Jisc, profile picture
Uploaded byJisc
PPTX, PDF2,051 views

DoH, DoT and ESNI

The document discusses DNS over HTTPS (DoH), DNS over TLS (DoT), and Encrypted Server Name Indication (ESNI). It explains that DoH and DoT encrypt DNS queries and responses for increased privacy and security compared to traditional DNS. However, ESNI is also discussed as a solution to further improve privacy by encrypting the server name in the TLS handshake. Concerns about the potential use of these protocols by malware for command and control are also raised.

Embed presentation

Downloaded 40 times
DoH, DoT, & ESNI Graham Stevens
DoH, DoT, & ESNI DNS over HTTPS DNS over TLS EncryptedServer NameIndication GrahamStevens–6th November2019
whoami • Graham Stevens • IncidentResponse Consultant • gstevens@nettitude.com ConfidentialInformation 3
DNS in 60 Seconds ConfidentialInformation 4 bbc.co.uk Root TLD NS
What this looks like on the wire ConfidentialInformation 5
What this looks like on the wire ConfidentialInformation 6
So what’s wrong with that? ConfidentialInformation 7 • RFC 1034 &RFC 1035 • Firstintroducedin1985. • Poorsecurity(no cryptographicsignaturesonthe responses,socould havebeen tamperedwith) • Poorprivacy(Everythingisincleartext)
So what’s wrong with that? ConfidentialInformation 8 DNSProvider DNS PlaintextoverUDP/TCP DNSQuery www.bbc.co.uk 151.101.0.81 server_name: www.bbc.co.uk CommonName: www.bbc.co.uk TLS1.2 Orlower bbc.co.uk TLS<= 1.2 HTTP Unencrypted Encrypted DNSResult
RFC8484: DNS over HTTPS (DoH) RFC8484 Confidential Information 9 RFC8484 defines a specific protocol, DNS over HTTPS (DoH), for sending DNS [RFC1035] queries and getting DNS responses over HTTP [RFC7540] using https [RFC2818] URIs (and therefore TLS [RFC8446] security for integrity and confidentiality). Each DNS query- response pair is mapped into an HTTP exchange.
That’s great but… so what? ConfidentialInformation 10 • NomoreUDPpackets. • HTTP– A protocolwe allknow and love. • GET &POST bothaccepted • DNSwire-formatorJSON • Enforcedend-to-end encryptionwiththe widelyadoptedTLS
So what does it look like? ConfidentialInformation 11 GET Request :method = GET :scheme = https :authority = dnsserver.example.net :path = /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB accept = application/dns-message
So what does it look like? ConfidentialInformation 12 POSTRequest :method = POST :scheme = https :authority = dnsserver.example.net :path = /dns-query accept = application/dns-message content-type = application/dns-message content-length = 33 <33 bytes represented by the following hex encoding> 00 00 01 00 00 01 00 00 00 00 00 00 03 77 77 77 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01
So what does it look like? ConfidentialInformation 13 Response This is an example response for a query for the IN AAAA records for "www.example.com" with recursion turned on. The response bears one answer record with an address of 2001:db8:abcd:12:1:2:3:4 and a TTL of 3709 seconds. :status = 200 content-type = application/dns-message content-length = 61 cache-control = max-age=3709 00 00 81 80 00 01 00 01 00 00 00 00 03 77 77 77 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 1c 00 01 c0 0c 00 1c 00 01 00 00 0e 7d 00 10 20 01 0d b8 ab cd 00 12 00 01 00 02 00 03 00 04
So what does it look like? JSON ConfidentialInformation 14 Request curl -k -H "accept: application/dns-json" https://dns.google.com/resolve?name=example.com&type=AAAA Response {"Status": 0,"TC": false,"RD": true,"RA": true,"AD": true,"CD": false,"Question":[ {"name": "example.com.","type": 28}],"Answer":[ {"name": "example.com.","type": 28,"TTL": 6410,"data": "2606:2800:220:1:248:1893:25c8:1946"}]}
RFC7858: DNS over TLS (DoT) RFC7858 Confidential Information 15 RFC7858 defines a protocol, DNS over TLS (DoT), for sending DNS [RFC1035] queries and getting DNS responses using TLS [RFC8446] for integrity and confidentiality. Port 853 outbound is required for DoT, similar to how 53 is required for ‘classic’ DNS.
