DOI: 10.1145/3589012.3594895
research-article
Open access

Insights into DoH: Traffic Classification for DNS over HTTPS in an Encrypted Network

Published: 31 July 2023

Abstract

In the past few years there has been a growing desire to provide more built-in functionality to protect user communications from eavesdropping. One example is DNS over HTTPS (DoH), which can be used to protect user privacy and confidentiality and to guard against spoofing attacks. Since DoH first became popular in 2018 through its use in browsers, much further study has tested its effectiveness in protection schemes and whether the protocol can be detected on the web. Detecting DoH traffic among normal web traffic is also a major challenge for network admins, who need it in order to filter malicious traffic flows. In this paper, we investigate machine learning classification for detecting DoH traffic and further analyze the key feature characteristics of the protocol's behavior to help researchers build credibility in DoH protocol detection. Our study reveals key features and statistical relationships among DoH test runs on the Alexa-recommended 100 most-used websites using three different DoH servers, showing up to 98% test accuracy in our built classifier.

Cited By

  • (2023) Unveiling DoH tunnel: Toward generating a balanced DoH encrypted traffic dataset and profiling malicious behavior using inherently interpretable machine learning. Peer-to-Peer Networking and Applications 17:1 (507-531). DOI: 10.1007/s12083-023-01597-4. Online publication date: 23-Dec-2023

    Published In

    SNTA '23: Proceedings of the 2023 on Systems and Network Telemetry and Analytics
    July 2023
    32 pages
    ISBN:9798400701658
    DOI:10.1145/3589012
    Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. DNS over HTTPS
    2. encrypted DNS
    3. network protocol
    4. privacy
    5. statistical analysis

    Qualifiers

    • Research-article

    Conference

    HPDC '23

    Acceptance Rates

    Overall Acceptance Rate 22 of 106 submissions, 21%
