I manage a number of networks with a heterogeneity of devices, including phones, laptops, IoT gear, consumer gear, etc.
I have security settings in place to audit the DNS traffic by configuring a local, logging DNS server through DHCP and flagging traffic to other DNS servers.
I have a number of traces of different phones accessing Google's DNS servers (220.127.116.11 and 18.104.22.168) over port 443 (not 53 or 853). I am not aware of any reason for accessing Google's DNS servers over 443 other than for DNS over HTTPS. Of course, I can't examine the traffic directly.
Through a gradual process of elimination by looking at the DNS traces and the apps on the phones, the point of commonality is the TikTok app. The accesses to Google DNS over 443 happen very shortly after resolving TikTok domains and hosts.
Has anyone else noticed unexpected DoH traffic, or tried to isolate TikTok app traffic?
Feb 15th 2020
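The correlation described in the post, written out as an added example (not the poster's own tooling): it flags port-443 connections to the watched resolver addresses and lists what the same client resolved through the local DNS server just before. The log formats, the 10-second window and all sample lines are assumptions constructed for illustration; the two resolver addresses are the ones quoted in the post.

```python
from collections import Counter
from datetime import datetime, timedelta

# Watch list: the two resolver addresses exactly as quoted in the post.
DOH_RESOLVERS = {"220.127.116.11", "18.104.22.168"}
WINDOW = timedelta(seconds=10)  # assumed reading of "very shortly after"

# Constructed sample data, not real captures.
DNS_LOG = """\
2020-02-15T10:00:01 192.168.1.20 www.tiktok.com
2020-02-15T10:00:02 192.168.1.20 time.example.net
2020-02-15T10:05:00 192.168.1.31 mail.example.org
2020-02-15T10:07:30 192.168.1.31 www.tiktok.com
2020-02-15T10:09:00 192.168.1.44 news.example.org
"""  # columns: timestamp, client, queried name
FLOW_LOG = """\
2020-02-15T10:00:04 192.168.1.20 220.127.116.11 443
2020-02-15T10:07:33 192.168.1.31 18.104.22.168 443
2020-02-15T10:09:02 192.168.1.44 220.127.116.11 53
2020-02-15T10:09:05 192.168.1.44 203.0.113.9 443
"""  # columns: timestamp, client, destination IP, destination port

def parse(text):
    """Split each non-empty line and convert the leading ISO timestamp."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, *rest = line.split()
            rows.append((datetime.fromisoformat(ts), *rest))
    return rows

def suspected_doh(dns_text, flow_text, resolvers=DOH_RESOLVERS, window=WINDOW):
    """Return (time, client, resolver, names the client resolved just before)."""
    queries = parse(dns_text)
    events = []
    for ts, client, dst, port in parse(flow_text):
        # Port 53/853 to these hosts is ordinary DNS; only 443 suggests DoH.
        if dst in resolvers and port == "443":
            recent = sorted({name for q_ts, q_client, name in queries
                             if q_client == client and ts - window <= q_ts <= ts})
            events.append((ts, client, dst, recent))
    return events

def common_names(events):
    """Names that precede every suspected DoH connection (the common point)."""
    counts = Counter(name for *_, names in events for name in names)
    return sorted(n for n, c in counts.items() if c == len(events))

if __name__ == "__main__":
    found = suspected_doh(DNS_LOG, FLOW_LOG)
    for ts, client, dst, names in found:
        print(ts.isoformat(), client, "->", dst + ":443 after", ", ".join(names))
    print("common to all events:", common_names(found))
```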