So what does it look like? ConfidentialInformation 16 $ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com example.com ;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP) ;; DEBUG: TLS, imported 170 system certificates ;; DEBUG: TLS, received certificate hierarchy: ;; DEBUG: #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com ;; DEBUG: SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA ;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw= ;; DEBUG: TLS, skipping certificate PIN check ;; DEBUG: TLS, The certificate is trusted. ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GC ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58548 ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1 ;; EDNS PSEUDOSECTION: ;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR ;; PADDING: 408 B ;; QUESTION SECTION: ;; example.com. IN A ;; ANSWER SECTION: example.com. 2347 IN A 93.184.216.34
So where does that leave us? • DNSis no longer is clear text • End-to-end encryptionwith HTTPS • But we still havea privacy leak: • ClientHello • server_name ConfidentialInformation 17
Wireshark TLS SNI ConfidentialInformation 18
Solution: ESNI ConfidentialInformation 19
So what’s wrong with that? ConfidentialInformation 20 DNSProvider DNS OverHTTPS/TLS DNSQuery 151.101.0.81 TLS1.3 WithencryptedSNI bbc.co.uk TLS1.3 HTTP Unencrypted Encrypted DNSResult
Usage as of Today ConfidentialInformation 21 DoH Firefox –Gradualrolloutduring2019/20 inUSasdefault. Chrome –Gradualrollout asofChrome78, basedoncurrentDNSprovider. cURL –Availablesince7.62.0. $ curl --doh-url https://dns-server.example.com https://www.example.com DoT Android –As ofAndroidPie (August 2018)
Scary Thoughts… ConfidentialInformation 22 What happenswhenmalware utilisesESNI &DoH? Open-sourceimplementationsarealreadyfreelyavailable: • DNSC2 by Sensepost(https://github.com/sensepost/goDoH) • DNSC2 for CobaltStrike (https://github.com/SpiderLabs/DoHC2) • Alreadyhappening: https://github.com/magisterquis/dnsbotnet • ImplementedDNSoverHTTPS/DomainFrontinginMay2018. • dnscat2:(https://github.com/iagox86/dnscat2)
Scary Thoughts… Today! ConfidentialInformation 23 DoHisactivelybeingusedby malwaretoday. • April2019 –Godlua Backdoor usesDoHforC21 • June 2019 – ReportsofNecursusingDoH2 • September2019 – PsiXBotabusesGoogle’s DoHServiceforC23 • October2019 – mimikatz.exe overDoH(TXTrecords)4 1 https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/ 2 https://myonlinesecurity.co.uk/it-looks-like-another-dns-compromise-hack-happening/ 3 https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module 4 https://twitter.com/DidierStevens/status/1152971745428738049
What can we do about it? ConfidentialInformation 24 • Blockormoreaggressivelymonitortrafficto DNSoverHTTPS(DoH)endpoints.If youwishtobenefitfromsomeofthe security benefitsthat DoHoffers,rollout internalDoH,DNSoverTLS(DoT) resolversand/orcarryout secureDNSresolutiononthe outermostDNSserversofthe organisation. • WherepossibleinspectunderlyingHTTP exchangesforindicatorsof DoHusewhereTLSisstrippedforinspectionwithinan organisation.i.e. 'application/dns-json','application/dns-message'contenttypes. • Apply heuristicbasedoranomaly-baseddetectionsofpacket sizes,frequencyand volume,timebased,patternoflifetooutgoing traffic. • NCSC Factsheet • https://english.ncsc.nl/publications/factsheets/2019/oktober/2/factsheet-dns-monitoring-will-get-harder
What can we do about it? ConfidentialInformation 25 • Apply heuristicbasedoranomaly-baseddetectionsofpacketsizes,frequencyandvolume,timebased,patternoflifeto outgoing traffic. • Possibletoutilise Saleforce’sJA3 (https://github.com/salesforce/ja3) CourtesyofJustinWarner(@sixdub)
Further Reading ConfidentialInformation 26 • EncryptedSNI • https://datatracker.ietf.org/doc/draft-ietf-tls-esni/?include_text=1 • DNSoverHTTPS • https://tools.ietf.org/html/rfc8484 • DNSoverTLS • https://tools.ietf.org/html/rfc7858 • DNSwrittenbyhand • https://routley.io/tech/2017/12/28/hand-writing-dns-messages.html
Thank you Graham Stevens gstevens@nettitude.com Confidential Information 27
Thank you customerservices@jisc.ac.uk jisc.ac.uk Graham Stevens Incident Response Consultant gstevens@nettitude.com

