DoH no!

As was entirely predictable DNS-over-HTTPS has now been implicated in a spam campaign. Google DoH instance was used to access TXT records to control the spam campaign via a bit of javascript on web pages. This isn’t a weakness in DNS or for that matter in DoH, it’s just using Googles DoH as a side channel. They could have achieved the same thing by accessing a specific web page, but that would be more easily blocked or shut down. There are also mobile application, both IOS and android, that are using DoH by default without giving the user a choice in the matter*. At this point if you use DNS as part of your security posture – either via RPZ, pi-hole or some other mechanism ( and if you aren’t you really should ) then you need to be blocking DoH. At present there are over 70 advertised public DoH servers. this is based on the lists at:

Which represents a reasonable number of side channels the bad guys have to choose from ( though obviously most of them will use Google or Cloudflare ). Until the commercial feeds and firewall providers start listing them as a category you probably want to add them to your DNS RPZ (or equivalent) to break the initial lookup of the DoH server. Obviously there’s nothing to stop applications/scripts using IP address rather than names at which point as ever it’s play whack-a-mole and block the IPs at the firewall if possible ( Google currently make this tricky ).

If you’re feeling lazy I’ve collated the DoH addresses from the above lists into a RPZ feed to provide an NXDomain response. Though obviously you should verify this and not trust me but like I say if you’re feeling lazy then the feed is “doh-no” via ““. I’m using it myself so I’ll make fairly regular updates to it, serial is in normal YYYYMMDD## format.

Update Have added servers from the lists given here
If you know of any that I’m missing please let me know.

* I’m fairly sure that Mozilla claimed that DoH was meant to give users more choice and trust but what do I know.

Bookmark the permalink.

Leave a Reply