
DoH, DoT and ESNI


A presentation at the Jisc security conference 2019 by Graham Stevens.


  1. DoH, DoT, & ESNI. Graham Stevens
  2. DoH, DoT, & ESNI: DNS over HTTPS, DNS over TLS, Encrypted Server Name Indication. Graham Stevens, 6th November 2019
  3. whoami
     • Graham Stevens
     • Incident Response Consultant
     • gstevens@nettitude.com
     Confidential Information 3
  4. DNS in 60 Seconds (diagram labels: bbc.co.uk, Root, TLD, NS)
  5. What this looks like on the wire
  6. What this looks like on the wire
  7. So what's wrong with that?
     • RFC 1034 & RFC 1035
     • First introduced in 1985.
     • Poor security (no cryptographic signatures on the responses, so could have been tampered with)
     • Poor privacy (everything is in clear text)
  8. So what's wrong with that? (diagram)
     • DNS provider: DNS plaintext over UDP/TCP. DNS query: www.bbc.co.uk. DNS result: 151.101.0.81
     • TLS 1.2 or lower: server_name: www.bbc.co.uk; CommonName: www.bbc.co.uk
     • bbc.co.uk: TLS <= 1.2, HTTP
     • Key: Unencrypted / Encrypted
  9. RFC 8484: DNS over HTTPS (DoH). "RFC 8484 defines a specific protocol, DNS over HTTPS (DoH), for sending DNS [RFC1035] queries and getting DNS responses over HTTP [RFC7540] using https [RFC2818] URIs (and therefore TLS [RFC8446] security for integrity and confidentiality). Each DNS query-response pair is mapped into an HTTP exchange."
  10. That's great but... so what?
     • No more UDP packets.
     • HTTP: a protocol we all know and love.
     • GET & POST both accepted
     • DNS wire-format or JSON
     • Enforced end-to-end encryption with the widely adopted TLS
  11. So what does it look like? GET request:
         :method = GET
         :scheme = https
         :authority = dnsserver.example.net
         :path = /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB
         accept = application/dns-message
  12. So what does it look like? POST request:
         :method = POST
         :scheme = https
         :authority = dnsserver.example.net
         :path = /dns-query
         accept = application/dns-message
         content-type = application/dns-message
         content-length = 33

         <33 bytes represented by the following hex encoding>
         00 00 01 00 00 01 00 00 00 00 00 00 03 77 77 77
         07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00
         01
  13. So what does it look like? Response. This is an example response for a query for the IN AAAA records for "www.example.com" with recursion turned on. The response bears one answer record with an address of 2001:db8:abcd:12:1:2:3:4 and a TTL of 3709 seconds.
         :status = 200
         content-type = application/dns-message
         content-length = 61
         cache-control = max-age=3709

         00 00 81 80 00 01 00 01 00 00 00 00 03 77 77 77
         07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 1c 00
         01 c0 0c 00 1c 00 01 00 00 0e 7d 00 10 20 01 0d
         b8 ab cd 00 12 00 01 00 02 00 03 00 04
  14. So what does it look like? JSON. Request:
         curl -k -H "accept: application/dns-json" "https://dns.google.com/resolve?name=example.com&type=AAAA"
     Response:
         {"Status": 0, "TC": false, "RD": true, "RA": true, "AD": true, "CD": false,
          "Question": [{"name": "example.com.", "type": 28}],
          "Answer": [{"name": "example.com.", "type": 28, "TTL": 6410,
                      "data": "2606:2800:220:1:248:1893:25c8:1946"}]}
  15. RFC 7858: DNS over TLS (DoT). RFC 7858 defines a protocol, DNS over TLS (DoT), for sending DNS [RFC1035] queries and getting DNS responses using TLS [RFC8446] for integrity and confidentiality. Port 853 outbound is required for DoT, similar to how 53 is required for 'classic' DNS.
  16. So what does it look like?
         $ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com example.com
         ;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
         ;; DEBUG: TLS, imported 170 system certificates
         ;; DEBUG: TLS, received certificate hierarchy:
         ;; DEBUG:  #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com
         ;; DEBUG:      SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
         ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
         ;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
         ;; DEBUG: TLS, skipping certificate PIN check
         ;; DEBUG: TLS, The certificate is trusted.
         ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GC
         ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58548
         ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

         ;; EDNS PSEUDOSECTION:
         ;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR
         ;; PADDING: 408 B

         ;; QUESTION SECTION:
         ;; example.com.                 IN      A

         ;; ANSWER SECTION:
         example.com.            2347    IN      A       93.184.216.34
  17. So where does that leave us?
     • DNS is no longer in clear text
     • End-to-end encryption with HTTPS
     • But we still have a privacy leak:
       • ClientHello
       • server_name
  18. Wireshark TLS SNI
  19. Solution: ESNI
  20. So what's wrong with that? (diagram)
     • DNS provider: DNS over HTTPS/TLS. DNS query. DNS result: 151.101.0.81
     • TLS 1.3 with encrypted SNI
     • bbc.co.uk: TLS 1.3, HTTP
     • Key: Unencrypted / Encrypted
  21. Usage as of Today
     DoH
     • Firefox: gradual rollout during 2019/20 in US as default.
     • Chrome: gradual rollout as of Chrome 78, based on current DNS provider.
     • cURL: available since 7.62.0.
         $ curl --doh-url https://dns-server.example.com https://www.example.com
     DoT
     • Android: as of Android Pie (August 2018)
  22. Scary Thoughts... What happens when malware utilises ESNI & DoH? Open-source implementations are already freely available:
     • DNS C2 by SensePost (https://github.com/sensepost/goDoH)
     • DNS C2 for Cobalt Strike (https://github.com/SpiderLabs/DoHC2)
     • Already happening: https://github.com/magisterquis/dnsbotnet
       • Implemented DNS over HTTPS / Domain Fronting in May 2018.
     • dnscat2 (https://github.com/iagox86/dnscat2)
  23. Scary Thoughts... Today! DoH is actively being used by malware today.
     • April 2019: Godlua Backdoor uses DoH for C2 [1]
     • June 2019: reports of Necurs using DoH [2]
     • September 2019: PsiXBot abuses Google's DoH service for C2 [3]
     • October 2019: mimikatz.exe over DoH (TXT records) [4]
     [1] https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/
     [2] https://myonlinesecurity.co.uk/it-looks-like-another-dns-compromise-hack-happening/
     [3] https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module
     [4] https://twitter.com/DidierStevens/status/1152971745428738049
  24. What can we do about it?
     • Block or more aggressively monitor traffic to DNS over HTTPS (DoH) endpoints. If you wish to benefit from some of the security benefits that DoH offers, roll out internal DoH and DNS over TLS (DoT) resolvers and/or carry out secure DNS resolution on the outermost DNS servers of the organisation.
     • Where possible, inspect underlying HTTP exchanges for indicators of DoH use where TLS is stripped for inspection within an organisation, i.e. 'application/dns-json' and 'application/dns-message' content types.
     • Apply heuristic-based or anomaly-based detections of packet sizes, frequency and volume, time based, pattern of life to outgoing traffic.
     • NCSC Factsheet: https://english.ncsc.nl/publications/factsheets/2019/oktober/2/factsheet-dns-monitoring-will-get-harder
  25. What can we do about it?
     • Apply heuristic-based or anomaly-based detections of packet sizes, frequency and volume, time based, pattern of life to outgoing traffic.
     • Possible to utilise Salesforce's JA3 (https://github.com/salesforce/ja3)
     Courtesy of Justin Warner (@sixdub)
  26. Further Reading
     • Encrypted SNI: https://datatracker.ietf.org/doc/draft-ietf-tls-esni/?include_text=1
     • DNS over HTTPS: https://tools.ietf.org/html/rfc8484
     • DNS over TLS: https://tools.ietf.org/html/rfc7858
     • DNS written by hand: https://routley.io/tech/2017/12/28/hand-writing-dns-messages.html
  27. Thank you. Graham Stevens, gstevens@nettitude.com
  28. Thank you. customerservices@jisc.ac.uk, jisc.ac.uk. Graham Stevens, Incident Response Consultant, gstevens@nettitude.com
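The wire-format examples on slides 11 to 13 can be reproduced from first principles, which is the quickest way to see that DoH carries an ordinary DNS message inside an HTTP exchange. The following Python is an added example, not code from the presentation or from RFC 8484: it builds the 33-byte query for www.example.com / A, encodes it as the unpadded base64url value of the `dns=` parameter shown on slide 11, and parses the 61-byte AAAA response from slide 13, including the `c0 0c` name-compression pointer. The only inputs taken from the slides are the hex dumps and the base64url string; the function names and layout are this example's own.

```python
import base64
import ipaddress
import struct

# Taken from slides 11-13 (RFC 8484's worked examples): the 33-byte query for
# www.example.com/A, the 61-byte AAAA response, and the base64url GET parameter.
SLIDE_QUERY_HEX = (
    "00 00 01 00 00 01 00 00 00 00 00 00 03 77 77 77 07 65 78 61 6d 70 6c 65"
    " 03 63 6f 6d 00 00 01 00 01"
)
SLIDE_RESPONSE_HEX = (
    "00 00 81 80 00 01 00 01 00 00 00 00 03 77 77 77 07 65 78 61 6d 70 6c 65"
    " 03 63 6f 6d 00 00 1c 00 01 c0 0c 00 1c 00 01 00 00 0e 7d 00 10 20 01 0d"
    " b8 ab cd 00 12 00 01 00 02 00 03 00 04"
)
SLIDE_GET_PARAM = "AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"

TYPE_A, TYPE_AAAA = 1, 28


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length byte + label), terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0) -> bytes:
    """Single-question query with RD set. RFC 8484 recommends ID 0 for GET so
    that identical questions map to identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_param(wire: bytes) -> str:
    """base64url without '=' padding, as the ?dns= parameter requires."""
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name ends after the first pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(wire: bytes):
    """Return (rcode, [(name, type, ttl, rdata_text), ...]) for the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):  # skip the question section
        _, offset = read_name(wire, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(wire, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", wire[offset:offset + 10])
        offset += 10
        rdata = wire[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            text = str(ipaddress.IPv4Address(rdata))
        elif rtype == TYPE_AAAA and rdlen == 16:
            text = str(ipaddress.IPv6Address(rdata))
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
    return rcode, answers


if __name__ == "__main__":
    q = build_query("www.example.com", TYPE_A)
    print(q == bytes.fromhex(SLIDE_QUERY_HEX))      # True
    print(doh_get_param(q) == SLIDE_GET_PARAM)      # True
    print(parse_response(bytes.fromhex(SLIDE_RESPONSE_HEX)))
```

The same `build_query` output is what a client would send as the body of the POST on slide 12 (content-length 33), and `parse_response` recovers the 2001:db8:abcd:12:1:2:3:4 answer and the 3709-second TTL that the slide 13 `cache-control: max-age` mirrors.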
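Slides 24 and 25 recommend two complementary checks: inspecting HTTP exchanges (where TLS is stripped for inspection) for the `application/dns-message` and `application/dns-json` media types, and applying frequency and volume heuristics to outgoing traffic. The following Python is an added example, not from the presentation: it runs both checks over a constructed JSON proxy log, flagging individual events by media type or DoH-looking path, and separately flagging (source, host) pairs that send many small requests inside a short window, which is the pattern-of-life signal the slides refer to. The log lines, the path hints, the 512-byte size cut-off and the 5-in-60-seconds threshold are all constructed for this example and would need tuning in a real environment.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample of an inspection proxy's JSON log (synthetic, not real traffic).
SAMPLE_LOG = """\
{"ts":"2019-11-06T10:00:00Z","src":"10.0.0.5","host":"dns.google.com","path":"/resolve?name=example.com&type=AAAA","accept":"application/dns-json","content_type":"application/dns-json","bytes":240}
{"ts":"2019-11-06T10:00:01Z","src":"10.0.0.5","host":"dnsserver.example.net","path":"/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB","accept":"application/dns-message","content_type":"application/dns-message","bytes":61}
{"ts":"2019-11-06T10:00:02Z","src":"10.0.0.7","host":"www.bbc.co.uk","path":"/news","accept":"text/html","content_type":"text/html","bytes":51200}
{"ts":"2019-11-06T10:01:00Z","src":"10.0.0.9","host":"cdn.example.org","path":"/u","accept":"*/*","content_type":"application/octet-stream","bytes":80}
{"ts":"2019-11-06T10:01:05Z","src":"10.0.0.9","host":"cdn.example.org","path":"/u","accept":"*/*","content_type":"application/octet-stream","bytes":80}
{"ts":"2019-11-06T10:01:10Z","src":"10.0.0.9","host":"cdn.example.org","path":"/u","accept":"*/*","content_type":"application/octet-stream","bytes":80}
{"ts":"2019-11-06T10:01:15Z","src":"10.0.0.9","host":"cdn.example.org","path":"/u","accept":"*/*","content_type":"application/octet-stream","bytes":80}
{"ts":"2019-11-06T10:01:20Z","src":"10.0.0.9","host":"cdn.example.org","path":"/u","accept":"*/*","content_type":"application/octet-stream","bytes":80}
{"ts":"2019-11-06T10:01:25Z","src":"10.0.0.9","host":"cdn.example.org","path":"/u","accept":"*/*","content_type":"application/octet-stream","bytes":80}
"""

# Media types named on slide 24; path hints are a constructed starting list.
DOH_MEDIA_TYPES = {"application/dns-message", "application/dns-json"}
DOH_PATH_HINTS = ("/dns-query", "/resolve")


def parse_log(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_event(ev):
    """Content-level indicators for a single HTTP exchange."""
    reasons = []
    media = {ev.get("accept", "").lower(), ev.get("content_type", "").lower()}
    if media & DOH_MEDIA_TYPES:
        reasons.append("doh-media-type")
    if ev.get("path", "").split("?", 1)[0].endswith(DOH_PATH_HINTS):
        reasons.append("doh-path")
    return reasons


def rate_findings(events, threshold=5, window_seconds=60, max_bytes=512):
    """Volume heuristic: per (src, host), count small exchanges in a sliding
    window and report pairs whose peak count reaches the threshold."""
    stamps = defaultdict(list)
    for ev in events:
        if ev.get("bytes", 0) <= max_bytes:
            stamps[(ev["src"], ev["host"])].append(
                datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    flagged = {}
    for pair, times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for i, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            flagged[pair] = peak
    return flagged


def analyze(text):
    """Combine both checks; returns per-event reasons and per-pair volume hits."""
    events = parse_log(text)
    return {
        "by_event": [(ev["ts"], ev["src"], ev["host"], classify_event(ev)) for ev in events],
        "rate": rate_findings(events),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ts, src, host, reasons in result["by_event"]:
        if reasons:
            print(ts, src, host, reasons)
    print(result["rate"])  # {('10.0.0.9', 'cdn.example.org'): 6}
```

In the sample, the two exchanges from 10.0.0.5 are caught by the media-type check alone, while the beaconing from 10.0.0.9 uses an innocuous content type and only surfaces through the volume heuristic; running both is what slide 24's "and/or" amounts to in practice. Neither rule sees anything once DoH rides inside TLS that is not stripped, which is the case the NCSC factsheet on slide 24 describes.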
