Post4VPS Forum | Free VPS Provider
DNS-over-HTTPS (DoH) can be easily detected and blocked - Printable Version

DNS-over-HTTPS (DoH) can be easily detected and blocked - Mashiro - 12-25-2019

DNS-over-HTTPS (DoH) can be easily detected and blocked
Johannes B. Ullrich


The security researcher Johannes B. Ullrich has researched whether and how DNS-over-HTTPS can be detected and broken or prevented from working WITHOUT attempting to break the actual TLS connection.

He has managed to do so by analyzing the DoH packets. His research shows that it is possible to detect DoH by the size of the payload inside the packets. He has created two forum posts, #1 and #2, at the ISC SANS forums, where he is sharing and discussing his findings.

In order to make it harder to detect DoH and solve this issue, he suggests the use of EDNS padding. For this to work, however, all DoH servers have to be reconfigured to enable and support EDNS padding. In addition, all clients need EDNS padding support, too. Mozilla already has a discussion regarding this subject here.

Another blow to the rollout of DoH. Hopefully a fix will be found and applied soon, if all the pro-DoH candidates really care about DoH as much as they say. Surely someone will be unhappy while another party will be very happy.
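As an added illustration of the EDNS padding mitigation the post mentions (this is example code written for this thread, not from Ullrich's research or from any DoH client), the script below builds a DNS query carrying the EDNS(0) Padding option (RFC 7830) and rounds the message up to the 128-byte query block size recommended in RFC 8467, so that queries for names of very different lengths leave the client at the same size. The name `example.com` and the UDP payload size 1232 are assumed sample values.

```python
import struct

# RFC 7830 defines the EDNS(0) Padding option (code 12); RFC 8467 recommends
# padding queries to a multiple of 128 bytes and responses to a multiple of 468.
EDNS_PADDING_OPTION_CODE = 12
QUERY_BLOCK_SIZE = 128


def encode_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format (length-prefixed labels + root byte)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0,
                block_size: int = QUERY_BLOCK_SIZE, udp_payload: int = 1232) -> bytes:
    """Build a DNS query whose OPT RR carries a Padding option sized so the whole
    message length is a multiple of block_size (the RFC 8467 block strategy)."""
    # Header: id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=1 (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR fixed part: root name(1) + TYPE(2) + UDP size(2) + ext-rcode/flags(4) + RDLEN(2)
    opt_fixed_len = 1 + 2 + 2 + 4 + 2
    unpadded_len = len(header) + len(question) + opt_fixed_len
    # The Padding option itself costs 4 bytes (code + length) before any padding bytes.
    pad_len = (-(unpadded_len + 4)) % block_size
    rdata = struct.pack("!HH", EDNS_PADDING_OPTION_CODE, pad_len) + b"\x00" * pad_len
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, len(rdata)) + rdata
    return header + question + opt


def edns_options(msg: bytes) -> dict:
    """Parse a single-question message like the one above and return
    {option_code: option_length} from its OPT RR (no name compression handled;
    enough to verify what build_query produced)."""
    pos = 12
    while msg[pos] != 0:          # walk the question name labels
        pos += 1 + msg[pos]
    pos += 1 + 4                  # root terminator + qtype/qclass
    pos += 1                      # OPT RR root name
    rtype, _udp, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
    if rtype != 41:
        raise ValueError("expected an OPT RR")
    pos += 10
    end, options = pos + rdlen, {}
    while pos < end:
        code, length = struct.unpack("!HH", msg[pos:pos + 4])
        options[code] = length
        pos += 4 + length
    return options
```

Comparing `len(build_query("example.com"))` with a query for a much longer name shows both arriving at 128 bytes, which is exactly the size signal the post says a passive observer would otherwise use.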