DNS over HTTPS
Description
DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks[1] by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. Encryption by itself does not protect privacy; encryption is simply a method to obfuscate the data. As of March 2018, Google and the Mozilla Foundation started testing versions of DNS over HTTPS. – Wikipedia
Ratings
Attacker Value: Very High
Technical Analysis
DNS over HTTPS is good for individual network privacy: it circumvents filters, and nobody can see what you’re browsing passively. If I were in a hotel or on public wifi, it’s definitely what I would expect my browser to use! But it’s bad for aggregate user privacy, as browsers are rolling it out by default with their own DNS providers. Now Cloudflare, Google, or one of a few big resolvers see what you’re browsing actively (since there are few local recursive resolvers). On the other hand, the privacy ship with respect to the big providers has probably sailed anyway.
DoH provides more security guarantees than other DNS security solutions, e.g. DNSSEC ensures authentication and integrity but not confidentiality. But it has similar limitations that prevent it from being usable as a system-wide resolver. Verifying certificates requires accurate time, so you have to fall back to regular DNS when setting time via NTP, for instance. There’s no ‘just encrypt’ option for DNS-over-HTTPS/TLS. So you have to accept that sometimes it’s still going to fail open if other properties can’t be met.
DoH is probably great for not standing out in network traffic: I can look up domains without being noticed, and malware is beginning to use it as well. Since it’s not easily distinguished in network traffic, adversaries can also avoid standing out. WannaCry was initially stopped by blackholing a domain over DNS. Identifying and sinkholing C2 domains now becomes harder. DNS has been a useful exfiltration and C2 technique for a while, since it exploits obscurity. DNS-over-HTTPS is even better, since it adds confidentiality over common infrastructure. There are some reference tools on this topic showing how this is accomplished.
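As an added worked example (not part of the AttackerKB page or of the assessment above), the following Python shows the mechanics the description and the analysis refer to: it encodes an RFC 8484 DoH GET request for a name, parses the wire-format DNS message a DoH resolver returns, and checks the header-level markers (the `application/dns-message` media type and the conventional `/dns-query` path) that a proxy or TLS-inspecting sensor can key on to tell DoH apart from ordinary HTTPS, which is the visibility problem the analysis raises. The resolver hostname, the sample response bytes and the documentation address 192.0.2.10 are constructed placeholders; nothing here talks to the network.

```python
import base64
import struct

# RFC 8484 media type and the well-known path used by most public DoH resolvers.
DOH_CONTENT_TYPE = "application/dns-message"
DOH_PATH = "/dns-query"


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a single-question DNS query in RFC 1035 wire format.
    RFC 8484 recommends a zero transaction ID so HTTP caches can reuse replies."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(resolver_host: str, name: str) -> str:
    """Build an RFC 8484 GET URL: the wire query goes in the 'dns' parameter,
    base64url-encoded with the trailing '=' padding removed."""
    dns_param = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=").decode("ascii")
    return f"https://{resolver_host}{DOH_PATH}?dns={dns_param}"


def _read_name(msg: bytes, offset: int):
    """Decode a possibly-compressed DNS name; returns (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_dns_response(msg: bytes):
    """Parse the wire-format DNS message carried in a DoH reply body.
    Returns a list of (name, type, ttl, rdata); A records are rendered dotted-quad."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers


def looks_like_doh(path: str, headers: dict) -> bool:
    """Heuristic for an inspecting proxy: DoH is identified by its media type in the
    Content-Type (POST) or Accept (GET) header, or by the conventional /dns-query path."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    return (path.split("?", 1)[0] == DOH_PATH
            or DOH_CONTENT_TYPE in lowered.get("content-type", "")
            or DOH_CONTENT_TYPE in lowered.get("accept", ""))


# Constructed DoH reply body: flags 0x8180 (response, RD, RA), one question,
# one A answer for example.test -> 192.0.2.10 (TEST-NET-1) with a 300 s TTL.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(doh_get_url("doh.resolver.example", "example.test"))  # placeholder resolver
    print(parse_dns_response(SAMPLE_RESPONSE))
    print(looks_like_doh("/dns-query?dns=AAAB", {}))
```

The GET form is what browsers default to, so the `dns=` query parameter and the `Accept: application/dns-message` header are the cheapest markers for a TLS-inspecting proxy; without decryption, the only remaining signals are the destination (a known DoH resolver endpoint) and traffic shape, which is exactly why the analysis calls sinkholing harder once DoH is in play.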