is inspected and can be blocked in line with policy.

Introducing the AlphaSOC encrypted DNS server feed

To help identify and block encrypted DNS sessions, we have published a feed that can be used to spot DoH, DoT, and DNSCrypt traffic within your environment. We found that other blocklists do not provide port or protocol details, prompting us to create a high-fidelity curated master list of encrypted DNS services online, as below.

https://feeds.alphasoc.net/encrypted_dns.txt

The feed is refreshed daily and the CSV field format is as follows:

  • IP address (IPv4 and IPv6 both supported)
  • Port and protocol (e.g. port 443 over TCP for DoH)
  • Encrypted DNS service (e.g. DoH, DoT, or DNSCrypt)
  • Service operator (such as Cloudflare, BlahDNS, etc.)
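The following added example (not AlphaSOC code, and not the live feed) shows how a feed with these four fields can be put to work at the choke points described earlier: the rows are parsed, egress flow records are matched against them by destination IP, port and protocol, plaintext DNS to anything other than the mandated resolver is flagged as a separate bypass, and the same entries are rendered as nftables drop rules. The column order `ip,port/proto,service,operator`, the `443/tcp` port-and-protocol encoding, the feed rows and the flow records are all constructed for illustration; check the real feed's layout before adapting this.

```python
"""Match egress flow records against an encrypted-DNS server feed.

Added example, not AlphaSOC code. The column order (ip,port/proto,service,
operator), the "443/tcp" encoding, and all sample rows and flows below are
assumptions constructed for illustration; inspect the real feed at
https://feeds.alphasoc.net/encrypted_dns.txt before relying on its layout.
"""
import csv
import ipaddress

# Constructed sample rows in the assumed layout (not taken from the live feed).
SAMPLE_FEED = """\
# ip,port/proto,service,operator
1.1.1.1,443/tcp,DoH,Cloudflare
1.1.1.1,853/tcp,DoT,Cloudflare
2606:4700:4700::1111,443/tcp,DoH,Cloudflare
9.9.9.9,853/tcp,DoT,Quad9
203.0.113.10,443/udp,DNSCrypt,ExampleDNS
203.0.113.10,443/tcp,DNSCrypt,ExampleDNS
"""

# The only resolver clients are allowed to talk to directly (assumed address).
SANCTIONED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}

# Constructed egress flow records, as a firewall or Zeek conn log might yield.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.53", "dport": 53, "proto": "udp"},          # mandated resolver
    {"src": "10.0.0.7", "dst": "1.1.1.1", "dport": 443, "proto": "tcp"},           # DoH
    {"src": "10.0.0.7", "dst": "9.9.9.9", "dport": 853, "proto": "tcp"},           # DoT
    {"src": "10.0.0.8", "dst": "203.0.113.10", "dport": 443, "proto": "udp"},      # DNSCrypt over UDP
    {"src": "10.0.0.9", "dst": "8.8.8.8", "dport": 53, "proto": "udp"},            # plaintext DNS bypass
    {"src": "10.0.0.9", "dst": "198.51.100.20", "dport": 443, "proto": "tcp"},     # ordinary HTTPS
    {"src": "fd00::5", "dst": "2606:4700:4700::1111", "dport": 443, "proto": "tcp"},  # DoH over IPv6
]


def parse_feed(text):
    """Return {(ip, port, proto): (service, operator)} from feed text.

    Comment lines and blank lines are skipped; IPv4 and IPv6 are both accepted.
    """
    rows = (line for line in text.splitlines() if line.strip() and not line.startswith("#"))
    entries = {}
    for row in csv.reader(rows):
        ip, port_proto, service, operator = (field.strip() for field in row)
        port, proto = port_proto.split("/")
        entries[(ipaddress.ip_address(ip), int(port), proto.lower())] = (service, operator)
    return entries


def classify_flow(flow, feed, sanctioned_resolvers):
    """Label one flow: known encrypted-DNS server, plaintext bypass, or None."""
    dst = ipaddress.ip_address(flow["dst"])
    hit = feed.get((dst, flow["dport"], flow["proto"].lower()))
    if hit:
        service, operator = hit
        return f"encrypted-dns:{service}:{operator}"
    # Port 53 to anything but the mandated resolver is its own policy violation.
    if flow["dport"] == 53 and dst not in sanctioned_resolvers:
        return "plaintext-dns-bypass"
    return None


def flag_flows(flows, feed, sanctioned_resolvers):
    """Return (src, dst, verdict) for every flow that violates DNS policy."""
    flagged = []
    for flow in flows:
        verdict = classify_flow(flow, feed, sanctioned_resolvers)
        if verdict:
            flagged.append((flow["src"], flow["dst"], verdict))
    return flagged


def nft_rules(feed):
    """Render feed entries as nftables drop rules, IPv4 before IPv6."""
    rules = []
    for (ip, port, proto), (service, operator) in sorted(
        feed.items(), key=lambda kv: (kv[0][0].version, int(kv[0][0]), kv[0][1], kv[0][2])
    ):
        family = "ip6" if ip.version == 6 else "ip"
        rules.append(f'{family} daddr {ip} {proto} dport {port} drop comment "{service} {operator}"')
    return rules


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    for src, dst, verdict in flag_flows(SAMPLE_FLOWS, feed, SANCTIONED_RESOLVERS):
        print(f"{src} -> {dst}: {verdict}")
    print("\n".join(nft_rules(feed)))
```

Two caveats apply when operationalizing this. A list of known resolver endpoints only catches known resolvers; an adversary can stand up DoH on any HTTPS host they control, so the feed complements, rather than replaces, the choke-point proxy and mandated-resolver controls above. And because the feed is refreshed daily, the parsed entries and generated rules need to be regenerated on the same cadence rather than baked in once.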

About AlphaSOC

AlphaSOC provides deep analysis and alerting of suspicious events. Customers send network telemetry (e.g. firewall, DNS query, and web proxy logs) to our analytics engine, which performs fast multi-dimensional processing to uncover both known and unknown emerging threats. Our integrations for Splunk, Elastic, Corelight, Demisto, and other platforms are free to evaluate for 30 days without restriction.


Chris McNab

Author of Network Security Assessment (O’Reilly Media) and co-founder of AlphaSOC, Inc.