More Related Content

PDF
Cruise Control: Effortless management of Kafka clusters
byPrateek Maheshwari
 
PDF
【TECH×GAME COLLEGE#32】ゼロからリアルタイムサーバーを作るまで
bytechgamecollege
 
PDF
マイクロサービスバックエンドAPIのためのRESTとgRPC
bydisc99_
 
PDF
TLS 1.3 と 0-RTT のこわ〜い話
byKazuho Oku
 
PDF
A Deep Dive into Kafka Controller
byconfluent
 
PPTX
OVN 設定サンプル | OVN config example 2015/12/27
byKentaro Ebisawa
 
PDF
TLS, HTTP/2演習
byshigeki_ohtsu
 
PPTX
ライブストリーミング低遅延化の取り組み @ DeNA
byakirahiguchi
 
Cruise Control: Effortless management of Kafka clusters
byPrateek Maheshwari
 
【TECH×GAME COLLEGE#32】ゼロからリアルタイムサーバーを作るまで
bytechgamecollege
 
マイクロサービスバックエンドAPIのためのRESTとgRPC
bydisc99_
 
TLS 1.3 と 0-RTT のこわ〜い話
byKazuho Oku
 
A Deep Dive into Kafka Controller
byconfluent
 
OVN 設定サンプル | OVN config example 2015/12/27
byKentaro Ebisawa
 
TLS, HTTP/2演習
byshigeki_ohtsu
 
ライブストリーミング低遅延化の取り組み @ DeNA
byakirahiguchi
 

What's hot

PDF
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
PDF
End-To-End Performance Testing, Profiling, and Analysis at Redis
byScyllaDB
 
PDF
Grafana LokiではじめるKubernetesロギングハンズオン(NTT Tech Conference #4 ハンズオン資料)
byNTT DATA Technology & Innovation
 
PDF
IPv6 を始めてみた
bymiki koganei
 
PDF
OSMC 2022 | The Power of Metrics, Logs & Traces with Open Source by Emil-Andr...
byNETWAYS
 
PPT
PCD - Process control daemon
byhaish
 
PPTX
Nmap 9つの真実
byabend_cve_9999_0001
 
PDF
Using GTP on Linux with libgtpnl
byKentaro Ebisawa
 
PDF
카프카, 산전수전 노하우
byif kakao
 
PDF
"SRv6の現状と展望" ENOG53@上越
byKentaro Ebisawa
 
PPT
State of Security: Apache Spark & Apache Zeppelin
byDataWorks Summit/Hadoop Summit
 
PPT
Distributed File Systems
byawesomesos
 
PDF
DNS再入門
byTakashi Takizawa
 
PDF
Linux Profiling at Netflix
byBrendan Gregg
 
PDF
Ethernetの受信処理
byTakuya ASADA
 
PDF
HTTP/2 入門
byYahoo!デベロッパーネットワーク
 
PDF
Kvm performance optimization for ubuntu
bySim Janghoon
 
PDF
cLoki: Like Loki but for ClickHouse
byAltinity Ltd
 
ODP
Iocage
byYuichiro Naito
 
PDF
WebブラウザでP2Pを実現する、WebRTCのAPIと周辺技術
byYoshiaki Sugimoto
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
End-To-End Performance Testing, Profiling, and Analysis at Redis
byScyllaDB
 
Grafana LokiではじめるKubernetesロギングハンズオン(NTT Tech Conference #4 ハンズオン資料)
byNTT DATA Technology & Innovation
 
IPv6 を始めてみた
bymiki koganei
 
OSMC 2022 | The Power of Metrics, Logs & Traces with Open Source by Emil-Andr...
byNETWAYS
 
PCD - Process control daemon
byhaish
 
Nmap 9つの真実
byabend_cve_9999_0001
 
Using GTP on Linux with libgtpnl
byKentaro Ebisawa
 
카프카, 산전수전 노하우
byif kakao
 
"SRv6の現状と展望" ENOG53@上越
byKentaro Ebisawa
 
State of Security: Apache Spark & Apache Zeppelin
byDataWorks Summit/Hadoop Summit
 
Distributed File Systems
byawesomesos
 
DNS再入門
byTakashi Takizawa
 
Linux Profiling at Netflix
byBrendan Gregg
 
Ethernetの受信処理
byTakuya ASADA
 
HTTP/2 入門
byYahoo!デベロッパーネットワーク
 
Kvm performance optimization for ubuntu
bySim Janghoon
 
cLoki: Like Loki but for ClickHouse
byAltinity Ltd
 
Iocage
byYuichiro Naito
 
WebブラウザでP2Pを実現する、WebRTCのAPIと周辺技術
byYoshiaki Sugimoto
 

Similar to DoH, DoT and ESNI

PDF
NZNOG 2020: DOH
byAPNIC
 
PDF
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
byAPNIC
 
PDF
DNS over HTTPS
byDaniel Stenberg
 
PDF
IoT Secure Bootsrapping : ideas
byJean-Baptiste Trystram
 
PDF
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
byMITRE - ATT&CKcon
 
PDF
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
byDTM Security
 
PPTX
ION Sri Lanka - DANE: The Future of TLS
byDeploy360 Programme (Internet Society)
 
