Feature #5773
closed
Support DNS over HTTPS (DoH)
Added by Brandon Murphy almost 2 years ago.
Updated 5 months ago.
Description
Feature request is for Suricata: when presented with (likely decrypted) pcap/traffic that includes DoH traffic, it'd be parsed and included with DNS logs.
https://datatracker.ietf.org/doc/rfc8484/
Example pcap included.
A couple of quick notes I found when looking through the RFC:
- "HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP for use with DoH."
I suppose this doesn't mean it can't use HTTP/1.1, just that it's not RECOMMENDED.
- "DoH client encodes a single DNS query into an HTTP request using either the HTTP GET or POST method..."
- "Reuses the format of DNS once base64 decoded"
Ideally all normal "dns" support would work with data that occurs via DoH, datasets, dns keywords, logging, etc.
- Target version changed from TBD to 8.0.0-beta1
- Related to Task #6443: Suricon 2023 brainstorm added
Also DNS over TLS (port 5353?) as plain DNS...?
DNS over HTTPS seems to be HTTP2 with base64 payload in URL
Philippe Antoine wrote in #note-4:
DNS over HTTPS seems to be HTTP2 with base64 payload in URL
The way the RFC is written, HTTP/1 is not RECOMMENDED. It does NOT say it MUST be HTTP/2.
- Assignee changed from OISF Dev to Philippe Antoine
Hack could be to:
- hook into HTTP2 parsing: if headers look like a DNS request, the HTTP2 state creates and owns a DNS state + we call some new function with arguments the flow and the payload (and the protocol DNS), kind of StreamTcpDetectLogFlush
- We kind of dequeue a pseudo-packet with DNS payload and run the flow worker on it. This begins by switching the DNS state into Flow's alstate and ends by re-putting the HTTP2 state
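As an added illustration (not code from this ticket or from Suricata) of the two steps the RFC notes in the description and the "headers look like DNS request" hook above describe: recover the DNS wire message from a GET `?dns=` base64url parameter or a POST body with Content-Type application/dns-message, then parse it as ordinary DNS so the usual dns keywords and logging could apply. Function names and the sample query are constructed for the example.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

DNS_MEDIA_TYPE = "application/dns-message"  # RFC 8484 media type

def extract_doh_message(method, path, headers, body=b""):
    """Return the DNS wire message carried by a DoH request, or None if it is not DoH."""
    if method == "GET":
        # GET carries the message base64url-encoded, without '=' padding, in ?dns=
        enc = parse_qs(urlsplit(path).query).get("dns", [None])[0]
        if enc is None:
            return None
        try:
            return base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))
        except ValueError:
            return None
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if method == "POST" and ctype.split(";")[0].strip() == DNS_MEDIA_TYPE:
        return body  # POST carries the raw wire-format message as the body
    return None

def parse_dns_question(msg):
    """Parse the DNS header and first question; None if the message is malformed."""
    if len(msg) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        return None
    labels, pos = [], 12
    while pos < len(msg):
        ln, pos = msg[pos], pos + 1
        if ln == 0:
            break
        if ln & 0xC0 or pos + ln > len(msg):  # no compression pointers in the question name
            return None
        labels.append(msg[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    else:
        return None  # ran off the end before the terminating zero label
    if pos + 4 > len(msg):
        return None
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {"id": txid, "is_query": not flags & 0x8000,
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}

# Constructed sample: standard query (id 0xabcd, RD set) for example.com A/IN
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0xABCD, 0x0100, 1, 0, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
SAMPLE_GET_PATH = "/dns-query?dns=" + base64.urlsafe_b64encode(SAMPLE_QUERY).decode().rstrip("=")
```

The same message is accepted from either HTTP method, so a GET and a POST carrying SAMPLE_QUERY both yield the example.com/A question.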
- Status changed from New to Assigned
- Status changed from Assigned to In Progress
- Blocked by Bug #6281: dns: structure of query differs between "alert" and "dns" event types added
- Status changed from In Progress to In Review
Thanks Brandon, the current draft PR does not recognize this indeed. Would you have a pcap to share?
For info, this whole feature is waiting on #6281 to get past the draft PR...
Attached is a pcap from a post on netresec. It contains a single TCP session with multiple DoH via POST over HTTP/2 that has been decrypted.
- Blocks Task #7118: tracking: add support for new protocols added
- Blocks Story #7119: protocols: protocol additions added
- Status changed from In Review to Closed