Feature #5773: doh: support DNS over HTTPS (DoH)

Added by Brandon Murphy over 3 years ago. Updated 12 months ago.

Status: Closed
Priority: Normal
Target version:
Effort:
Difficulty:
Label: Protocol

Description

Feature request is for Suricata, when presented with, likely decrypted, pcap/traffic that includes DoH traffic, it'd be parsed and included with DNS logs.

https://datatracker.ietf.org/doc/rfc8484/

Example pcap included.

A couple of quick notes I found when looking through the RFC:
  1. "HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP for use with DoH."
    I suppose this doesn't mean it can't use HTTP/1.1, just that it's not RECOMMENDED.
  2. "DoH client encodes a single DNS query into an HTTP request using either the HTTP GET or POST method..."
  3. "Reuses the format of DNS once base64 decoded"

Ideally all normal "dns" support would work with data that occurs via DoH, datasets, dns keywords, logging, etc.
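Added example, not code from the Suricata issue, its PRs or the project: a small Python decoder for the two request forms RFC 8484 section 4.1 describes, the GET form with the message base64url-encoded (no padding) in the `dns` query parameter and the POST form with the raw `application/dns-message` body, followed by a wire-format DNS parser that pulls out what a DNS log needs (ID, flags, questions, answer owner names and types). The HTTP splitter only understands HTTP/1.1 text; for HTTP/2 the same fields come from the :method and :path pseudo-headers and the content-type header. The function names and the sample requests are this example's own constructions; RFC_GET_EXAMPLE is the encoded query shown in RFC 8484 section 4.1.1.

```python
# Added example, not code from the Suricata issue or project. Extracts the DNS
# wire-format message from a DoH request (RFC 8484 section 4.1: GET with a
# base64url "dns" parameter, or POST with an application/dns-message body)
# and decodes its header, questions and answer names. Samples are constructed.
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DNS_MESSAGE_TYPE = "application/dns-message"
RFC_GET_EXAMPLE = "AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"  # RFC 8484 4.1.1

def b64url_decode_nopad(s):
    # RFC 8484 mandates base64url without padding; re-add it for the decoder.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_http_request(raw):
    # Minimal HTTP/1.1 request splitter: (method, target, headers, body).
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(body)))
    return method, target, headers, body[:length]

def extract_doh_message(method, target, headers, body):
    """Return the raw DNS message, or None if the request is not DoH."""
    if method == "GET":
        params = parse_qs(urlsplit(target).query)
        return b64url_decode_nopad(params["dns"][0]) if "dns" in params else None
    if method == "POST":
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        return body if ctype == DNS_MESSAGE_TYPE else None
    return None

def _read_name(msg, off):
    # Decode a DNS name, following RFC 1035 compression pointers with a hop limit.
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = off + 2 if end is None else end  # resume after first pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression loop")
            off = ptr
            continue
        if n > 63:
            raise ValueError("bad label length")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), (off if end is None else end)

def parse_dns(msg):
    """Decode header, question section and answer owner names/types/TTLs."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than header")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        questions.append((name, qtype, qclass))
        off += 4
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        answers.append((name, rtype, ttl))
        off += 10 + rdlen  # skip RDATA; names and types are enough here
    return {"id": ident, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}

def build_query(name, qtype=1, ident=0, rd=True):
    # Wire-format query with a single class-IN question.
    out = struct.pack("!6H", ident, 0x0100 if rd else 0, 1, 0, 0, 0)
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_request_to_dns(raw):
    """HTTP request bytes -> decoded DNS dict, or None when not DoH."""
    msg = extract_doh_message(*parse_http_request(raw))
    return None if msg is None else parse_dns(msg)

# Constructed samples: GET carrying the RFC example, POST carrying a built query.
SAMPLE_GET = (b"GET /dns-query?dns=" + RFC_GET_EXAMPLE.encode() + b" HTTP/1.1\r\n"
              b"Host: dnsserver.example.net\r\nAccept: application/dns-message\r\n\r\n")
_POST_BODY = build_query("example.com", qtype=28, ident=0xABCD)
SAMPLE_POST = (b"POST /dns-query HTTP/1.1\r\nHost: dnsserver.example.net\r\n"
               b"Content-Type: application/dns-message\r\nContent-Length: %d\r\n\r\n"
               % len(_POST_BODY) + _POST_BODY)
```

Calling `doh_request_to_dns(SAMPLE_GET)` yields the www.example.com A question with ID 0 and RD set, exactly the message the RFC example encodes; `doh_request_to_dns(SAMPLE_POST)` yields the AAAA question from the body. A POST whose content-type is not application/dns-message, or a GET without a `dns` parameter, returns None rather than being guessed at, which is the check a parser hooking into HTTP traffic needs before handing bytes to the DNS layer.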


Files

dns_over_https.pcap (5.07 KB) - Brandon Murphy, 01/03/2023 04:07 PM
dns_over_https_POST.pcap (20.6 KB) - Brandon Murphy, 03/24/2024 08:50 PM

Related issues: 8 (4 open, 4 closed)

Related to Suricata - Task #6443: Suricon 2023 brainstorm (Assigned, Victor Julien)
Related to Suricata - Feature #6453: Support DNS over TLS (New, OISF Dev)
Related to Suricata - Feature #5674: Support layered protocols (Assigned, OISF Dev)
Related to Suricata - Feature #3952: protocols: implement mDNS (Closed, Jason Ish)
Blocked by Suricata - Bug #6281: dns: structure of query differs between "alert" and "dns" event types (Closed, Jason Ish)
Blocked by Suricata - Optimization #3827: output: clean up logging initialization code (Closed, Philippe Antoine)
Blocks Suricata - Task #7118: tracking: add support for new protocols (Assigned, Victor Julien)
Blocks Suricata - Story #7119: protocols: protocol additions (Closed, Victor Julien)

#1 Updated by Victor Julien almost 3 years ago

  • Target version changed from TBD to 8.0.0-beta1

#2 Updated by Philippe Antoine over 2 years ago

  • Related to Task #6443: Suricon 2023 brainstorm added

#3 Updated by Philippe Antoine over 2 years ago

Also DNS over TLS (port 5353 ?) as plain DNS...?

#4 Updated by Philippe Antoine over 2 years ago

DNS over HTTPS seems to be HTTP2 with base64 payload in URL

#5 Updated by Brandon Murphy over 2 years ago

Philippe Antoine wrote in #note-4:

DNS over HTTPS seems to be HTTP2 with base64 payload in URL

The way the RFC is written, HTTP/1 is not RECOMMENDED. It does NOT say it MUST be HTTP/2.

#6 Updated by Philippe Antoine over 2 years ago

#7 Updated by Philippe Antoine over 2 years ago

#8 Updated by Philippe Antoine over 2 years ago

  • Assignee changed from OISF Dev to Philippe Antoine

#9 Updated by Philippe Antoine over 2 years ago

Hack could be to:
- hook into HTTP2 parsing: if headers look like a DNS request, the HTTP2 state creates and owns a DNS state + we call some new function with arguments the flow and the payload (and the protocol DNS), kind of like StreamTcpDetectLogFlush
- We kind of dequeue a pseudo-packet with DNS payload and run the flow worker on it. This begins by switching the DNS state into Flow's alstate and ends by re-putting the HTTP2 state

#10 Updated by Victor Julien over 2 years ago

  • Status changed from New to Assigned

#11 Updated by Victor Julien over 2 years ago

#12 Updated by Philippe Antoine over 2 years ago

  • Status changed from Assigned to In Progress

#13 Updated by Philippe Antoine over 2 years ago

  • Blocked by Bug #6281: dns: structure of query differs between "alert" and "dns" event types added

#14 Updated by Philippe Antoine over 2 years ago

  • Status changed from In Progress to In Review

#15 Updated by Philippe Antoine about 2 years ago

#16 Updated by Brandon Murphy about 2 years ago

I apologize for not tracking this issue very closely.

Does this also handle DoH queries that are within the request body via a POST? I believe it's a different format when this happens.

https://datatracker.ietf.org/doc/html/rfc8484#section-4.1.1 has examples.

#17 Updated by Philippe Antoine about 2 years ago

Thanks Brandon, the current draft PR does not recognize this indeed. Would you have a pcap to share ?

For info, this whole feature is waiting on #6281 to get past the draft PR...

#18 Updated by Brandon Murphy about 2 years ago

Attached is a pcap from a post on netresec. It contains a single TCP session with multiple DoH via POST over HTTP/2 that has been decrypted.

#19 Updated by Philippe Antoine about 2 years ago

Thank you @zoomequipd

The PR https://github.com/OISF/suricata/pull/10733 has a last commit to handle this case, and your pcap is tested in the SV PR https://github.com/OISF/suricata-verify/pull/1734

#20 Updated by Victor Julien almost 2 years ago

  • Blocks Task #7118: tracking: add support for new protocols added

#21 Updated by Victor Julien almost 2 years ago

  • Blocks Story #7119: protocols: protocol additions added

#22 Updated by Philippe Antoine over 1 year ago

  • Status changed from In Review to Closed

#23 Updated by Victor Julien 12 months ago

  • Subject changed from Support DNS over HTTPS (DoH) to doh: support DNS over HTTPS (DoH)