PDF
An Introduction to DANE - Securing TLS using DNSSEC
byCarlos Martinez Cagnazzo
 
PDF
Computer network (4)
byNYversity
 
PDF
DANE and Application Uses of DNSSEC
byShumon Huque
 
PDF
Encrypted DNS - DNS over TLS / DNS over HTTPS
byAlex Mayrhofer
 
PPTX
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
byDeploy360 Programme (Internet Society)
 
PDF
How to send DNS over anything encrypted
byMen and Mice
 
PDF
DNS Over HTTPS by Michael Casadevall
byGlenn McKnight
 
PDF
getdns PyCon presentation
byMelinda Shore
 
PDF
TLS
byDaniel Stenberg
 
PDF
Evolving HTTP and making things QUIC
byNatasha Rooney
 
PPTX
Understanding DNS Security
byNihal Pasham, CISSP
 
PPTX
IGF 2023: DNS Privacy
byAPNIC
 
PPTX
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
byDeploy360 Programme (Internet Society)
 
NZNOG 2020: DOH
byAPNIC
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
byAPNIC
 
DNS over HTTPS
byDaniel Stenberg
 
IoT Secure Bootsrapping : ideas
byJean-Baptiste Trystram
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
byMITRE - ATT&CKcon
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
byDTM Security
 
ION Sri Lanka - DANE: The Future of TLS
byDeploy360 Programme (Internet Society)
 
An Introduction to DANE - Securing TLS using DNSSEC
byCarlos Martinez Cagnazzo
 
Computer network (4)
byNYversity
 
DANE and Application Uses of DNSSEC
byShumon Huque
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
byAlex Mayrhofer
 
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
byDeploy360 Programme (Internet Society)
 
How to send DNS over anything encrypted
byMen and Mice
 
DNS Over HTTPS by Michael Casadevall
byGlenn McKnight
 
getdns PyCon presentation
byMelinda Shore
 
TLS
byDaniel Stenberg
 
Evolving HTTP and making things QUIC
byNatasha Rooney
 
Understanding DNS Security
byNihal Pasham, CISSP
 
IGF 2023: DNS Privacy
byAPNIC
 
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
byDeploy360 Programme (Internet Society)
 

More from Jisc

PPTX
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
PPTX
Understanding the digital experience of FE teaching staff in 2024/25
byJisc
 
PPTX
Osmosis webinar presentation Nov 2025:Empowering UK Nursing Education
byJisc
 
PPTX
Strengthening open access through collaboration: building connections with OP...
byJisc
 
PPTX
Andrew-Brown-JUSP-showcase-20240730.pptx
byJisc
 
PPTX
JUSP Showcase - Rebuilding Data presentation
byJisc
 
PPTX
Adobe Express Engagement Webinar (Delegate).pptx
byJisc
 
PPTX
FE Accessibility training matrix partnership - information session
byJisc
 
PPTX
Procuring a research management system: why is it so hard?
byJisc
 
PPTX
Adobe Express Engagement Webinar (Delegate).pptx
byJisc
 
PPTX
How libraries can support authors with open access requirements for UKRI fund...
byJisc
 
PPTX
Supporting (UKRI) OA monographs at Salford.pptx
byJisc
 
PPTX
The approach at University of Liverpool.pptx
byJisc
 
PPTX
Jisc's value to HE: the University of Sheffield
byJisc
 
PPTX
Towards a code of practice for AI in AT.pptx
byJisc
 
PPTX
Jamworks pilot and AI at Jisc (20/03/2024)
byJisc
 
PPTX
Wellbeing inclusion and digital dystopias.pptx
byJisc
 
PPTX
Accessible Digital Futures project (20/03/2024)
byJisc
 
PPTX
Procuring digital preservation CAN be quick and painless with our new dynamic...
byJisc
 
PPTX
International students’ digital experience: understanding and mitigating the ...
byJisc
 
Jisc Equipment Data Service Update Workshop 3 December 2025
byJisc
 
Understanding the digital experience of FE teaching staff in 2024/25
byJisc
 
Osmosis webinar presentation Nov 2025:Empowering UK Nursing Education
byJisc
 
Strengthening open access through collaboration: building connections with OP...
byJisc
 
