Custom App-ID for DNS-over-https

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Custom App-ID for DNS-over-https

L7 Applicator

Hi community

 

As you may have noticed DNSSec is extremely slowly getting attention and it even does not improve the users privacy because the dns request are only signed but not encrypted. So other people and companies are searching alternatives to secure DNS requests. One of these alternatives which could already be approved by the IETF in octobet 2018 is DNS-over-HTTPS (DoH). Mozilla already plans to enable DoH by default in the near future with the DoH server of cloudflare. In current versions it is already possible to enable DoH manually in the firefox browser (in about:config you will find the correspondig config entries with the searchstring "trr" (trusted recoursive resolver)),

While DoH is great mainly because of privacy reasons, it might be a risk in companies where the DNS requests are monitored, controlled and with firewalls restricted to the corporate DNS servers. With DoH all existing protections are mostly useless - and also the DNS-proxy and DNS-sinkhole feature in Paloaltofirewalls so far does not know about this new DNS method.

 

Because of that probably the only option is to block DoH on the firewall to retain existing protections. So I created a custom App-ID with which it is possible to block the existing DoH implementation in Firefox 61, the methods that cloudflare DoH DNS server offers and the DoH IETF draft.

TLS Decryption is (obviously) required to make it work.

 

This App-ID probably needs some changes and additional signatures in the future, but so far it works do block these requests to force a fallback to traditional DNS requests over an unencrypted UDP connection.

 

Feel free to improve this App-ID, but if you do so I kindly ask you to post it again here so other can also benefit.

 

Regards,

Remo

 

    <application>
      <entry name="dns-over-https">
        <default>
          <port>
            <member>tcp/443</member>
          </port>
        </default>
        <signature>
          <entry name="dns-over-https">
            <and-condition>
              <entry name="And Condition 2">
                <or-condition>
                  <entry name="Or Condition 1">
                    <operator>
                      <pattern-match>
                        <pattern>accept: application/dns-udpwireformat</pattern>
                        <context>http-req-headers</context>
                      </pattern-match>
                    </operator>
                  </entry>
                  <entry name="Or Condition 2">
                    <operator>
                      <pattern-match>
                        <pattern>accept: application/dns-message</pattern>
                        <context>http-req-headers</context>
                      </pattern-match>
                    </operator>
                  </entry>
                  <entry name="Or Condition 3">
                    <operator>
                      <pattern-match>
                        <pattern>accept: application/dns-json</pattern>
                        <context>http-req-headers</context>
                      </pattern-match>
                    </operator>
                  </entry>
                </or-condition>
              </entry>
            </and-condition>
            <scope>protocol-data-unit</scope>
            <order-free>no</order-free>
            <comment>dns-udpwireformat / dns-message / dns-json</comment>
          </entry>
        </signature>
        <subcategory>infrastructure</subcategory>
        <category>networking</category>
        <technology>network-protocol</technology>
        <risk>2</risk>
        <parent-app>web-browsing</parent-app>
        <description>Signature to detect the DoH implementation in firefox, the methods that cloudflare DoH DNS supports and the IETF draft for DoH</description>
      </entry>
    </application>
1 REPLY 1

L7 Applicator

and another App-ID for https DNS Requests goint to dns.google.com. This could also be done easily with URL filtering, but just in case (needs to be a seperate App-ID because the parent App needs to be another one to detect google traffic):

    <application>
      <entry name="dns-over-google">
        <default>
          <port>
            <member>tcp/443</member>
          </port>
        </default>
        <signature>
          <entry name="Google DNS">
            <and-condition>
              <entry name="And Condition 1">
                <or-condition>
                  <entry name="Or Condition 2">
                    <operator>
                      <pattern-match>
                        <qualifier>
                          <entry name="http-method">
                            <value>GET</value>
                          </entry>
                        </qualifier>
                        <pattern>/resolve\?</pattern>
                        <context>http-req-uri-path</context>
                      </pattern-match>
                    </operator>
                  </entry>
                </or-condition>
              </entry>
              <entry name="And Condition 2">
                <or-condition>
                  <entry name="Or Condition 1">
                    <operator>
                      <pattern-match>
                        <pattern>dns\.google\.com</pattern>
                        <context>http-req-host-header</context>
                      </pattern-match>
                    </operator>
                  </entry>
                </or-condition>
              </entry>
            </and-condition>
            <scope>protocol-data-unit</scope>
            <order-free>no</order-free>
          </entry>
        </signature>
        <subcategory>infrastructure</subcategory>
        <category>networking</category>
        <technology>network-protocol</technology>
        <risk>2</risk>
        <parent-app>google-base</parent-app>
        <description>Detection for https DNS Queries to dns.google.com</description>
      </entry>
    </application>
  • 12033 Views
  • 1 replies
  • 7 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!