Decoding DNS over HTTP(s) Requests
Last Updated: 2023-01-30 16:51:54 UTC
by Johannes Ullrich (Version: 1)
I have written before about scans for DNS over HTTP(s) (DoH) servers. DoH is now widely supported in different browsers and recursive resolvers. It has been an important piece in the puzzle to evade various censorship regimes, in particular, the "Big Chinese Firewall". Malware has at times used DoH, but often uses its own HTTP(s) based resolvers that do not necessarily comply with the official DoH standard.
Just today, one of our honeypots received the following requests from various IPs:
GET /?dns=DUIBAAABAAAAAAAABWJhaWR1A2NvbQAAAQAB HTTP/1.1
GET /dns-query?dns=DUIBAAABAAAAAAAABWJhaWR1A2NvbQAAAQAB HTTP/1.1
GET /doh?dns=DUIBAAABAAAAAAAABWJhaWR1A2NvbQAAAQAB HTTP/1.1
GET /doh/family-filter?dns=DUIBAAABAAAAAAAABWJhaWR1A2NvbQAAAQAB HTTP/1.1
GET /doh/secure-filter?dns=DUIBAAABAAAAAAAABWJhaWR1A2NvbQAAAQAB HTTP/1.1
GET /query?dns=DUIBAAABAAAAAAAABWJhaWR1A2NvbQAAAQAB HTTP/1.1
GET /resolve?dns=DUIBAAABAAAAAAAABWJhaWR1A2NvbQAAAQAB HTTP/1.1
The different URLs correspond to various common implementations of DoH. The most common default appears to be "/dns-query" (BIND and Unbound). This is also the endpoint used by the RFC. Some DNS servers (for example, Power DNS) use "/" as the default.
The payload is a Base64 encoded DNS message:
00000000: 0d42 0100 0001 0000 0000 0000 0562 6169 .B...........bai
00000010: 6475 0363 6f6d 0000 0100 01 du.com.....
0d42 - Query ID
0100 - Recursion desired flag set
0001 - One Query
0000 - No Answers
0000 - No Authority Records
0000 - No Additional Records
0562 6169 6475 0363 6f6d 00 baidu.com
0001 - Internet Zone
0001 - A Records
So in short: An "A" records query for baidu.com. If you see any requests like this in your logs: Don't worry about it too much. I wouldn't consider it some simple recognizance. They are unlikely to "attack" your server even if you have a DNS over HTTPS resolver running. However, they may use it to anonymize their requests which may also trigger some alerts if they are attempting to look up suspect hostnames. This traffic may also lead to resource issues if you have a smaller server.
I did earlier today add DoH responses to some of my honeypots, so we will see if anything changes.
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Jan 31st 2023
1 month ago