Andrew-Brown-JUSP-showcase-20240730.pptx
byJisc
 
JUSP Showcase - Rebuilding Data presentation
byJisc
 
Adobe Express Engagement Webinar (Delegate).pptx
byJisc
 
FE Accessibility training matrix partnership - information session
byJisc
 
Procuring a research management system: why is it so hard?
byJisc
 
Adobe Express Engagement Webinar (Delegate).pptx
byJisc
 
How libraries can support authors with open access requirements for UKRI fund...
byJisc
 
Supporting (UKRI) OA monographs at Salford.pptx
byJisc
 
The approach at University of Liverpool.pptx
byJisc
 
Jisc's value to HE: the University of Sheffield
byJisc
 
Towards a code of practice for AI in AT.pptx
byJisc
 
Jamworks pilot and AI at Jisc (20/03/2024)
byJisc
 
Wellbeing inclusion and digital dystopias.pptx
byJisc
 
Accessible Digital Futures project (20/03/2024)
byJisc
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
byJisc
 
International students’ digital experience: understanding and mitigating the ...
byJisc
 

Recently uploaded

PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
AI in DevOps: Transforming the Developer Experience and Expanding the Securit...
byEnterprise Management Associates
 
PDF
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
PDF
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
PDF
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
PDF
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PPTX
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
AI in DevOps: Transforming the Developer Experience and Expanding the Securit...
byEnterprise Management Associates
 
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
Understanding Foldable 3-Wheel Electric Scooters for Everyday Use
byTopmate
 
Mount File Systems using UUID and Label - RHCSA (RH134).pdf
byLinuxCert Guru
 
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
Self-Correction Failure Diagnostic: Detecting Drift in Complex Systems
bySystems Research Group
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
Retrieval Augmented Generation- The Synergistic Power of Prompt Engineering
bySemantic SEO BD
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 

