Support DNS over HTTPS (DoH)
This feature request is for Suricata, when presented with (likely decrypted) pcap/traffic that includes DoH traffic, to parse it and include it with the DNS logs.
Example pcap included.

A couple of quick notes I found when looking through the RFC:
- "HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP for use with DoH."
I suppose this doesn't mean it can't use HTTP/1.1, just that it's not RECOMMENDED.
- "DoH client encodes a single DNS query into an HTTP request using either the HTTP GET or POST method..."
- Reuses the format of DNS once base64 decoded.

Ideally all normal "dns" support would work with data that occurs via DoH: datasets, dns keywords, logging, etc.
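
To illustrate the notes above, here is an added example (not Suricata code and not part of the original request) that pulls the DNS message out of an already-decrypted DoH GET or POST request and decodes the first question into a log-style record. The function names, the output field names, the lowercase-keyed `headers` dict and the sample request are assumptions of this example.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}

def doh_payload(method, target, headers, body=b""):
    """Return the raw DNS message carried by a DoH request, or None."""
    if method.upper() == "GET":
        values = parse_qs(urlsplit(target).query).get("dns")
        if not values:
            return None
        # GET carries the message as base64url with the padding stripped.
        b64 = values[0] + "=" * (-len(values[0]) % 4)
        try:
            return base64.urlsafe_b64decode(b64)
        except ValueError:
            return None
    if method.upper() == "POST":
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        return body if ctype == "application/dns-message" else None
    return None

def parse_question(msg):
    """Decode the header and first question of a DNS wire-format message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated qname")
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(msg):  # compression pointers not expected here
            raise ValueError("bad label length")
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {"id": txid, "type": "answer" if flags >> 15 else "query",
            "rrname": ".".join(labels), "rrtype": QTYPES.get(qtype, str(qtype))}

# Constructed sample: a DoH GET for www.example.com, type A.
SAMPLE_GET = "/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"
```

Once the payload is extracted, the same `parse_question` handles both methods, which is the point of the request: DoH only changes the transport, not the DNS message format.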