id: detect-dns-over-https

info:
  name: Detect DNS over HTTPS
  author: geeknik
  severity: info
  description: |
    With DNS over HTTPS (DoH), DNS queries and responses are encrypted and sent via the HTTP or HTTP/2 protocols. DoH ensures that attackers cannot forge or alter DNS traffic. DoH uses port 443, which is the standard HTTPS traffic port, to wrap the DNS query in an HTTPS request. DNS queries and responses are camouflaged within other HTTPS traffic, since it all comes and goes from the same port.
  reference:
    - https://developers.google.com/speed/public-dns/docs/doh/
    - https://developers.cloudflare.com/1.1.1.1/dns-over-https/wireformat
  metadata:
    max-request: 1
  tags: miscellaneous,dns,doh,misc

http:
  - method: GET
    path:
      - "{{BaseURL}}/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"

    headers:
      Accept: application/dns-message

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "application/dns-message"

      - type: regex
        part: header
        regex:
          - "(C|c)ontent-(L|l)ength: 49"

# digest: 490a0046304402207195d648ce176a7848cdcc55a2b83fa36294ce45dc12c4c82caac17d9b7f91360220305b6b979ffa0c0299474ff1ed78c478c9d4a7c06a5a0295098301e352ab2502:922c64590222798bb761d5b6d8e72950