DoH, DoT and ESNI

  • 1.
    DoH, DoT, &ESNI Graham Stevens
  • 2.
    DoH, DoT, &ESNI DNS over HTTPS DNS over TLS EncryptedServer NameIndication GrahamStevens–6th November2019
  • 3.
    whoami • Graham Stevens •IncidentResponse Consultant • gstevens@nettitude.com ConfidentialInformation 3
  • 4.
    DNS in 60Seconds ConfidentialInformation 4 bbc.co.uk Root TLD NS
  • 5.
    What this lookslike on the wire ConfidentialInformation 5
  • 6.
    What this lookslike on the wire ConfidentialInformation 6
  • 7.
    So what’s wrongwith that? ConfidentialInformation 7 • RFC 1034 &RFC 1035 • Firstintroducedin1985. • Poorsecurity(no cryptographicsignaturesonthe responses,socould havebeen tamperedwith) • Poorprivacy(Everythingisincleartext)
  • 8.
    So what’s wrongwith that? ConfidentialInformation 8 DNSProvider DNS PlaintextoverUDP/TCP DNSQuery www.bbc.co.uk 151.101.0.81 server_name: www.bbc.co.uk CommonName: www.bbc.co.uk TLS1.2 Orlower bbc.co.uk TLS<= 1.2 HTTP Unencrypted Encrypted DNSResult
  • 9.
    RFC8484: DNS overHTTPS (DoH) RFC8484 Confidential Information 9 RFC8484 defines a specific protocol, DNS over HTTPS (DoH), for sending DNS [RFC1035] queries and getting DNS responses over HTTP [RFC7540] using https [RFC2818] URIs (and therefore TLS [RFC8446] security for integrity and confidentiality). Each DNS query- response pair is mapped into an HTTP exchange.
  • 10.
    That’s great but…so what? ConfidentialInformation 10 • NomoreUDPpackets. • HTTP– A protocolwe allknow and love. • GET &POST bothaccepted • DNSwire-formatorJSON • Enforcedend-to-end encryptionwiththe widelyadoptedTLS
  • 11.
    So what doesit look like? ConfidentialInformation 11 GET Request :method = GET :scheme = https :authority = dnsserver.example.net :path = /dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB accept = application/dns-message
  • 12.
    So what doesit look like? ConfidentialInformation 12 POSTRequest :method = POST :scheme = https :authority = dnsserver.example.net :path = /dns-query accept = application/dns-message content-type = application/dns-message content-length = 33 <33 bytes represented by the following hex encoding> 00 00 01 00 00 01 00 00 00 00 00 00 03 77 77 77 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 01 00 01
  • 13.
    So what doesit look like? ConfidentialInformation 13 Response This is an example response for a query for the IN AAAA records for "www.example.com" with recursion turned on. The response bears one answer record with an address of 2001:db8:abcd:12:1:2:3:4 and a TTL of 3709 seconds. :status = 200 content-type = application/dns-message content-length = 61 cache-control = max-age=3709 00 00 81 80 00 01 00 01 00 00 00 00 03 77 77 77 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 1c 00 01 c0 0c 00 1c 00 01 00 00 0e 7d 00 10 20 01 0d b8 ab cd 00 12 00 01 00 02 00 03 00 04
  • 14.
    So what doesit look like? JSON ConfidentialInformation 14 Request curl -k -H "accept: application/dns-json" https://dns.google.com/resolve?name=example.com&type=AAAA Response {"Status": 0,"TC": false,"RD": true,"RA": true,"AD": true,"CD": false,"Question":[ {"name": "example.com.","type": 28}],"Answer":[ {"name": "example.com.","type": 28,"TTL": 6410,"data": "2606:2800:220:1:248:1893:25c8:1946"}]}
  • 15.
    RFC7858: DNS overTLS (DoT) RFC7858 Confidential Information 15 RFC7858 defines a protocol, DNS over TLS (DoT), for sending DNS [RFC1035] queries and getting DNS responses using TLS [RFC8446] for integrity and confidentiality. Port 853 outbound is required for DoT, similar to how 53 is required for ‘classic’ DNS.
  • 16.
