Kevin Beaumont

Blocking DNS-over-HTTPS


To explain this one, DNS-over-HTTPS is a new-ish standard which allows DNS requests to traverse the internet encrypted, which is great for privacy as it means network owners cannot intercept, change or log the traffic.

It can be less good for some traditional security controls, as it breaks them. For example, it means PCs and servers can make DNS requests without any inspection - DNS requests can carry malware C2 requests, TCP over DNS (backdoor tunnels) etc.

So until those tools catch up, some organisations may need to block DoH until there is greater insight into how to deal with this.


IPs and hostnames to block for DNS-over-HTTPS. Port 443. Incomplete!

Name:    mozilla.cloudflare-dns.com
Addresses:  2606:4700::6810:f9f9
          2606:4700::6810:f8f9
          104.16.248.249
          104.16.249.249

Cloudflare:

 1.1.1.1 and 1.0.0.1 


Need moar!

Edited by Kevin Beaumont
Updated topic to make it clearer


I can follow the reasoning of not wanting DNS lookups that can't be traced, but I'm struggling with the other reasons, as for those there is no difference to allowing/disallowing other direct TLS traffic. Also anyone (for sufficiently tech savvy values of) can run a DoH resolver, so the aim of the list should be to document well known and generally available DoH nodes.


At our org we use OpenDNS for all DNS lookups and this protocol circumvents this along with other controls, so we're looking into disabling it. Right now, after a search yesterday, we are trying to figure out what is currently using it on our network, because we're seeing traffic from proxy to the Mozilla Cloudflare IP addresses listed above. 


For any you find providing DoH you may also want to block port 853 to prevent DoT (Cloudflare addresses are a definite for this).


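As an added example (not code from the thread or from any of the posters), this is the kind of check Mike James describes above, run over proxy logs: it flags connections on 443 to the DoH resolver hostnames and addresses listed at the top of the thread, and any connection on 853 as DoT, per John Kelly's suggestion. The log layout, the source addresses and the sample lines are all constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

# Resolver endpoints taken from the thread's list (incomplete, as the thread says).
DOH_HOSTNAMES = {"mozilla.cloudflare-dns.com"}
DOH_IPS = {ipaddress.ip_address(a) for a in (
    "2606:4700::6810:f9f9", "2606:4700::6810:f8f9",
    "104.16.248.249", "104.16.249.249", "1.1.1.1", "1.0.0.1")}
DOH_PORT = 443  # DoH rides on ordinary HTTPS, so the destination must be matched
DOT_PORT = 853  # DoT has a dedicated port; the thread suggests blocking it outright

def classify(dst: str, port: int) -> Optional[str]:
    """Return 'DoH', 'DoT' or None for one destination/port pair.
    dst may be a hostname or a bare IPv4/IPv6 address (IPv6 may be bracketed)."""
    try:
        ip = ipaddress.ip_address(dst.strip("[]"))
    except ValueError:
        ip = None  # not an address, so treat it as a hostname
    if port == DOT_PORT:
        return "DoT"
    if port == DOH_PORT:
        if ip is not None and ip in DOH_IPS:
            return "DoH"
        if ip is None and dst.lower().rstrip(".") in DOH_HOSTNAMES:
            return "DoH"
    return None

def find_encrypted_dns(log_text: str) -> List[Tuple[str, str, int, str]]:
    """Scan 'src dst port verb' proxy log lines (a constructed layout, not any
    real proxy's format) and return (src, dst, port, label) for each hit."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[2].isdigit():
            continue  # blank or malformed line
        label = classify(parts[1], int(parts[2]))
        if label:
            hits.append((parts[0], parts[1], int(parts[2]), label))
    return hits

# Constructed sample log lines; not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 mozilla.cloudflare-dns.com 443 CONNECT
10.0.0.7 example.com 443 CONNECT
10.0.0.9 104.16.249.249 443 CONNECT
10.0.0.11 1.1.1.1 853 CONNECT
10.0.0.12 1.1.1.1 53 UDP
10.0.0.13 [2606:4700::6810:f8f9] 443 CONNECT
"""
```

Plain port-53 lookups to 1.1.1.1 are deliberately not flagged, since those are visible to the existing DNS controls; only the encrypted variants are reported.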
3 minutes ago, John Kelly said:

For any you find providing DoH you may also want to block port 853 to prevent DoT (Cloudflare addresses are a definite for this).


Will add this to the list, thanks

1 hour ago, Mike James said:

At our org we use OpenDNS for all DNS lookups and this protocol circumvents this along with other controls, so we're looking into disabling it. Right now, after a search yesterday, we are trying to figure out what is currently using it on our network, because we're seeing traffic from proxy to the Mozilla Cloudflare IP addresses listed above. 

This is most likely gonna be Firefox, for info. 

1 minute ago, Kevin Beaumont said:

This is most likely gonna be Firefox, for info. 

Yep, think it's ver 63 that "enabled" it by default. 


For added fun Chrome have announced their intention to enable DoH by default in a future version, too. 

18 hours ago, Kevin Beaumont said:

For added fun Chrome have announced their intention to enable DoH by default in a future version, too. 

Well, we plan on blocking it at the "app" level in the firewall, but will probably block related ports as well.

Still investigating on our end, but will update as I learn more...

6 hours ago, Mike James said:

Well, we plan on blocking it at the "app" level in the firewall, but will probably block related ports as well.

Still investigating on our end, but will update as I learn more...

Have you got "category" filtering capability on your firewalls? Some solutions are now including this sort of thing in the Proxy Avoidance/Anonymiser categories (with varying levels of success).


If it's Palo Alto, assuming you have SSL decryption set up (set it up) you can just block the application dns-over-https - Palo Alto use application classification where they look at the traffic and decide what it is, and they have definitions for the RFC standard for this.

Also keep your Palo Alto upgraded 😅


Yep, we have PA's and we might block there. Traffic is coming from a proxy though, so still trying to understand what is sending it.

1 hour ago, Mike James said:

Yep, we have PA's and we might block there. Traffic is coming from a proxy though, so still trying to understand what is sending it.

Cut it off and see who screams 😂


Eventually you need to run a scream test anyway. Go for it. Tell them we said you could!

😎

15 hours ago, james mckinlay said:

add this to your redteam arsenal - https://github.com/SpiderLabs/DoHC2

haha, this has done what I've been working on in my spare time - I have been working on a TCP-over-DoH tunnel, which does TCP tunnels within DNS-over-HTTPS, so basically you get an encrypted tunnel through Google's servers.  Mine was shite though, I'll have to try this.
