39 lines
1.3 KiB
YAML
39 lines
1.3 KiB
YAML
id: detect-dns-over-https
|
|
|
|
info:
|
|
name: Detect DNS over HTTPS
|
|
author: geeknik
|
|
severity: info
|
|
description: |
|
|
With DNS over HTTPS (DoH), DNS queries and responses are encrypted and sent via the HTTP or HTTP/2 protocols. DoH ensures that attackers cannot forge or alter DNS traffic. DoH uses port 443, which is the standard HTTPS traffic port, to wrap the DNS query in an HTTPS request. DNS queries and responses are camouflaged within other HTTPS traffic, since it all comes and goes from the same port.
|
|
reference:
|
|
- https://developers.google.com/speed/public-dns/docs/doh/
|
|
- https://developers.cloudflare.com/1.1.1.1/dns-over-https/wireformat
|
|
metadata:
|
|
max-request: 1
|
|
tags: miscellaneous,dns,doh,misc
|
|
|
|
http:
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"
|
|
|
|
headers:
|
|
Accept: application/dns-message
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- "application/dns-message"
|
|
|
|
- type: regex
|
|
part: header
|
|
regex:
|
|
- "(C|c)ontent-(L|l)ength: 49"
|
|
# digest: 4b0a00483046022100b6a282d177b5248871f599737511d414a8c812457fa48d20a44e993e267bd511022100ba5be0d06107ebdc7179bde4fde7325298c6770b43911259ece0521d0b762032:922c64590222798bb761d5b6d8e72950 |