## DNS over HTTPS analysis and threat detection
* Overview
* Features
* Implementation
* Public DNS support
* Malware and campaigns abusing DNS over HTTPS
* Detection methods
* Intelligence collection and extraction
### Overview
DNS over HTTPS (abbreviated DoH) is a scheme for performing domain-name resolution securely. Its point is to carry DNS resolution requests over the encrypted HTTPS protocol, so that a user's DNS requests can no longer be eavesdropped on or modified in transit (for example by a man-in-the-middle attack), as they can be with the original DNS protocol, thereby protecting user privacy. Google's Chrome and Mozilla's Firefox already support the protocol as part of their efforts to improve network security. The scheme is backed by the IETF, and its specification is published as RFC 8484.
### Features
1. DNS over HTTPS sends DNS queries as HTTP requests: RFC 8484 defines a GET form and a POST form that both carry the ordinary DNS wire-format message, and some resolvers additionally offer a non-standard JSON API (`?name=...&type=...`). Compared with traditional DNS, the HTTP exchange is protected by the encrypting SSL/TLS layer (the two together are called HTTPS). However, because HTTPS needs several round trips to set up a connection, the first resolution over a new connection takes noticeably longer than plain DNS; subsequent queries reuse the connection, so the per-query overhead is much smaller.
2. The scheme is backed by the IETF and its specification is published as RFC 8484. RFC 8484 carries the existing DNS wire format (the same message bytes a UDP response would contain) as the HTTPS payload, with the media type application/dns-message; in the GET form the query is base64url-encoded in the `dns` parameter, in the POST form it is the raw request body.
3. The traditional DNS protocol took shape in the early days of the Internet, runs directly over UDP or TCP, and was designed without modern security needs in mind: it uses no cryptography for encryption or verification. It therefore cannot resist attacks that are common on today's Internet, such as DNS cache poisoning, or eavesdropping. The later DNSSEC scheme strengthens DNS by verifying digital signatures and can resist tampering such as DNS poisoning, but it offers no protection against eavesdropping by intermediate network devices (an eavesdropper can still learn from the captured traffic which domain a user visited, and a domain usually maps to a specific website). Moreover, DNSSEC only takes effect if the large number of existing DNS resolver operators (typically ISPs or large third-party Internet organizations) make extensive changes to their DNS servers, so its adoption has not progressed well. With DNS over HTTPS, provided the server side is deployed correctly and the client is configured properly, ISPs and other intermediate network devices can neither decrypt (that is, learn the actual content of the request) nor tamper with the encrypted HTTPS traffic, so it can effectively protect the security and privacy of Internet users; at the same time, because it builds on the mature and widely deployed HTTPS protocol, it is convenient for clients to use.
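To make the message format above concrete, here is an added example (not code from this page, from RFC 8484, or from any resolver listed below) that builds a wire-format query, produces both the RFC 8484 GET and POST forms, and parses a response. Nothing is sent over the network: the endpoint URL is only used to show what the GET form looks like, and the response bytes are constructed in the file (a TXT answer for example.com).

```python
"""Added example: building and parsing RFC 8484 DNS-over-HTTPS messages.
Runs offline; SAMPLE_RESPONSE is a constructed byte string."""
import base64
import struct
from typing import Dict, List, Tuple
from urllib.parse import urlencode

QTYPE = {"A": 1, "TXT": 16, "AAAA": 28}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name: str) -> bytes:
    """Hostname -> DNS labels: <len><label>... terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str = "A") -> bytes:
    """Wire-format query. The ID is 0, as RFC 8484 suggests, so identical
    questions produce identical bytes and HTTP caches can serve them."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def doh_get_url(endpoint: str, msg: bytes) -> str:
    """GET form: base64url without '=' padding in the `dns` parameter."""
    dns = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return endpoint + "?" + urlencode({"dns": dns})


def decode_dns_param(param: str) -> bytes:
    """Inverse of the GET encoding: restore padding, then base64url-decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_post(msg: bytes) -> Tuple[Dict[str, str], bytes]:
    """POST form: the raw message is the body, tagged with the DoH media type."""
    headers = {"Accept": "application/dns-message",
               "Content-Type": "application/dns-message",
               "Content-Length": str(len(msg))}
    return headers, msg


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a name at `off`, following 0xC0xx compression pointers.
    Returns (name, offset just past the name as it appeared in place)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> List[Tuple[str, str, object]]:
    """(name, type, rdata) per answer RR: dotted IPv4 for A, list of
    strings for TXT, raw bytes for anything else."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):               # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4                      # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1:
            value = ".".join(str(b) for b in rdata)
        elif rtype == 16:             # TXT rdata: one or more <len><chars>
            value, i = [], 0
            while i < len(rdata):
                n = rdata[i]
                value.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
        else:
            value = rdata
        answers.append((name, QTYPE_NAME.get(rtype, str(rtype)), value))
    return answers


# Constructed response body for `example.com TXT`: flags QR|RD|RA, one
# answer whose owner name is a compression pointer to offset 12 (the
# question name), TTL 300, rdata = <len 11>"v=spf1 -all".
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 16, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, 12) + b"\x0bv=spf1 -all"
)

if __name__ == "__main__":
    q = build_query("example.com", "TXT")
    print(doh_get_url("https://cloudflare-dns.com/dns-query", q))
    print(doh_post(q)[0])
    print(parse_response(SAMPLE_RESPONSE))
```

The same encoding is what a local or network DoH proxy performs on behalf of clients: it takes the UDP message from port 53 unchanged, wraps it in one of the two HTTP forms, and hands the wire-format answer back. `decode_dns_param` is the step an inspecting proxy needs to recover the queried name from a GET request it can see.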
### Implementation
To perform recursive DNS resolution with DNS over HTTPS, the client's resolver must be able to reach the DoH server that hosts the query endpoint. Native operating-system support for DNS over HTTPS has been limited, so users who want it have needed to install additional software. Three usage scenarios are common:
1. Use a DoH implementation inside the application: some browsers have a built-in DoH implementation and can therefore bypass the operating system's DNS functions to perform queries.
2. Install a DoH proxy on a name server in the local network: client systems continue to query the local name server with conventional DNS (port 53, or DNS over TLS on port 853); the name server in turn obtains the answers over DoH from a DoH server on the Internet. This approach is transparent to end users.
3. Install a DoH proxy on the local system: the operating system is configured to query a DoH proxy running locally. Unlike the previous approach, the proxy must be installed on every system that is to use DoH.
### Public DNS support
| Operator | URL | Notes |
|-------------|----------|---------|
| [AdGuard](https://adguard.com/en/adguard-dns/overview.html) | Default: https://dns.adguard.com/dns-query <br> Family protection: https://dns-family.adguard.com/dns-query <br> | Default provides ad blocking at DNS level, while Family protection adds adult site blocking.
| Google | RFC 8484: https://dns.google/dns-query <br> JSON API: https://dns.google/resolve (also https://dns.google.com/resolve) | Full RFC 8484 support on /dns-query; /resolve is Google's JSON API, not the RFC 8484 wire format
| [Cloudflare](https://developers.cloudflare.com/1.1.1.1/) | https://cloudflare-dns.com/dns-query <br> also available via [Tor onion service](https://blog.cloudflare.com/welcome-hidden-resolver)| Supports both -04 and -13 content-types
| [Quad9](https://www.quad9.net/doh-quad9-dns-servers/) | Recommended: https://dns.quad9.net/dns-query <br> Secured: https://dns9.quad9.net/dns-query <br> Unsecured: https://dns10.quad9.net/dns-query <br> Secured w/ECS Support: https://dns11.quad9.net/dns-query| Secured provides: Security blocklist, DNSSEC, no EDNS Client-Subnet <br> Unsecured provides: No security blocklist, no DNSSEC, no EDNS Client-Subnet <br> Recommend is currently identical to secure.
| Cisco Umbrella/OpenDNS | https://doh.opendns.com/dns-query | Experimental, No DNSSEC
| CleanBrowsing | https://doh.cleanbrowsing.org/doh/family-filter/ | anycast DoH server with parental control (restricts access to adult content + enforces safe search)
| Comcast | https://doh.xfinity.com/dns-query/ | Experimental, DNSSEC
| [nextdns.io](https://nextdns.io) | https://dns.nextdns.io/<config_id><br>[Create a config ID](https://my.nextdns.io/start) | The first cloud-based private DNS service that gives you full control over what is allowed and what is blocked on the Internet.
| @chantra | https://dns.dnsoverhttps.net/dns-query | "toy server" which runs [doh-proxy](https://github.com/facebookexperimental/doh-proxy) |
| @jedisct1 | https://doh.crypto.sx/dns-query | a server which runs another project called [doh-proxy](https://github.com/jedisct1/rust-doh), written in Rust.
| PowerDNS | https://doh.powerdns.org | Based on [dnsdist-doh](https://github.com/ahupowerdns/pdns/tree/dnsdist-doh) branch
| blahdns.com | Switzerland: https://doh-ch.blahdns.com/dns-query (IPv6 ONLY) <br> Japan: https://doh-jp.blahdns.com/dns-query <br> Germany: https://doh-de.blahdns.com/dns-query | Based on [Go implementation](https://github.com/m13253/dns-over-https), knot-resolver, Unbound with DNSSEC, No ECS, No logs, Ad blocking
| NekomimiRouter.com | https://dns.dns-over-https.com/dns-query | Runs [Go implementation](https://github.com/m13253/dns-over-https). Does recursion itself with no upstream servers. Toy server may fail, please report if fails |
| SecureDNS.eu | https://doh.securedns.eu/dns-query | No Logging & DNSSEC |
| Rubyfish.cn | https://dns.rubyfish.cn/dns-query | East China Zone, Based on https://github.com/m13253/dns-over-https |
| ContainerPI | Unfiltered by CloudFlare:<br>https://dns.containerpi.com/dns-query <br>Filtered by CleanBrowsing, blocks adult content:<br>https://dns.containerpi.com/doh/family-filter/ <br>Filtered, blocks malicious domains only:<br>https://dns.containerpi.com/doh/secure-filter/ | Based on [m13253/DNS-over-HTTPS](https://github.com/m13253/dns-over-https), no logging, EDNS Client Subnet enabled. Multiple nodes in China Mainland, Japan and Germany. |
| @publicarray [dns.seby.io](https://dns.seby.io) | https://doh-2.seby.io/dns-query https://doh.seby.io:8443/dns-query | Australian server that runs [@m13253's Go implementation](https://github.com/m13253/dns-over-https), Unbound with DNSSEC, No ECS and No logs
| Commons Host | https://commons.host | ~20 PoPs worldwide, Node.js/[playdoh](https://github.com/qoelet/playdoh) over [Knot Resolver](https://www.knot-resolver.cz). |
| [DnsWarden](https://dnswarden.com) | Adblocking DNS: https://doh.dnswarden.com/adblock <br> Uncensored DNS: https://doh.dnswarden.com/uncensored | No query/IP logging with DNSSEC enabled. <br> Blocks ads and trackers in Adblocking DNS.<br> No filtering in Uncensored DNS. |
|[aaflalo.me](https://www.aaflalo.me/2019/01/dns-over-https-server-aaflalo-me/) | Server US: https://dns-nyc.aaflalo.me/dns-query <br> Server EU: https://dns.aaflalo.me/dns-query | Runs on Star Brilliant's [dns-over-https](https://github.com/m13253/dns-over-https) <br> Both servers check for DNSSEC and block advertising|
| [Foundation for Applied Privacy](https://appliedprivacy.net) | https://doh.appliedprivacy.net/query | No query/IP logging, no filtering, QNAME minimization, no EDNS client subnet, TLS 1.3, DNSSEC, RFC7706, RFC8198; https://appliedprivacy.net/services/dns/ |
| [captnemo.in](https://captnemo.in) | https://doh.captnemo.in/dns-query | Runs [dnss](https://blitiri.com.ar/git/r/dnss/) with local unbound resolver running [DNSCrypt](https://captnemo.in/dnscrypt/) with DNSSEC support as the upstream. [Privacy Policy](https://captnemo.in/dns/privacy/). More details at <https://captnemo.in/doh/>. No logging or filtering. Runs in Bangalore, India |
| [Tiarap](https://doh.tiar.app) | https://doh.tiar.app/dns-query <br> https://doh.tiarap.org/dns-query | Based in Singapore, No logging, block Ad/Ad-tracking/Malware, No ECS, DNSSEC |
| [DNS.SB](https://dns.sb/doh/) | https://doh.dns.sb/dns-query | DNSSEC enabled |
| [FAELIX](https://faelix.net/) | https://rdns.faelix.net/ | No logging, based on dnsdist-doh RC querying our powerdns-recursor resolvers, multiple nodes in UK and CH, [more info](https://faelix.net/ref/dns/#resolving-nameservers) |
| [doh.li](https://doh.li)| https://doh.li/dns-query | Runs on [dns-over-https](https://github.com/m13253/dns-over-https), no logging, EDNS Client Subnet enabled, based in DigitalOcean London. DNSSEC and adblock not currently enabled. |
| [armadillodns.net](https://www.armadillodns.net/) | https://doh.armadillodns.net/dns-query | No source IP logging. |
| [NetWeaver](https://www.netweaver.uk/) | https://doh.netweaver.uk/dns-query | UK servers, no logging, DNSSEC enabled |
| [jp.tiar.app](https://jp.tiar.app/) | https://jp.tiar.app/dns-query <br> https://jp.tiarap.org/dns-query| No Censorship, No Logging, No ECS, support DNSSEC in Japan |
|[Association 42l](https://42l.fr) | https://doh.42l.fr/dns-query | DNSSEC, not logging queries' content, uses [doh-proxy](https://github.com/jedisct1/rust-doh) and [edgedns](https://github.com/jedisct1/edgedns) for caching. Queries proxied to the French ISP [FDN](https://www.fdn.fr/actions/dns/)'s open DNS resolver, committed to net neutrality.
|[Andrews & Arnold](https://aa.net.uk/dns) | https://dns.aa.net.uk/dns-query | no logging (see [DNS Disclaimer](https://www.aa.net.uk/legal/dohdot-disclaimer/))
|[@matthewgall - mydns.network](https://twitter.com/matthewgall) | https://adblock.mydns.network/dns-query (adblock, using PiHole) | no logging, DNSSEC enforcing, DDoS protected (using Spectrum by Cloudflare), anycast
| [ibksturm.synology.me](https://ibksturm.synology.me)| https://ibksturm.synology.me/dns-query | doh-server (nginx - dnsproxy - unbound), DNSSEC / Non-Logged / Uncensored, OpenNIC and Root DNS-Zone Copy Hosted in Switzerland by ibksturm, aka Andreas Ziegler. |
| [jcdns.fun](https://jcdns.fun)| https://jcdns.fun/dns-query | secure nginx, Non-Logged / Uncensored, hosted on Digital Ocean VPS by [jamesacampbell](https://github.com/jamesacampbell) AKA James Campbell. |
| [@null31](http://ibuki.cgnat.net)| https://ibuki.cgnat.net/dns-query | Brazilian server that runs [dnsdist](https://dnsdist.org/), [Unbound](https://nlnetlabs.nl/projects/unbound/about/) with DNSSEC doing recursion with no upstream servers, QNAME minimization, TLS 1.3, DoT, uncensored, no logging, no ECS, hosted on Google Cloud VPS by [null31](https://github.com/null31). Toy server, may fail. |
| [TWNIC](https://www.twnic.net.tw/) | https://dns.twnic.tw/dns-query | No source IP logging. Operated by [Quad101](https://101.101.101.101/index_en.html) project, according to this [announcement](https://blog.twnic.net.tw/2018/12/28/1803/) |
### Malware and campaigns abusing DNS over HTTPS
Two malware and campaign analysis reports from 2019 show that attackers are experimenting with DoH to evade domain-name monitoring.
1. The Godlua malware abuses DoH to evade passive DNS monitoring
(report published 2019-07-05)
Link: https://www.zdnet.com/article/first-ever-malware-strain-spotted-abusing-new-doh-dns-over-https-protocol/
2. The PsiXBot malware abuses DoH
(report published 2019-09-10)
Link: https://www.zdnet.com/article/psixbot-malware-upgraded-with-google-dns-over-https-sexploitation-kit/
3. Related malicious sample on the ThreatBook S sandbox platform
https://s.threatbook.cn/report/file/c7eb9342802b5896c1c99507682d46d3f653afddb2b07f3bfc0db85eb0a00e41/?sign=history&env=win7_sp1_enx86_office2013
4. Using DoH (DNS over HTTPS) to request the corresponding DNS TXT record from Cloudflare's DoH server: https://www.anquanke.com/post/id/193116#h2-8
### Detection methods
Because DoH hides the query inside an ordinary HTTPS session, a passive observer can no longer read the queried name; what remains visible is where the traffic goes (the resolver's hostname in a plaintext DNS lookup or TLS SNI, and its IP address) and, if TLS can be terminated, the request itself (the `/dns-query` path, the `dns` parameter, the application/dns-message media type). Based on this, the following methods for detecting DoH use are proposed:
| Detection target | Method | Difficulty | Notes |
| ---- | --- | --- | --- |
| Out-of-band (passive) detection of DoH traffic | Use the collected DoH server hostnames as intelligence to discover DoH traffic: match plaintext DNS lookups, TLS SNI values and destination IPs against the list. | Low | Shows only that a client talks to a known resolver, not what it asks; misses unknown or self-hosted resolvers, and the SNI signal is lost if the client uses Encrypted Client Hello. |
| Detect DoH traffic on the network and analyze the request parameter (the queried domain) | Intercept the DoH traffic and inspect the request. Two ways to intercept: 1. TLS interception with a substituted certificate 2. redirect the DoH service hostname to a locally operated DoH server/IP | Medium | Both need control of the endpoints: clients must trust the interception CA or accept the redirected resolver. A browser that cannot reach its configured DoH server typically falls back to the system resolver, whose traffic is then visible as plain DNS. |
| Detect DoH traffic on the endpoint and analyze the request parameter (the queried domain) | Intercept the DoH traffic on the host and inspect the request, using the same two methods: 1. TLS interception with a substituted certificate 2. redirect the DoH service hostname to a locally operated DoH server/IP | Medium | Needs software on every host, but yields the queried name directly before encryption. |
### Intelligence collection and extraction
1. Collect the domain names of DNS over HTTPS operators as intelligence.
2. Add corresponding behavioral signatures to the sandbox: the input is the collected operator domains or characteristic URL paths (such as /dns-query); the output is the URL and its parameters.
3. Collect related IP intelligence (the addresses the resolver hostnames resolve to), for clients that obtain the resolver address without a visible plaintext lookup.
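The first, passive row of the detection table and items 1 and 2 of the intelligence list come down to the same pipeline: turn the resolver table into indicators, then match them against what the network or a sandbox can see. The following added example (not code from this page or any product) does that over constructed log events. The endpoint list is a subset of the public-resolver table above; the events, the client addresses (documentation ranges) and the internal hostname `doh.internal.test` are made up for the example.

```python
"""Added example: the DoH resolver list as detection intelligence.
Hostnames and endpoint paths are pulled from the public-resolver URLs,
then matched against constructed DNS, TLS and HTTP log records."""
import base64
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import parse_qs, urlparse

# Subset of the endpoints from the table of public DoH resolvers above.
DOH_ENDPOINTS = [
    "https://dns.google/dns-query",
    "https://dns.google/resolve",
    "https://cloudflare-dns.com/dns-query",
    "https://dns.quad9.net/dns-query",
    "https://doh.opendns.com/dns-query",
    "https://dns.nextdns.io/<config_id>",
    "https://doh.cleanbrowsing.org/doh/family-filter/",
]

DOH_MEDIA_TYPES = {"application/dns-message", "application/dns-json"}


def extract_indicators(endpoints: Iterable[str]) -> Tuple[Set[str], Set[str]]:
    """Intelligence step: resolver hostnames plus the URL paths they serve
    DoH on. Placeholder paths such as /<config_id> are not usable as-is."""
    hosts, paths = set(), set()
    for url in endpoints:
        u = urlparse(url)
        hosts.add(u.hostname.lower())
        path = u.path.rstrip("/")
        if path and "<" not in path:
            paths.add(path)
    return hosts, paths


def matches_host(name: str, hosts: Set[str]) -> bool:
    """Exact match or subdomain of a known resolver hostname."""
    name = name.lower().rstrip(".")
    return name in hosts or any(name.endswith("." + h) for h in hosts)


def qname_from_wire(msg: bytes) -> str:
    """Read only the first question name of a wire-format DNS message."""
    labels, off = [], 12
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels)


def detect(events: List[Dict[str, str]], hosts: Set[str],
           paths: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (client, reason, queried-name-or-indicator) alerts.
    dns/ssl records give the passive (out-of-band) detection; http
    records exist only where an inspecting proxy terminates TLS."""
    alerts = []
    for e in events:
        if e["log"] == "dns" and matches_host(e["query"], hosts):
            alerts.append((e["src"], "lookup-of-doh-resolver", e["query"]))
        elif e["log"] == "ssl" and matches_host(e.get("sni", ""), hosts):
            alerts.append((e["src"], "tls-to-doh-resolver", e["sni"]))
        elif e["log"] == "http":
            u = urlparse(e["uri"])
            q = parse_qs(u.query)
            reasons, qname = [], ""
            if matches_host(e["host"], hosts):
                reasons.append("known-resolver")
            if u.path.rstrip("/") in paths:
                reasons.append("doh-path")
            if e.get("content_type", "") in DOH_MEDIA_TYPES:
                reasons.append("doh-media-type")
            if "dns" in q:                 # RFC 8484 GET: base64url wire query
                reasons.append("dns-param")
                p = q["dns"][0]
                qname = qname_from_wire(
                    base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
            elif "name" in q:              # JSON-API style query
                qname = q["name"][0]
            if reasons:
                alerts.append((e["src"], "doh-request:" + ",".join(reasons), qname))
    return alerts


# Constructed events. _WIRE_QUERY is `example.com A` in wire format.
_WIRE_QUERY = (b"\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
               b"\x07example\x03com\x00\x00\x01\x00\x01")
SAMPLE_EVENTS = [
    {"log": "dns", "src": "192.0.2.5", "query": "cloudflare-dns.com"},
    {"log": "ssl", "src": "192.0.2.5", "dst": "198.51.100.1", "sni": "cloudflare-dns.com"},
    {"log": "ssl", "src": "192.0.2.7", "dst": "198.51.100.2", "sni": "www.example.com"},
    {"log": "http", "src": "192.0.2.9", "host": "dns.google", "method": "GET",
     "uri": "/resolve?name=example.com&type=TXT", "content_type": "application/dns-json"},
    {"log": "http", "src": "192.0.2.9", "host": "doh.internal.test", "method": "GET",
     "uri": "/dns-query?dns=" + base64.urlsafe_b64encode(_WIRE_QUERY).rstrip(b"=").decode(),
     "content_type": "application/dns-message"},
]

if __name__ == "__main__":
    h, p = extract_indicators(DOH_ENDPOINTS)
    for alert in detect(SAMPLE_EVENTS, h, p):
        print(alert)
```

The last event shows why the path and media-type signatures matter: the resolver `doh.internal.test` is not on any list, yet the request is still recognized and the queried name recovered from the `dns` parameter. For a sandbox signature the same `detect` logic applies to the URLs the sample requests; for network use the http branch only fires where TLS is terminated, as the detection table notes.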