Project

General

Profile

Actions

Feature #5773

open

Support DNS over HTTPS (DoH)

Added by Brandon Murphy over 1 year ago. Updated 28 days ago.

Status:
In Review
Priority:
Normal
Target version:
Effort:
Difficulty:
Label:
Protocol

Description

Feature request is for Suricata, when presented with, likely decrypted, pcap/traffic that includes DoH traffic, it'd be parsed and included with DNS logs.

https://datatracker.ietf.org/doc/rfc8484/

Example pcap included.

A couple of quick notes I found when looking through the RFC:
  1. "HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP for use with DoH."
    I suppose this doesn't mean it can't use HTTP/1.1, just that it's not RECOMMENDED.
  2. "DoH client encodes a single DNS query into an HTTP request using either the HTTP GET or POST method..."
  3. "Reuses the format of DNS once base64 decoded

Ideally all normal "dns" support would work with data that occurs via DoH, datasets, dns keywords, logging, etc.


Files

dns_over_https.pcap (5.07 KB) dns_over_https.pcap Brandon Murphy, 01/03/2023 04:07 PM
dns_over_https_POST.pcap (20.6 KB) dns_over_https_POST.pcap Brandon Murphy, 03/24/2024 08:50 PM

Related issues 6 (5 open1 closed)

Related to Suricata - Task #6443: Suricon 2023 brainstormAssignedVictor JulienActions
Related to Suricata - Feature #6453: Support DNS over TLSNewOISF DevActions
Related to Suricata - Feature #5674: Support layered protocolsNewOISF DevActions
Related to Suricata - Feature #3952: mDNS protocol implementationAssignedJason IshActions
Blocked by Suricata - Bug #6281: dns: structure of query differs between "alert" and "dns" event typesIn ProgressJason IshActions
Blocked by Suricata - Optimization #3827: clean up logging initialization codeClosedPhilippe AntoineActions
Actions #1

Updated by Victor Julien 11 months ago

  • Target version changed from TBD to 8.0.0-beta1
Actions #2

Updated by Philippe Antoine 6 months ago

  • Related to Task #6443: Suricon 2023 brainstorm added
Actions #3

Updated by Philippe Antoine 6 months ago

Also DNS over TLS (port 5353 ?) as plain DNS...?

Actions #4

Updated by Philippe Antoine 6 months ago

DNS over HTTPS seems to be HTTP2 with base64 payload in URL

Actions #5

Updated by Brandon Murphy 6 months ago

Philippe Antoine wrote in #note-4:

DNS over HTTPS seems to be HTTP2 with base64 payload in URL

the way the RFC is written, HTTP/1 is not RECOMMENDED. it does NOT say it MUST be HTTP/2.

Actions #6

Updated by Philippe Antoine 6 months ago

Actions #7

Updated by Philippe Antoine 6 months ago

Actions #8

Updated by Philippe Antoine 5 months ago

  • Assignee changed from OISF Dev to Philippe Antoine
Actions #9

Updated by Philippe Antoine 5 months ago

Hack could be to :
- hook into HTTP2 parsing : if headers look like DNS request : the HTTP2 state creates and owns a DNS state + we call some new function with arguments the flow and the payload (and the protocol DNS) kind of StreamTcpDetectLogFlush
- We kind of dequeue a pseudo-packet with DNS payload and run the flow worker on it. This begins by switching the DNS state into Flow's alstate and ends by reputing the HTTP2 state

Actions #10

Updated by Victor Julien 5 months ago

  • Status changed from New to Assigned
Actions #11

Updated by Victor Julien 5 months ago

Actions #12

Updated by Philippe Antoine 5 months ago

  • Status changed from Assigned to In Progress
Actions #13

Updated by Philippe Antoine 4 months ago

  • Blocked by Bug #6281: dns: structure of query differs between "alert" and "dns" event types added
Actions #14

Updated by Philippe Antoine 4 months ago

  • Status changed from In Progress to In Review
Actions #15

Updated by Philippe Antoine 3 months ago

Actions #16

Updated by Brandon Murphy about 1 month ago

I apologize for not tracking this issue very closely.

Does this also handle DoH queries are within the request body via a POST? I believe it's a different format when this happens.

https://datatracker.ietf.org/doc/html/rfc8484#section-4.1.1 has examples.

Actions #17

Updated by Philippe Antoine about 1 month ago

Thanks Brandon, the current draft PR does not recognize this indeed. Would you have a pcap to share ?

For info, this whole feature is waiting on #6281 to have get past the draft PR...

Actions #18

Updated by Brandon Murphy about 1 month ago

Attached is a pcap from a post on netresec. It contains a single TCP session with multiple DoH via POST over HTTP/2 that has been decrypted.

Actions #19

Updated by Philippe Antoine 28 days ago

Thank you @Brandon Murphy

The PR https://github.com/OISF/suricata/pull/10733 has a last commit to handle this case, and your pcap is tested in the SV PR https://github.com/OISF/suricata-verify/pull/1734

Actions

Also available in: Atom PDF