Feature #5773

open

Support DNS over HTTPS (DoH)

Added by Brandon Murphy over 1 year ago. Updated about 1 month ago.

Status: In Review
Priority: Normal
Target version:
Effort:
Difficulty:
Label: Protocol

Description

This feature request is for Suricata, when presented with (likely decrypted) pcap/traffic that includes DoH traffic, to parse it and include it in the DNS logs.

https://datatracker.ietf.org/doc/rfc8484/

Example pcap included.

A couple of quick notes I found when looking through the RFC:
  1. "HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP for use with DoH."
    I suppose this doesn't mean it can't use HTTP/1.1, just that it's not RECOMMENDED.
  2. "DoH client encodes a single DNS query into an HTTP request using either the HTTP GET or POST method..."
  3. "Reuses the format of DNS once base64 decoded."

Ideally all normal "dns" support would work with data that arrives via DoH: datasets, dns keywords, logging, etc.

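To make the RFC notes above concrete, here is an added example (not code from this issue or from Suricata) that takes the request target of a DoH GET, restores the padding RFC 8484 strips from the base64url "dns" parameter, and parses the DNS header and question into the kind of fields a dns log record would carry. A DoH POST body is the same wire-format message sent directly, so parse_dns_query applies to it unchanged; the request target, query name and field names are constructed for this example.

```python
import base64
import struct
from urllib.parse import urlsplit, parse_qs

# Constructed sample (not taken from the pcaps attached to this issue): the
# request target of a DoH GET as seen after TLS decryption. Per RFC 8484 the
# "dns" parameter is the DNS wire-format query, base64url-encoded, no padding.
DOH_GET_TARGET = "/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB"

def doh_get_to_wire(request_target):
    """Extract and decode the 'dns' parameter of a DoH GET request target."""
    query = parse_qs(urlsplit(request_target).query)
    encoded = query["dns"][0]
    # RFC 8484 forbids '=' padding on the wire; the decoder needs it restored.
    encoded += "=" * (-len(encoded) % 4)
    return base64.urlsafe_b64decode(encoded)

def read_name(msg, offset):
    """Read an uncompressed DNS name (a question name carries no pointers)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_dns_query(msg):
    """Parse the DNS header and first question of a wire-format query."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    tx_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount < 1:
        raise ValueError("query carries no question")
    name, offset = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return {"tx_id": tx_id, "rd": bool(flags & 0x0100), "rrname": name,
            "rrtype": qtype, "rrclass": qclass}

def parse_doh_get(request_target):
    """End to end: DoH GET target -> DNS wire message -> query fields."""
    return parse_dns_query(doh_get_to_wire(request_target))

if __name__ == "__main__":
    print(parse_doh_get(DOH_GET_TARGET))
```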
Files

dns_over_https.pcap (5.07 KB), Brandon Murphy, 01/03/2023 04:07 PM
dns_over_https_POST.pcap (20.6 KB), Brandon Murphy, 03/24/2024 08:50 PM

Related issues: 6 (5 open, 1 closed)

Related to Suricata - Task #6443: Suricon 2023 brainstorm (Assigned, Victor Julien)
Related to Suricata - Feature #6453: Support DNS over TLS (New, OISF Dev)
Related to Suricata - Feature #5674: Support layered protocols (New, OISF Dev)
Related to Suricata - Feature #3952: mDNS protocol implementation (Assigned, Jason Ish)
Blocked by Suricata - Bug #6281: dns: structure of query differs between "alert" and "dns" event types (In Progress, Jason Ish)
Blocked by Suricata - Optimization #3827: clean up logging initialization code (Closed, Philippe Antoine)