    So what doesit look like? ConfidentialInformation 16 $ kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com example.com ;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP) ;; DEBUG: TLS, imported 170 system certificates ;; DEBUG: TLS, received certificate hierarchy: ;; DEBUG: #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com ;; DEBUG: SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA ;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw= ;; DEBUG: TLS, skipping certificate PIN check ;; DEBUG: TLS, The certificate is trusted. ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GC ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58548 ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1 ;; EDNS PSEUDOSECTION: ;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR ;; PADDING: 408 B ;; QUESTION SECTION: ;; example.com. IN A ;; ANSWER SECTION: example.com. 2347 IN A 93.184.216.34
  • 17.
    So where doesthat leave us? • DNSis no longer is clear text • End-to-end encryptionwith HTTPS • But we still havea privacy leak: • ClientHello • server_name ConfidentialInformation 17
  • 18.
  • 19.
  • 20.
    So what’s wrongwith that? ConfidentialInformation 20 DNSProvider DNS OverHTTPS/TLS DNSQuery 151.101.0.81 TLS1.3 WithencryptedSNI bbc.co.uk TLS1.3 HTTP Unencrypted Encrypted DNSResult
  • 21.
    Usage as ofToday ConfidentialInformation 21 DoH Firefox –Gradualrolloutduring2019/20 inUSasdefault. Chrome –Gradualrollout asofChrome78, basedoncurrentDNSprovider. cURL –Availablesince7.62.0. $ curl --doh-url https://dns-server.example.com https://www.example.com DoT Android –As ofAndroidPie (August 2018)
  • 22.
    Scary Thoughts… ConfidentialInformation 22 Whathappenswhenmalware utilisesESNI &DoH? Open-sourceimplementationsarealreadyfreelyavailable: • DNSC2 by Sensepost(https://github.com/sensepost/goDoH) • DNSC2 for CobaltStrike (https://github.com/SpiderLabs/DoHC2) • Alreadyhappening: https://github.com/magisterquis/dnsbotnet • ImplementedDNSoverHTTPS/DomainFrontinginMay2018. • dnscat2:(https://github.com/iagox86/dnscat2)
  • 23.
    Scary Thoughts… Today! ConfidentialInformation23 DoHisactivelybeingusedby malwaretoday. • April2019 –Godlua Backdoor usesDoHforC21 • June 2019 – ReportsofNecursusingDoH2 • September2019 – PsiXBotabusesGoogle’s DoHServiceforC23 • October2019 – mimikatz.exe overDoH(TXTrecords)4 1 https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/ 2 https://myonlinesecurity.co.uk/it-looks-like-another-dns-compromise-hack-happening/ 3 https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module 4 https://twitter.com/DidierStevens/status/1152971745428738049
  • 24.
    What can wedo about it? ConfidentialInformation 24 • Blockormoreaggressivelymonitortrafficto DNSoverHTTPS(DoH)endpoints.If youwishtobenefitfromsomeofthe security benefitsthat DoHoffers,rollout internalDoH,DNSoverTLS(DoT) resolversand/orcarryout secureDNSresolutiononthe outermostDNSserversofthe organisation. • WherepossibleinspectunderlyingHTTP exchangesforindicatorsof DoHusewhereTLSisstrippedforinspectionwithinan organisation.i.e. 'application/dns-json','application/dns-message'contenttypes. • Apply heuristicbasedoranomaly-baseddetectionsofpacket sizes,frequencyand volume,timebased,patternoflifetooutgoing traffic. • NCSC Factsheet • https://english.ncsc.nl/publications/factsheets/2019/oktober/2/factsheet-dns-monitoring-will-get-harder
  • 25.
    What can wedo about it? ConfidentialInformation 25 • Apply heuristicbasedoranomaly-baseddetectionsofpacketsizes,frequencyandvolume,timebased,patternoflifeto outgoing traffic. • Possibletoutilise Saleforce’sJA3 (https://github.com/salesforce/ja3) CourtesyofJustinWarner(@sixdub)
  • 26.
    Further Reading ConfidentialInformation 26 •EncryptedSNI • https://datatracker.ietf.org/doc/draft-ietf-tls-esni/?include_text=1 • DNSoverHTTPS • https://tools.ietf.org/html/rfc8484 • DNSoverTLS • https://tools.ietf.org/html/rfc7858 • DNSwrittenbyhand • https://routley.io/tech/2017/12/28/hand-writing-dns-messages.html
  • 27.
  • 28.

