A few years ago we discussed the arguments for and against this protocol and the risks its widespread adoption poses to personal data. Today we look at how the situation has changed since then.
Encryption is a double-edged sword
The DNS-over-HTTPS (DoH) protocol encapsulates DNS queries in ordinary HTTPS traffic, so they are hidden from ISPs and from attackers eavesdropping on the network. IEEE specialists write that the protocol closes several weaknesses exploited by attackers; in particular, it resists DNS amplification attacks. In such an attack the attacker spoofs the victim's IP address as the source of short queries sent to open DNS resolvers; the much larger responses bombard the victim with unwanted packets until it is overwhelmed. Carrying out such an attack over DoH is impractical, because the protocol requires a TCP connection and a TLS handshake, which cannot be completed from a spoofed source address.
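To make the encapsulation concrete, here is an added example (not code from the original article or from any resolver project) that builds a DNS wire-format query, wraps it in the RFC 8484 GET form (`?dns=` carrying the query base64url-encoded without padding), and parses a constructed response the way a DoH client would after pulling the `application/dns-message` body out of the HTTPS reply. The resolver URL, the query name and the response bytes are assumptions constructed for the example; nothing is sent over the network.

```python
import base64
import struct

# Assumption for the example: an illustrative resolver URL (no real resolver is contacted).
RESOLVER_URL = "https://doh.example/dns-query"


def encode_name(name):
    """Hostname -> DNS wire format: length-prefixed labels plus the root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("invalid label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1):
    """Minimal DNS query: RD=1, one question. RFC 8484 recommends a transaction
    ID of 0 so that identical queries stay cacheable by HTTP caches."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(base_url, query):
    """RFC 8484 GET form: base64url without '=' padding in the 'dns' parameter."""
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={enc}"


def dns_param_to_query(url):
    """Server side of the same exchange: recover the wire query, restoring padding."""
    enc = url.split("?dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):                      # bounded walk: no pointer loops
        ln = msg[off]
        if ln == 0:
            off += 1
            break
        if (ln & 0xC0) == 0xC0:               # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    else:
        raise ValueError("malformed name")
    return ".".join(labels), (end if jumped else off)


def parse_a_answers(msg):
    """IPv4 addresses from the answer section of a DNS response message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not (flags & 0x8000):
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def constructed_response(query):
    """Constructed stand-in for the resolver's application/dns-message body:
    echo the question, then one A record whose name is a pointer (0xC00C) to offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, NOERROR
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("example.test")
    print(doh_get_url(RESOLVER_URL, q))
    print(parse_a_answers(constructed_response(q)))
```

Everything an on-path observer sees is a TLS connection to the resolver carrying a GET with an opaque `dns=` parameter; the question name, the answer and even the fact that it is DNS at all are inside the encrypted payload, which is exactly why the monitoring problem discussed below arises.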
But when one door closes, another opens. A few years ago experts warned that attackers would start using DNS-over-HTTPS to hide malicious traffic from monitoring tools, and they have indeed begun doing so more often. In October 2022 a group of information security specialists published a report on the Black Basta ransomware gang, which relies on the QakBot botnet and uses DoH in its operations: the malware's command-and-control exchanges are masked inside encrypted DNS-over-HTTPS traffic, where a network monitor that only inspects plaintext DNS never sees them.
New methods are being developed to counter such abuse. A group of researchers from the Czech Technical University in Prague presented a system based on decision trees boosted with the AdaBoost algorithm. The classifier works only on flow metadata, namely connection duration, the number of packets sent and their sizes, and on this basis it identifies 99% of DNS-over-HTTPS traffic; the authors were even able to tell apart the DoH traffic of different browsers. A similar system was developed by engineers in Bahrain, who compared random forest and gradient boosting algorithms, k-nearest neighbours and logistic regression.
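The following is an added example (not the researchers' code or data) of the approach described above: packets are aggregated into bidirectional flows, each flow is reduced to the three features named in the text (mean packet size, packet count, duration), and an AdaBoost ensemble of decision stumps is trained on labelled flows, written out by hand so the reweighting step is visible. The packet records, addresses and traffic shapes are constructed assumptions; 192.0.2.10 stands in for a DoH resolver and the labels come from that knowledge. The shapes are deliberately not separable by any single feature, so the example shows boosting doing real work: one stump on packet size, a second on size that repairs the first's mistake, and a third on packet count.

```python
from collections import defaultdict
from math import exp, log


def synth_flow(start, client, cport, server, n_pkts, pkt_size, duration):
    """Constructed packets (ts, src, sport, dst, dport, length) for one TCP/443
    connection: alternating direction, spread evenly over `duration` seconds."""
    step = duration / (n_pkts - 1)
    c2s, s2c = (client, cport, server, 443), (server, 443, client, cport)
    return [(start + i * step, *(c2s if i % 2 == 0 else s2c), pkt_size) for i in range(n_pkts)]

# Constructed, labelled traffic shapes (assumptions, not a capture). 192.0.2.10 plays
# the DoH resolver (+1); the other servers are ordinary HTTPS sites (-1).
#    start  client      cport   server          pkts  size  dur   label
FLOW_SPECS = [
    (0,   "10.0.0.5", 50001, "192.0.2.10",      40,  120, 9.0, +1),
    (100, "10.0.0.5", 50002, "192.0.2.10",      30,  130, 3.0, +1),
    (200, "10.0.0.6", 50003, "192.0.2.10",      25,  140, 2.0, +1),
    (300, "10.0.0.6", 50004, "192.0.2.10",      35,  600, 6.0, +1),  # padded answers
    (400, "10.0.0.7", 50005, "198.51.100.20",   12,  900, 4.0, -1),
    (500, "10.0.0.7", 50006, "198.51.100.20",    8, 1100, 1.0, -1),
    (600, "10.0.0.8", 50007, "198.51.100.21",    6,  150, 8.0, -1),  # keep-alive pings
    (700, "10.0.0.8", 50008, "198.51.100.21",   28, 1000, 5.0, -1),
]


def flow_key(pkt):
    """Direction-independent key for a bidirectional flow."""
    _, a, ap, b, bp, _ = pkt
    return tuple(sorted([(a, ap), (b, bp)]))


def extract_features(packets):
    """Per flow: (mean packet size, packet count, duration in seconds)."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    feats = {}
    for key, pk in flows.items():
        ts, sizes = [p[0] for p in pk], [p[5] for p in pk]
        feats[key] = (sum(sizes) / len(sizes), len(sizes), max(ts) - min(ts))
    return feats


def stump_predict(stump, x):
    _, f, thr, pol = stump
    return pol if x[f] <= thr else -pol


def best_stump(X, y, w):
    """Weak learner: the single-feature threshold rule with the lowest weighted error
    (features in order, midpoint thresholds, both polarities; first minimum wins)."""
    best = None
    for f in range(len(X[0])):
        vals = sorted({x[f] for x in X})
        for thr in [(a + b) / 2 for a, b in zip(vals, vals[1:])]:
            for pol in (+1, -1):
                cand = (0.0, f, thr, pol)
                err = sum(wi for x, yi, wi in zip(X, y, w) if stump_predict(cand, x) != yi)
                if best is None or err < best[0]:
                    best = (err, f, thr, pol)
    return best


def ensemble_predict(ensemble, x):
    score = sum(alpha * stump_predict(s, x) for alpha, s in ensemble)
    return 1 if score > 0 else -1


def adaboost_train(X, y, rounds=10):
    """AdaBoost: up-weight the flows the last stump got wrong so the next stump
    concentrates on them; stop once the ensemble fits the training set."""
    w = [1.0 / len(X)] * len(X)
    ensemble = []
    for _ in range(rounds):
        stump = best_stump(X, y, w)
        err = max(stump[0], 1e-10)               # keep the log finite for a perfect stump
        alpha = 0.5 * log((1 - err) / err)
        ensemble.append((alpha, stump))
        w = [wi * exp(-alpha * yi * stump_predict(stump, x)) for wi, yi, x in zip(w, y, X)]
        total = sum(w)
        w = [wi / total for wi in w]
        if all(ensemble_predict(ensemble, x) == yi for x, yi in zip(X, y)):
            break
    return ensemble


def train_and_score(rounds=10):
    """Build the constructed dataset, train, and return (ensemble, training accuracy)."""
    packets, labels = [], {}
    for start, c, cp, s, n, size, dur, label in FLOW_SPECS:
        pk = synth_flow(start, c, cp, s, n, size, dur)
        packets += pk
        labels[flow_key(pk[0])] = label
    feats = extract_features(packets)
    keys = sorted(feats)
    X, y = [feats[k] for k in keys], [labels[k] for k in keys]
    model = adaboost_train(X, y, rounds)
    acc = sum(ensemble_predict(model, x) == yi for x, yi in zip(X, y)) / len(y)
    return model, acc


if __name__ == "__main__":
    model, acc = train_and_score()
    for alpha, (err, f, thr, pol) in model:
        print(f"alpha={alpha:.2f} feature={f} thr<={thr:.1f} -> {pol:+d} (err={err:.3f})")
    print("training accuracy:", acc)
```

On real traffic the same pipeline would be fed from a flow exporter or a pcap, the labels would come from known resolver addresses or a lab capture, and accuracy must be measured on held-out flows rather than the training set; the point here is that nothing inside the TLS payload is needed, which is why this kind of detector survives the encryption.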
In February of last year, engineers from China presented a scheme for detecting tunneling over DNS-over-HTTPS and flagging potentially malicious connections. They combined TLS fingerprinting with a machine learning algorithm, examining the initial packets exchanged when a connection to a DoH server is established: the TLS handshake is the one part of a DoH session that is still sent in the clear, and its ClientHello reveals which client library produced it.
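As an added illustration of what "TLS fingerprinting of the initial packets" means in practice (this is not the Chinese researchers' scheme, whose exact features the article does not give), the example below parses a TLS ClientHello record and derives the widely used JA3 fingerprint from it: the offered TLS version, cipher suites, extension types, supported groups and point formats, with GREASE values stripped because they change on every connection. It also pulls out the SNI, which is the other cleartext field a detector can correlate with a list of known resolvers. The ClientHello bytes are constructed by a helper in the example; the name doh.example and the suite and extension choices are assumptions.

```python
import hashlib
import struct


def build_client_hello(version, ciphers, extensions):
    """Constructed ClientHello record; a zero 'random' is fine for an offline example."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"          # random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                               # compression: null only
    ext = b"".join(struct.pack("!HH", t, len(data)) + data for t, data in extensions)
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (legacy_version, cipher_suites, [(ext_type, ext_body), ...])."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]
    off = 2 + 32                                      # skip random
    off += 1 + body[off]                              # skip session id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                              # skip compression methods
    exts = []
    if off < len(body):
        end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        while off < end:
            t, ln = struct.unpack("!HH", body[off:off + 4])
            exts.append((t, body[off + 4:off + 4 + ln]))
            off += 4 + ln
    return version, ciphers, exts


def is_grease(v):
    """GREASE values (RFC 8701) are randomised per connection and excluded from JA3."""
    return (v & 0x0F0F) == 0x0A0A


def ja3(version, ciphers, exts):
    """JA3 string 'version,ciphers,extensions,curves,point_formats' and its MD5."""
    curves, points = [], []
    for t, data in exts:
        if t == 10:                                   # supported_groups
            n = struct.unpack("!H", data[:2])[0]
            curves = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif t == 11:                                 # ec_point_formats
            points = list(data[1:1 + data[0]])
    text = ",".join([
        str(version),
        "-".join(str(c) for c in ciphers if not is_grease(c)),
        "-".join(str(t) for t, _ in exts if not is_grease(t)),
        "-".join(str(c) for c in curves if not is_grease(c)),
        "-".join(str(p) for p in points),
    ])
    return text, hashlib.md5(text.encode()).hexdigest()


def extract_sni(exts):
    """Host name from the server_name extension (type 0), or None."""
    for t, data in exts:
        if t == 0:
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii")
    return None


def sample_client_hello():
    """Constructed hello resembling a browser connecting to a DoH resolver (assumptions)."""
    sni = b"doh.example"
    sni_ext = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni
    return build_client_hello(
        0x0303,
        [0x1A1A, 0x1301, 0x1302, 0xC02B, 0xC02F],     # leading GREASE suite, then real ones
        [(0x0A0A, b""),                               # GREASE extension
         (0, sni_ext),
         (10, b"\x00\x04\x00\x1d\x00\x17"),           # x25519, secp256r1
         (11, b"\x01\x00"),                           # uncompressed points
         (16, b"\x00\x03\x02h2"),                     # ALPN: h2
         (43, b"\x04\x03\x04\x03\x03")])              # supported_versions: 1.3, 1.2


if __name__ == "__main__":
    v, c, e = parse_client_hello(sample_client_hello())
    print(extract_sni(e), *ja3(v, c, e))
```

In a detector the JA3 string (or hash) becomes one categorical feature next to the flow statistics: a hello whose fingerprint matches a browser but whose SNI or destination is not a known resolver, or a resolver destination reached with a fingerprint no browser produces, is what the tunneling classifier is trained to notice. Encrypted ClientHello, where deployed, removes the SNI but not the rest of the fingerprint.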
The “geography” of the protocol is expanding
DNS-over-HTTPS is becoming more and more common. In 2021 APNIC analysts identified almost a thousand DoH resolvers, and those are only the servers that answer without requiring SNI or an HTTP Host header, i.e. the ones discoverable by scanning bare IP addresses, so the real number is higher.
At the same time, operating system and browser developers have added support for the protocol. DNS-over-HTTPS first appeared in Windows 10 Insider builds in May 2020, and in July 2022 support for the protocol was added to Android.
It has also been enabled by the developers of Chrome and Firefox, but some information security specialists reacted to this decision with caution. They are concerned that users are being asked to entrust their encrypted DNS queries to a third party chosen by the browser vendor. Today the five largest resolvers handle 93% of all DoH requests. Such a small number of providers encourages centralization and can undermine the confidentiality of the transmitted data: encryption protects queries from the ISP and the local network, but not from the resolver itself, which sees every query in the clear and becomes a single high-value target if it is compromised.
To block or not to block
The DoH protocol prevents the ISP from seeing which resources a user visits. This worries some regulators, who fear it may hinder the work of law enforcement agencies in the future.
For this reason, access to DoH resolvers, and the protocol itself, is blocked in Iran. Meanwhile, Europe is designing its own DNS resolver with state participation: it will have built-in content filters and will analyze user requests.
On the other hand, some telecoms and Internet providers call for promoting the adoption of DNS-over-HTTPS. For example, it raises security on public networks in airports, train stations, restaurants and cafes, where anyone on the same network could otherwise observe or spoof plaintext DNS. It can also improve data transfer speeds in countries with developed network infrastructure.