nuclei-templates/http/miscellaneous/detect-dns-over-https.yaml

41 lines
1.3 KiB
YAML
Raw Normal View History

id: detect-dns-over-https
info:
name: Detect DNS over HTTPS
author: geeknik
severity: info
2023-05-30 10:04:03 +00:00
description: |
With DNS over HTTPS (DoH), DNS queries and responses are encrypted and sent via the HTTP or HTTP/2 protocols. DoH ensures that attackers cannot forge or alter DNS traffic. DoH uses port 443, which is the standard HTTPS traffic port, to wrap the DNS query in an HTTPS request. DNS queries and responses are camouflaged within other HTTPS traffic, since it all comes and goes from the same port.
reference:
- https://developers.google.com/speed/public-dns/docs/doh/
- https://developers.cloudflare.com/1.1.1.1/dns-over-https/wireformat
metadata:
max-request: 1
2023-10-14 11:27:55 +00:00
tags: dns,doh,misc
http:
- method: GET
path:
- "{{BaseURL}}/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"
2023-10-14 11:27:55 +00:00
headers:
Accept: application/dns-message
matchers-condition: and
matchers:
- type: status
status:
- 200
2021-11-03 10:11:08 +00:00
- type: word
2021-11-03 10:11:08 +00:00
part: header
words:
- "application/dns-message"
2021-11-03 10:11:08 +00:00
- type: regex
2021-11-03 10:11:08 +00:00
part: header
regex:
- "(C|c)ontent-(L|l)ength: 49"
# digest: 490a0046304402207195d648ce176a7848cdcc55a2b83fa36294ce45dc12c4c82caac17d9b7f91360220305b6b979ffa0c0299474ff1ed78c478c9d4a7c06a5a0295098301e352ab2502:922c64590222798bb761d5b6d8e72950