Custom App-ID for DNS-over-https

Hi community

As you may have noticed DNSSec is extremely slowly getting attention and it even does not improve the users privacy because the dns request are only signed but not encrypted. So other people and companies are searching alternatives to secure DNS requests. One of these alternatives which could already be approved by the IETF in octobet 2018 is DNS-over-HTTPS (DoH). Mozilla already plans to enable DoH by default in the near future with the DoH server of cloudflare. In current versions it is already possible to enable DoH manually in the firefox browser (in about:config you will find the correspondig config entries with the searchstring "trr" (trusted recoursive resolver)),

While DoH is great mainly because of privacy reasons, it might be a risk in companies where the DNS requests are monitored, controlled and with firewalls restricted to the corporate DNS servers. With DoH all existing protections are mostly useless - and also the DNS-proxy and DNS-sinkhole feature in Paloaltofirewalls so far does not know about this new DNS method.

Because of that probably the only option is to block DoH on the firewall to retain existing protections. So I created a custom App-ID with which it is possible to block the existing DoH implementation in Firefox 61, the methods that cloudflare DoH DNS server offers and the DoH IETF draft.

TLS Decryption is (obviously) required to make it work.

This App-ID probably needs some changes and additional signatures in the future, but so far it works do block these requests to force a fallback to traditional DNS requests over an unencrypted UDP connection.

Feel free to improve this App-ID, but if you do so I kindly ask you to post it again here so other can also benefit.

Regards,

Remo

    <application>
      <entry name="dns-over-https">
        <default>
          <port>
            <member>tcp/443</member>
          </port>
        </default>
        <signature>
          <entry name="dns-over-https">
            <and-condition>
              <entry name="And Condition 2">
                <or-condition>
                  <entry name="Or Condition 1">
                    <operator>
                      <pattern-match>
                        <pattern>accept: application/dns-udpwireformat</pattern>
                        <context>http-req-headers</context>
                      </pattern-match>
                    </operator>
                  </entry>
                  <entry name="Or Condition 2">
                    <operator>
                      <pattern-match>
                        <pattern>accept: application/dns-message</pattern>
                        <context>http-req-headers</context>
                      </pattern-match>
                    </operator>
                  </entry>
                  <entry name="Or Condition 3">
                    <operator>
                      <pattern-match>
                        <pattern>accept: application/dns-json</pattern>
                        <context>http-req-headers</context>
                      </pattern-match>
                    </operator>
                  </entry>
                </or-condition>
              </entry>
            </and-condition>
            <scope>protocol-data-unit</scope>
            <order-free>no</order-free>
            <comment>dns-udpwireformat / dns-message / dns-json</comment>
          </entry>
        </signature>
        <subcategory>infrastructure</subcategory>
        <category>networking</category>
        <technology>network-protocol</technology>
        <risk>2</risk>
        <parent-app>web-browsing</parent-app>
        <description>Signature to detect the DoH implementation in firefox, the methods that cloudflare DoH DNS supports and the IETF draft for DoH</description>
      </entry>
    </application>