Defence against the DoH! Arts

I’m afraid it’s another post about DNS-over-HTTPS, but there’s a lot going on. Whilst the current crop of DoH servers don’t suffer from the same problems as normal open DNS resolvers, they do have issues of their own. Fans of DoH are right when they say that nothing stopped applications from doing their own DNS before and that the bad guys have always tunnelled data over other protocols, but it is also true that DoH has massively lowered the bar for them, both in terms of readily available libraries and in the provision of vast, highly resilient, free tunnelling infrastructure provisioned by reputable companies. However, I don’t want to get back into that again; instead, let’s review the latest happenings in the world of DoH. In the last month we’ve had a DoH-controlled spam campaign, the first malware to leverage DoH, and Mozilla nominated for Internet villain of the year. I think that nomination is unfair, but Mozilla’s response to it causes me concern. Now call me cynical, but the statement from Mozilla that they “have no current plans to enable DoH by default in the UK” says to me that they do have plans to turn DoH on by default elsewhere. Again, I’m not going to go back over the problems I have with this. Instead I want to address the question of what can be done to deal with DoH whilst we wait for security vendors to come up with a decent solution.

Now nothing is going to block DoH entirely; as with any other protocol tunnelling, things will need to be blocked as they’re discovered. You can, however, start by blocking the low-hanging fruit. The steps I’m taking on my home network to make sure that DoH is only used when I want it to be (i.e. never) are as follows:

  1. All DoH providers I’ve identified have been added to my local RPZ feed.
  2. The addresses for those servers have also, where possible, been blocked at the firewall.
  3. DoH has been disabled in the browser’s corporate preferences file (I’ll do other browsers as they add DoH support).
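As an added example (not the author’s own configuration), a small Python script that renders the three steps above as artefacts: a BIND-style RPZ zone that returns NXDOMAIN for each DoH hostname, nftables rules dropping HTTPS to the resolver addresses, and a Firefox policies.json fragment that disables and locks DoH. The hostnames and addresses are constructed placeholders, and the nftables rules assume an existing `inet filter` table with an `output` chain.

```python
import json
from typing import Iterable, List

# Constructed sample values standing in for the DoH endpoints the post says were
# identified; a real deployment substitutes the hostnames and addresses observed.
DOH_HOSTS = ["doh.example-provider.test", "dns.example-resolver.test"]
DOH_ADDRS = ["192.0.2.10", "198.51.100.20"]  # RFC 5737 documentation addresses


def rpz_zone(hosts: Iterable[str], serial: int = 1) -> str:
    """Step 1: render an RPZ zone file. 'CNAME .' is the RPZ action for NXDOMAIN,
    so each DoH hostname (and every name beneath it) fails to resolve locally."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. root.localhost. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for host in hosts:
        host = host.rstrip(".")
        lines.append(f"{host} CNAME .")
        lines.append(f"*.{host} CNAME .")
    return "\n".join(lines) + "\n"


def firewall_rules(addrs: Iterable[str]) -> List[str]:
    """Step 2: nftables statements dropping HTTPS to the listed resolver addresses.
    Only useful where the provider does not share the address with other services
    (the post notes Google's DoH cannot be isolated this way). Assumes the
    'inet filter' table and 'output' chain already exist."""
    return [f"add rule inet filter output ip daddr {a} tcp dport 443 drop" for a in addrs]


def firefox_policy() -> dict:
    """Step 3: Firefox enterprise policy (policies.json) that disables DoH and
    locks the setting so it cannot be flipped back on from the preferences UI."""
    return {"policies": {"DNSOverHTTPS": {"Enabled": False, "Locked": True}}}


if __name__ == "__main__":
    print(rpz_zone(DOH_HOSTS))
    print("\n".join(firewall_rules(DOH_ADDRS)))
    print(json.dumps(firefox_policy(), indent=2))
```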

If you’re not running an RPZ at home and don’t want to run a full-blown local DNS server, I’d strongly suggest you look at Pi-hole or go old school and edit your local hosts file.

Some might argue that blocking things at both RPZ and firewall is overkill, except for the fact that, last time I checked, Google runs their DoH on the same infrastructure as all their other services. So to block Google’s DoH at the firewall you would have to block all of Google, which isn’t entirely practical (though they have said they’ll fix this). Between them, the RPZ and firewall blocks should in theory cover both my browser and any other applications or bits of malware using DoH servers I know about. The final step of locking down my browser is simply because of the statement about “current plans”: I don’t want my settings changed unexpectedly (especially not to something I haven’t already blocked).

The same approaches can be used (probably much more easily) in the enterprise environment, and if you’re in such an environment, do put pressure on your firewall and other suitable vendors to add DoH services/providers as another category of malware.

That should help keep you safe until the commercial security vendors can give us a better solution, so, as the cool kids say, “Expelliarmus!”
