Feature #5773
closedSupport DNS over HTTPS (DoH)
Description
Feature request is for Suricata, when presented with, likely decrypted, pcap/traffic that includes DoH traffic, it'd be parsed and included with DNS logs.
https://datatracker.ietf.org/doc/rfc8484/
Example pcap included.
A couple of quick notes I found when looking through the RFC:- "HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP for use with DoH."
I suppose this doesn't mean it can't use HTTP/1.1, just that it's not RECOMMENDED. - "DoH client encodes a single DNS query into an HTTP request using either the HTTP GET or POST method..."
- "Reuses the format of DNS once base64 decoded
Ideally all normal "dns" support would work with data that occurs via DoH, datasets, dns keywords, logging, etc.
Files
Updated by Victor Julien over 1 year ago
- Target version changed from TBD to 8.0.0-beta1
Updated by Philippe Antoine about 1 year ago
- Related to Task #6443: Suricon 2023 brainstorm added
Updated by Philippe Antoine about 1 year ago
Also DNS over TLS (port 5353 ?) as plain DNS...?
Updated by Philippe Antoine about 1 year ago
DNS over HTTPS seems to be HTTP2 with base64 payload in URL
Updated by Brandon Murphy about 1 year ago
Philippe Antoine wrote in #note-4:
DNS over HTTPS seems to be HTTP2 with base64 payload in URL
the way the RFC is written, HTTP/1 is not RECOMMENDED. it does NOT say it MUST be HTTP/2.
Updated by Philippe Antoine about 1 year ago
- Related to Feature #6453: Support DNS over TLS added
Updated by Philippe Antoine about 1 year ago
- Related to Feature #5674: Support layered protocols added
Updated by Philippe Antoine about 1 year ago
- Assignee changed from OISF Dev to Philippe Antoine
Updated by Philippe Antoine about 1 year ago
Hack could be to :
- hook into HTTP2 parsing : if headers look like DNS request : the HTTP2 state creates and owns a DNS state + we call some new function with arguments the flow and the payload (and the protocol DNS) kind of StreamTcpDetectLogFlush
- We kind of dequeue a pseudo-packet with DNS payload and run the flow worker on it. This begins by switching the DNS state into Flow's alstate and ends by reputing the HTTP2 state
Updated by Victor Julien about 1 year ago
- Related to Feature #3952: mDNS protocol implementation added
Updated by Philippe Antoine about 1 year ago
- Status changed from Assigned to In Progress
Updated by Philippe Antoine about 1 year ago
- Blocked by Bug #6281: dns: structure of query differs between "alert" and "dns" event types added
Updated by Philippe Antoine almost 1 year ago
- Status changed from In Progress to In Review
Updated by Philippe Antoine 11 months ago
- Blocked by Optimization #3827: clean up logging initialization code added
Updated by Brandon Murphy 9 months ago
I apologize for not tracking this issue very closely.
Does this also handle DoH queries are within the request body via a POST? I believe it's a different format when this happens.
https://datatracker.ietf.org/doc/html/rfc8484#section-4.1.1 has examples.
Updated by Philippe Antoine 9 months ago
Thanks Brandon, the current draft PR does not recognize this indeed. Would you have a pcap to share ?
For info, this whole feature is waiting on #6281 to have get past the draft PR...
Updated by Brandon Murphy 9 months ago
- File dns_over_https_POST.pcap dns_over_https_POST.pcap added
Attached is a pcap from a post on netresec. It contains a single TCP session with multiple DoH via POST over HTTP/2 that has been decrypted.
Updated by Philippe Antoine 9 months ago
Thank you @Brandon Murphy
The PR https://github.com/OISF/suricata/pull/10733 has a last commit to handle this case, and your pcap is tested in the SV PR https://github.com/OISF/suricata-verify/pull/1734
Updated by Victor Julien 6 months ago
- Blocks Task #7118: tracking: add support for new protocols added
Updated by Victor Julien 6 months ago
- Blocks Story #7119: protocols: protocol additions added
Updated by Philippe Antoine 5 months ago
- Status changed from In Review to Closed