SANS ISC InfoSec Forums: TikTok app possibly using DNS over HTTPS directly

TikTok app possibly using DNS over HTTPS directly
I manage a number of networks with a heterogeneity of devices, including phones, laptops, IoT gear, consumer gear, etc.

I have security settings in place to audit the DNS traffic by configuring a local, logging DNS server through DHCP and flagging traffic to other DNS servers.

I have a number of traces of different phones accessing Google's DNS servers (8.8.8.8 and 8.8.4.4) over port 443 (not 53 or 853). I am not aware of any reason for accessing Google's DNS servers over 443 other than for DNS over HTTPS. Of course, I can't examine the traffic directly.

Through a gradual process of elimination, looking at the DNS traces and the apps on the phones, the point of commonality is the TikTok app. The accesses to Google DNS over 443 happen very shortly after resolving TikTok domains and hosts.

Has anyone else noticed unexpected DoH traffic, or tried to isolate TikTok app traffic?
jauntysankey (7 Posts)
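One way to turn the approach described in the post into a repeatable check, added here as an example and not code from the original thread: the script flags flows to the public resolvers named above on a port other than 53 or 853 and lists the same client's DNS lookups in the preceding seconds. Both log formats, the sample records, the TikTok domain suffixes and the 10-second window are assumptions.

```python
# Correlate connections to public resolvers on a non-DNS port with the client's
# recent DNS lookups. All inputs below are constructed samples, not real captures.
from collections import defaultdict

PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}   # resolvers named in the post
DNS_PORTS = {53, 853}                        # plain DNS and DoT; anything else is odd

# Constructed sample from the local logging resolver: "<epoch> <client> <qname>"
DNS_LOG = """\
1700000000 10.0.0.21 api.tiktokv.com
1700000001 10.0.0.21 img.tiktokcdn.com
1700000030 10.0.0.22 www.example.org
1700000100 10.0.0.23 ib.tiktokv.com
"""
# Constructed sample flow log: "<epoch> <src> <dst> <dport> <proto>"
FLOW_LOG = """\
1700000002 10.0.0.21 8.8.8.8 443 tcp
1700000031 10.0.0.22 8.8.4.4 53 udp
1700000040 10.0.0.22 203.0.113.10 443 tcp
1700000103 10.0.0.23 8.8.4.4 443 tcp
1700000200 10.0.0.24 8.8.8.8 443 tcp
"""

def parse_dns(text):
    """Return {client: [(ts, qname), ...]} from resolver log lines."""
    out = defaultdict(list)
    for line in text.splitlines():
        ts, client, qname = line.split()
        out[client].append((int(ts), qname.lower()))
    return out

def suspicious_flows(flow_text):
    """Yield (ts, src, dst, dport) for flows to a public resolver on a non-DNS port."""
    for line in flow_text.splitlines():
        ts, src, dst, dport, _proto = line.split()
        if dst in PUBLIC_RESOLVERS and int(dport) not in DNS_PORTS:
            yield int(ts), src, dst, int(dport)

def correlate(dns_text, flow_text, suffixes=("tiktokv.com", "tiktokcdn.com"), window=10):
    """For each suspicious flow, list the same client's lookups matching `suffixes`
    in the preceding `window` seconds; an empty list means no correlation."""
    lookups = parse_dns(dns_text)
    hits = []
    for ts, src, dst, port in suspicious_flows(flow_text):
        recent = [q for qts, q in lookups.get(src, [])
                  if 0 <= ts - qts <= window and q.endswith(suffixes)]
        hits.append({"ts": ts, "client": src, "resolver": dst, "port": port, "preceded_by": recent})
    return hits

if __name__ == "__main__":
    for hit in correlate(DNS_LOG, FLOW_LOG):
        print(hit)
```

The flow on port 53 and the flow to a non-resolver address are ignored; a hit with an empty `preceded_by` list is still worth a look, since it shows resolver traffic on 443 that the local DNS log cannot explain.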