Project

General

Profile

Actions
Copy link

Feature #5773

open

Support DNS over HTTPS (DoH)

Added by Brandon Murphy 9 months ago. Updated 4 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
8.0.0-beta1
Effort:
Difficulty:
Label:
Protocol

Description

Feature request is for Suricata, when presented with, likely decrypted, pcap/traffic that includes DoH traffic, it'd be parsed and included with DNS logs.

https://datatracker.ietf.org/doc/rfc8484/

Example pcap included.

A couple of quick notes I found when looking through the RFC:
  1. "HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP for use with DoH."
    I suppose this doesn't mean it can't use HTTP/1.1, just that it's not RECOMMENDED.
  2. "DoH client encodes a single DNS query into an HTTP request using either the HTTP GET or POST method..."
  3. "Reuses the format of DNS once base64 decoded

Ideally all normal "dns" support would work with data that occurs via DoH, datasets, dns keywords, logging, etc.

Files

dns_over_https.pcap (5.07 KB) dns_over_https.pcap Brandon Murphy, 01/03/2023 04:07 PM
Actions
Copy link
 #1

Updated by Victor Julien 4 months ago

  • Target version changed from TBD to 8.0.0-beta1
Actions
Copy link

Also available in: Atom PDF