Editor's Notes

  • #4 Incident Response Consultant for Nettitude, a security consultancy firm here in the UK. Previously I was with BT for two years in their 3rd Line CERT, where some of you may recognize me from. I was fairly active in the TF-CSIRT/FIRST scene, with a few presentations: Scanning for vulnerable Amazon AWS S3 buckets, & Google cloud (and a little bit of Azure) Tracking APT28 with their OPSEC fails with just OSINT tools and data SMB Honeypot activity, detailing how prolific EternalBlue is on the Internet. Today however, I’d like to talk to you all about DNS. Specifically, DoH, DoT and the future of eSNI.
  • #5 Browser checks its local cache for bbc.co.uk and its resulting IP address. Checked the local OS cache for bbc.co.uk Goes off to the next DNS Resolver (normally your ISP. Your network knows about this thanks to your ISP supplied router/modem). If our DNS Resolver doesn’t know, it goes off to the root DNS server to ask, where it is told about the nameserver for the TLD (in this instance, .co.uk). This info is cached by the DNS resolver, so that we don’t have to pester the 13 root servers again. If the TLD nameserver doesn’t know (i.e isn’t cached), it will provide the authoritative nameservers for the domain (ns3.bbc.co.uk, n3.bbc.net.uk). Again, this info is cached by the DNS resolver. Glue records are passed with the ns record, so that the resolver knows what IPs to talk to. The authoritative nameserver will hand out the IP address for bbc.co.uk, which is again cached by the DNS resolver. The record returned is likely to be an A record, simply a way of turning a domain into an IP address. Other records exist like MX for mail servers etc. DNS Resolver hands it back to our machine, and away we go.
  • #6 Our DNS request packet, from the local machine to my next resolver (in this case, 192.168.1.1).
  • #7 And the response back from 192.168.1.1, with a CNAME record, and 2 A records.
  • #9 Here is a visual representation of that, where we can see all those comms in red are unencrypted and leak information about our behaviour. As we learned previously, DNS is all plaintext over UDP or TCP on port 53, so anyone can grab that off of the wire. We can also see the initial TLS handshake for the HTTPS connection is also unencrypted, leaking the SNI (server name indication) on the ClientHello, and CommonName in the ServerHello response. Very interesting information, which I’m sure many of us have used in the past to aid investigations where TLS interception isn’t being utilised or isn’t viable in the environment.
  • #10 DNS over HTTPS (DoH) is one proposal on the table for solving some of the pitfalls of the traditional DNS resolution that underpins the Internet. The key issues being addressed in current DNS are the end user privacy implications and the possibility of Man-in-the-Middle (MitM) attacks which mean that a malicious party within the data path of resolution could interfere with the messaging. The DoH solution, described in RFC8484 ( https://tools.ietf.org/html/rfc8484), sees the sending of DNS queries and retrieval of DNS responses take place over HTTPS which provides security for integrity and confidentiality. In this DNS ecosystem DoH providers host a URI endpoint on the Internet that facilitates DNS resolution. An alternate approach to DoH is DNS over TLS (DoT), described in RFC7858 ( https://tools.ietf.org/html/rfc7858), but this approach requires direct outbound connectivity to port TCP 853.
  • #11 DNS over HTTPS (DoH) is one proposal on the table for solving some of the pitfalls of the traditional DNS resolution that underpins the Internet. The key issues being addressed in current DNS are the end user privacy implications and the possibility of Man-in-the-Middle (MitM) attacks which mean that a malicious party within the data path of resolution could interfere with the messaging. The DoH solution, described in RFC8484 ( https://tools.ietf.org/html/rfc8484), sees the sending of DNS queries and retrieval of DNS responses take place over HTTPS which provides security for integrity and confidentiality. In this DNS ecosystem DoH providers host a URI endpoint on the Internet that facilitates DNS resolution. An alternate approach to DoH is DNS over TLS (DoT), described in RFC7858 ( https://tools.ietf.org/html/rfc7858), but this approach requires direct outbound connectivity to port TCP 853.
  • #12 Important thing to note, is that the DNS query (dns wire-format) is base64url encoded, not base64 encoded. That is an important thing to note, as it means certain base64 characters aren’t included (/, +). Padding (=) must not be included.
  • #13 In this example, the 33 bytes are the DNS message in DNS wire format [RFC1035], starting with the DNS header. https://routley.io/tech/2017/12/28/hand-writing-dns-messages.html
  • #14 Response back is once again in the DNS wire-format.
  • #15 Response back this time in JSON!
  • #16 How It Works: A stub resolver (the DNS client on a device that talks to the DNS resolver) connects to the resolver over a TLS connection: Before the connection the DNS stub resolver has stored a base64 encoded SHA256 hash of cloudflare-dns.com’s TLS certificate (called SPKI) DNS stub resolver establishes a TCP connection with cloudflare-dns.com:853 DNS stub resolver initiates a TLS handshake In the TLS handshake, cloudflare-dns.com presents its TLS certificate. Once the TLS connection is established, the DNS stub resolver can send DNS over an encrypted connection, preventing eavesdropping and tampering. All DNS queries sent over the TLS connection must comply with specifications of sending DNS over TCP.
  • #17 Response back.
  • #20 Left: Current day – Everything is encrypted from the ServerHello onwards… but ClientHello as we saw in the previous slide is sent in the clear. This is what we see in the ACP proxy logs, where TCP CONNECT manages to give us the SNI (i.e. the subdomain and domain, but not the URL query etc.) Right: Potential future, where everything is encrypted end to end. Our best bet is to look at IP addresses and netflow (but the issue here is that the internet is no longer 1 IP = 1 website, we have shared hosting and services like Cloudflare and CDNs which means we never really see the end destination). If the chicken must come before the egg, where do you put the chicken? As with many other Internet features the answer is simply “DNS”. The server publishes a public key on a well-known DNS record, which can be fetched by the client before connecting (as it already does for A, AAAA and other records). The client then replaces the SNI extension in the ClientHello with an “encrypted SNI” extension, which is none other than the original SNI extension, but encrypted using a symmetric encryption key derived using the server’s public key, as described below. The server, which owns the private key and can derive the symmetric encryption key as well, can then decrypt the extension and therefore terminate the connection (or forward it to a backend server). Since only the client, and the server it’s connecting to, can derive the encryption key, the encrypted SNI cannot be decrypted and accessed by third parties.
  • #21 The future. What will we see? A connection to 1.1.1.1 or 8.8.8.8 etc. over HTTPS, and a connection to another IP address – that’s it.
  • #22 Response back this time in JSON!
  • #23 Response back this time in JSON!
  • #24 Today? No idea, but its probably very hidden and be a pain to go and spot. goDoH is a C2 framework written in Golang, utilising DNS over HTTPS as a transport medium. Every redteamers favorite toy also now has C2 channel out via DNS over HTTPS Ngrok is currently doing DNS over HTTPS, which has been spotted a couple of times on VT by various researchers.
  • #25 Monitoring for traffic to the DoH endpoints will provide you a view of whether or not it is happening on your estate, but obviously won’t provide you with the DNS logs we are used to, to see what people have been looking up. Inspecting the headers would work if you’re MITM/TLS Stripping all of your internal traffic, which some corps ofcourse do. Our best bet, like with most encrypted communications, is to use the metadata and heuristics to try and interpret what is going on. NCSC EU have produced a very useful factsheet on monitoring DNS with DoH and DoT on the horizon.
  • #26 JA3 - A method for profiling SSL/TLS Clients JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence. We can see Justin Warner here has already put two separate PCAPs through JA3, for both Google DNS and Cloudflare, and successfully fingerprinted the browser client. The issue here however, is this will vary greatly depending on OS and browser version, which leads to the classic problem of large amount of data for an analyst to work through, or attempting to maintain a lengthy whitelist/fingerprint list.
  • #27 JA3 - A method for profiling SSL/TLS Clients JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence. We can see Justin Warner here has already put two separate PCAPs through JA3, for both Google DNS and Cloudflare, and successfully fingerprinted the browser client. The issue here however, is this will vary greatly depending on OS and browser version, which leads to the classic problem of large amount of data for an analyst to work through, or attempting to maintain a lengthy whitelist/fingerprint list.