The aim of this post is to explain how DNS Over Https works, what its advantages over the traditional Domain Name System are in terms of user privacy, how it is increasingly exploited by attackers to carry out cyber attacks, and what organizations can do to defend themselves from such attacks.
1. What is DNS Over Https?
DNS over HTTPS (in short: DoH) is a new-generation protocol that allows internet users to perform remote Domain Name System (DNS) resolution over the HTTPS protocol. Compared to traditional DNS, it is generally considered more secure, mainly because it helps protect the privacy of the user. However, almost all ISP and WISP operators have heavily criticised its performance: compared to the traditional and very fast DNS over UDP, it delivers much lower performance.
2. How does DNS Over Https work?
With a traditional DNS, your Internet search works like this:
» You type the web address of the website you want to reach in the address bar of the browser
» The browser sends a request through the Internet in order to retrieve the IP address of the website you have chosen
» The request is sent using a plain text connection, which is not encrypted. This means it is easy for third parties to eavesdrop and see what website you are trying to access.
With DNS Over Https your Internet search works a bit differently: instead of using a plain text connection, the browser sends the website name you typed to a DoH server over an encrypted HTTPS connection. With an encrypted connection, third parties should not be able to peek at what website you want to reach. But the operator of the DoH service, especially if it is a public one, will know the user's preferences and will be able to profile them for marketing and advertising purposes.
2.1 When was DNS Over Https born?
The DNS Over Https protocol is relatively recent. In October 2018 the IETF published the document RFC 8484, which defined the proposed standard. The IETF is the Internet Engineering Task Force, an open international community of network designers, operators and researchers who work on the evolution of the Internet architecture.
Document RFC8484 represents the consensus of the IETF community over the new protocol. As reported by the document: “DoH encrypts DNS traffic and requires authentication of the server. This mitigates both passive surveillance [RFC7258] and active attacks that attempt to divert DNS traffic to rogue servers.”
3. DNS Over Https: does it really mean “increased security”?
As mentioned above, the aim of the DNS Over Https protocol is to increase user privacy and security. But how does it reach this target? Unlike a traditional DNS system, DoH does not send the name lookup to port 53 in a UDP (User Datagram Protocol) or TCP (Transmission Control Protocol) packet.
Rather, the DoH protocol encodes a single DNS query into an HTTP request, using either the HTTPS GET or the HTTPS POST method:
» with the POST method, the body of the HTTP request carries the DNS query;
» with the GET method, the DNS query is carried in a single URL variable named “dns”.
The DNS Over Https protocol encrypts DNS traffic. In this way, both passive surveillance and the manipulation of DNS data by on-path (man-in-the-middle) attackers are mitigated. Moreover, using port 443, which is the default port for Https, and mixing DoH traffic with other Https traffic over the same connection helps deter attempts by third parties to interfere with DNS operations. As a result, DNS traffic analysis also becomes more difficult, at least in theory.
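To make the GET and POST forms concrete, here is an added example (not code from the original post, nor FlashStart's) that builds a DNS wire-format query and wraps it the way RFC 8484 describes: for GET the query goes base64url-encoded, without padding, into the “dns” URL variable; for POST it travels as the request body with the application/dns-message content type. The resolver URL https://dns.example/dns-query and the answer 192.0.2.1 are constructed placeholder values; the response parser is included so the full exchange can be followed offline.

```python
import base64
import struct

# Constructed placeholder resolver; not a real DoH endpoint.
DOH_URL = "https://dns.example/dns-query"
DNS_MESSAGE = "application/dns-message"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS wire-format query (RFC 1035) for `name`.

    The message ID is 0, as RFC 8484 recommends for DoH, so that identical
    queries produce identical HTTP requests and can be cached."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get(name: str) -> dict:
    """GET form: wire-format query, base64url-encoded with padding stripped, in 'dns='."""
    encoded = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")
    return {"method": "GET", "url": f"{DOH_URL}?dns={encoded}",
            "headers": {"Accept": DNS_MESSAGE}, "body": b""}


def doh_post(name: str) -> dict:
    """POST form: the wire-format query is the request body."""
    return {"method": "POST", "url": DOH_URL,
            "headers": {"Accept": DNS_MESSAGE, "Content-Type": DNS_MESSAGE},
            "body": build_query(name)}


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a DNS name, whether written out as labels or as a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer ends the name
            return off + 2
        off += 1 + length


def parse_answer_ips(msg: bytes) -> list:
    """Return the IPv4 addresses carried in the A records of a wire-format response."""
    _, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return ips


def sample_response(name: str, ip: str) -> bytes:
    """Constructed response a resolver might return: one A record, compressed owner name."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    question = build_query(name)[12:]
    rdata = bytes(int(part) for part in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


if __name__ == "__main__":
    print(doh_get("example.com")["url"])
    print(len(doh_post("example.com")["body"]), "byte POST body")
    print(parse_answer_ips(sample_response("example.com", "192.0.2.1")))
```

Note that nothing in the GET URL or the POST body is readable by an on-path observer once it is inside TLS, which is exactly why a network filter that only watches port 53 never sees these lookups.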
Precisely because its transmission is opaque to the network, the DoH service allows users to easily bypass navigation filters (unless specific protection is present on the DoH service itself, which FlashStart provides) and hence be exposed while surfing the web.
Indeed, DoH represents a real problem for network administrators and connectivity managers, who have to completely rethink the security and filtering of Internet access for their users.
Imagine for example a company with 100 workstations, which finds itself with no control whatsoever over Internet navigation. Users will enjoy free access to malicious websites and to unsuitable, violent and often illegal content, and the company will not be able to prevent any of this.
There are well-established procedures and configurations that allow an organization to “force” the classic DNS protocol and set up, within the LAN, a safe name resolution without exposing data outside. However, as of today, governing DoH in the networks of public and private organizations is a very important red flag, strategic for the security of data, infrastructure and users.
4. Moreover…DoH is offering hackers new opportunities
As has by now become customary, as soon as a new protocol, development or application becomes available, attackers start studying the new tool and analysing it to understand whether they can use it to carry out a cyber attack. More than a matter of whether, it is a matter of how: finding a vulnerability in the system and exploiting it to their advantage.
The DNS Over Https protocol has not been an exception to the rule. By now, most organisations have, among their Internet protection systems, an Internet content filter. The Internet content filter maintains deny lists (or blacklists), which contain the details of known malicious domains whose access should be blocked.
So usually, if the DNS request is towards a dangerous website, an alert message is shown to the user. With DoH, however, since DNS requests are encrypted, it becomes much more difficult to identify such dangerous requests, which results in a new security problem. Moreover, the main vulnerabilities nowadays concern web servers: think of the recent “Log4Shell” exploit, which risks compromising the Internet at the global level (more about this here: https://flashstart.com/it/bug-log4j/).
5. The first attacks
5.1 Godlua
The first reported instance of a cyber attack carried out using the DNS Over Https protocol is dated 1 July 2019, nine months after the IETF published its document defining the new standard. The malware's name was Godlua and it exploited DoH in its second and third phases in order to obtain the addresses of its command and control servers.
In this case, the Lua bytecode file stored, in plain text, the name of the DNS TXT record to look up. The malware then sent a request using the DoH protocol to retrieve the contents of that TXT record.
5.2 PsiXBot
Later in 2019, in September, the second case of malware using DoH was identified. The malware's name is PsiXBot. It is actually an older malware, which first came to the attention of the IT community in 2017 and was probably created by a Russian hacker group. PsiXBot was born as a simple trojan and over time evolved into a fully fledged malware, capable of compromising entire networks.
The latest versions of the malware allowed it to activate the webcam and microphone on the computers of users who were playing pornographic content, which is yet another reason why organisations should protect the laptops of their employees with an Internet content filter that stays active also when the device is outside the company network.
PsiXBot contained command-and-control domains, which were encrypted using RC4. In order to retrieve them, it exploited the Google DoH service.
5.3 OilRig
At the end of July 2020 OilRig was the first hacker group identified as using the DoH protocol in its attacks. OilRig used an open-source tool, DNS Exfiltration, to handle, move and exfiltrate data.
6. What can organizations do against DoH attacks?
There are several general measures that companies and organizations can take in order to counter attacks based on the DNS Over Https protocol. These include:
» Control DoH endpoints and the traffic going through them;
» Install internal DoH resolvers, like the new FlashStart “Cloud Box”, which will be available shortly;
» Monitor DoH usage in order to identify the “application/dns-json” or “application/dns-message” content types;
» Check outgoing traffic for abnormal packet sizes.
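The last three measures can be turned into a simple review of proxy or firewall logs. The following is an added example, not code from the original post or from FlashStart, that runs over a few constructed log lines in a made-up key=value format (timestamp, client, method, URL, then accept/content-type and byte counts). It flags DoH traffic by the two content types and by the “/dns-query” path or “dns=” variable, raises an alert when the resolver host is not on an approved list, and flags request bodies larger than 512 bytes, a threshold chosen here as an assumption since a genuine DNS query is normally far smaller. The hosts doh.example and 203.0.113.10 are constructed placeholders.

```python
from urllib.parse import parse_qs, urlsplit

DOH_MEDIA_TYPES = {"application/dns-message", "application/dns-json"}
MAX_QUERY_BYTES = 512  # assumption: a legitimate DoH query body is far smaller than this

# Constructed sample log lines in an invented format; not real traffic.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z 10.0.0.5 GET https://doh.example/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE accept=application/dns-message req_bytes=0 resp_bytes=83",
    "2024-03-01T10:00:02Z 10.0.0.5 POST https://doh.example/dns-query content-type=application/dns-message req_bytes=45 resp_bytes=120",
    "2024-03-01T10:00:03Z 10.0.0.7 GET https://www.example/index.html accept=text/html req_bytes=0 resp_bytes=5120",
    "2024-03-01T10:00:04Z 10.0.0.9 POST https://203.0.113.10/dns-query content-type=application/dns-message req_bytes=2900 resp_bytes=60",
    "2024-03-01T10:00:05Z 10.0.0.9 GET https://203.0.113.10/resolve?name=abc.example&type=TXT accept=application/dns-json req_bytes=0 resp_bytes=410",
]

# Resolvers the organization has deliberately deployed or sanctioned (constructed value).
APPROVED_RESOLVERS = {"doh.example"}


def parse_line(line: str) -> dict:
    """Split one log line into its fixed fields plus the trailing key=value pairs."""
    ts, client, method, url, *pairs = line.split()
    fields = dict(item.split("=", 1) for item in pairs)
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "url": url,
        # POST carries Content-Type, GET carries Accept; either identifies DoH
        "media_type": fields.get("content-type") or fields.get("accept", ""),
        "req_bytes": int(fields.get("req_bytes", 0)),
    }


def doh_indicators(event: dict) -> list:
    """Return which DoH signs a single request shows (empty list = ordinary HTTPS)."""
    parts = urlsplit(event["url"])
    found = []
    if event["media_type"] in DOH_MEDIA_TYPES:
        found.append("doh-media-type")
    if parts.path.endswith("/dns-query") or "dns" in parse_qs(parts.query):
        found.append("doh-path")
    return found


def review(lines: list, approved_hosts: set) -> list:
    """Alert on DoH requests that go to unapproved resolvers or carry oversized queries."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if not doh_indicators(event):
            continue
        host = urlsplit(event["url"]).hostname
        reasons = []
        if host not in approved_hosts:
            reasons.append("unapproved-resolver")
        if event["req_bytes"] > MAX_QUERY_BYTES:
            reasons.append("oversized-query")
        if reasons:
            alerts.append({"client": event["client"], "host": host, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG, APPROVED_RESOLVERS):
        print(alert)
```

Traffic to the approved internal resolver produces no alert even though it is DoH; the two requests from 10.0.0.9 are reported because they reach a resolver nobody sanctioned, and the 2900-byte POST is additionally marked as oversized, the kind of size anomaly the last bullet above refers to. The path and “dns=” heuristics only work on a proxy that sees the decrypted request (for example with TLS inspection); on a plain packet capture, the resolver host seen in the TLS handshake is the only one of these fields that remains visible.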
7. To conclude
The DNS Over Https service allows attackers to hide DNS queries to command-and-control domains. If organizations do not inspect their traffic continuously, attacks that exploit DoH may go unnoticed. A lot of research and development still needs to be done in order to protect organizations and internet users from this emerging and fast-growing threat.
This is why, as of today, using the DoH protocol in professional environments is highly discouraged and is considered dangerous for Internet security. Paul Vixie, one of the founding fathers of several Internet RFCs and of numerous open-source software packages, is also strongly against the use of DoH.
FlashStart is a safe tool to navigate online both on-premise and remotely while working from home.
You can activate the FlashStart® Cloud protection on any sort of Router and Firewall to secure desktop and mobile devices and IoT devices on local networks.