id: detect-dns-over-https

info:
  name: Detect DNS over HTTPS
  author: geeknik
  severity: info
  description: |
    With DNS over HTTPS (DoH), DNS queries and responses are encrypted and sent via the HTTP or HTTP/2 protocols. DoH ensures that attackers cannot forge or alter DNS traffic. DoH uses port 443, which is the standard HTTPS traffic port, to wrap the DNS query in an HTTPS request. DNS queries and responses are camouflaged within other HTTPS traffic, since it all comes and goes from the same port.
  reference:
    - https://developers.google.com/speed/public-dns/docs/doh/
    - https://developers.cloudflare.com/1.1.1.1/dns-over-https/wireformat
  metadata:
    max-request: 1
  tags: dns,doh,misc

http:
  - method: GET
    path:
      - "{{BaseURL}}/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"

    headers:
      Accept: application/dns-message

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "application/dns-message"

      - type: regex
        part: header
        regex:
          - "(C|c)ontent-(L|l)ength: 49"
# digest: 490a0046304402207195d648ce176a7848cdcc55a2b83fa36294ce45dc12c4c82caac17d9b7f91360220305b6b979ffa0c0299474ff1ed78c478c9d4a7c06a5a0295098301e352ab2502:922c64590222798bb761d5b6d8e72950
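The `dns=` parameter in the template's request is an RFC 8484 GET query: a raw DNS wire-format message, base64url-encoded with the `=` padding stripped. The following Python is an added example, not part of the template or of the nuclei project; all function names and the `192.0.2.1` answer address are constructed here for illustration. It decodes the template's parameter and shows that it is a 33-byte A query for `www.example.com` (transaction ID `0xabcd`, RD set, one question), rebuilds the same parameter from scratch, and then assembles the minimal one-answer response to that query. That response is 12 header bytes + 21 question bytes + a 16-byte answer using a name-compression pointer, i.e. exactly the 49 bytes the template's `Content-Length: 49` regex expects. The same code therefore makes the matcher's limits visible: a resolver that answers with a different record count, an EDNS OPT record or any other change of shape produces a different length and the template reports no match.

```python
import base64
import struct

# The base64url value carried in the template's GET request (copied from the template).
TEMPLATE_DNS_PARAM = "q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"


def b64url_decode(s: str) -> bytes:
    # RFC 8484 strips '=' padding from the dns= parameter; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def encode_name(name: str) -> bytes:
    # DNS wire-format name: length-prefixed labels terminated by a zero byte.
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0xABCD) -> bytes:
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_name(msg: bytes, off: int):
    # Returns (dotted name, offset just past the name); follows compression pointers.
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_query(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = parse_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "flags": flags, "qdcount": qd, "qname": qname,
            "qtype": qtype, "qclass": qclass, "length": len(msg)}


def build_a_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    # Minimal answer: echo the ID, set QR|RD|RA, copy the question verbatim,
    # then one A record whose owner name is a pointer (0xc00c) to offset 12.
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = query[12:]
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_response(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = parse_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:        # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": txid, "flags": flags, "answers": answers, "length": len(msg)}


if __name__ == "__main__":
    query = b64url_decode(TEMPLATE_DNS_PARAM)
    print("query:", parse_query(query))
    # Constructed answer address (TEST-NET-1), not a real resolution result.
    response = build_a_response(query, "192.0.2.1")
    print("response:", parse_response(response))
```

Running the block prints the decoded question and a 49-byte constructed response; `parse_query(query)["length"]` is 33 and `len(build_a_response(query, ...))` is 49, which is where the template's fixed-length regex comes from.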