Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: Blocking Firefox DoH with Bind - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Blocking Firefox DoH with Bind

For a few days, huge debates have started on forums and mailing lists regarding the announce of Mozilla to enable DoH (DNS over HTTPS[1]) by default in its Firefox browser. Since this announcement, Google also scheduled a move to this technology with the upcoming Chrome releases (this has been covered in today’s podcast episode). My goal is not here to start a new debate. DoH has definitively good points regarding privacy but the problem is always the way it is implemented. In corporate environments, security teams will for sure try to avoid the use of DoH for logging reasons (DNS logs are a gold mine in incident management and forensics).

Amongst the classic reconfiguration of the browser, Firefox implemented a technique to detect if DoH can or can't be used: by querying a specific domain: “use-application-dns.net”. Firefox will generate ‘A’ and ‘AAAA’ requests to this domain (using the DNS servers provided by the OS) and if ’NXDOMAIN’ is returned, it won’t use DoH.

This morning, a DNS request to resolve this domain returned the following data on my network:

$ dig use-application-dns.net a

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> use-application-dns.net a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32217
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;use-application-dns.net.    IN    A

;; ANSWER SECTION:
use-application-dns.net. 3600    IN    A    185.199.110.153
use-application-dns.net. 3600    IN    A    185.199.111.153
use-application-dns.net. 3600    IN    A    185.199.108.153
use-application-dns.net. 3600    IN    A    185.199.109.153

;; AUTHORITY SECTION:
use-application-dns.net. 172800    IN    NS    ns-cloud-b2.googledomains.com.
use-application-dns.net. 172800    IN    NS    ns-cloud-b4.googledomains.com.
use-application-dns.net. 172800    IN    NS    ns-cloud-b1.googledomains.com.
use-application-dns.net. 172800    IN    NS    ns-cloud-b3.googledomains.com.

;; ADDITIONAL SECTION:
ns-cloud-b1.googledomains.com. 291436 IN A    216.239.32.107
ns-cloud-b2.googledomains.com. 291436 IN A    216.239.34.107
ns-cloud-b3.googledomains.com. 291436 IN A    216.239.36.107
ns-cloud-b4.googledomains.com. 291436 IN A    216.239.38.107

;; Query time: 1252 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 12 07:26:47 CEST 2019
;; MSG SIZE  rcvd: 301

Now, let’s see how to configure a Bind resolver (which is a well-know DNS server) to return ’NXDOMAIN’ when this domain is attempted to be resolved. The idea is to use RPZ (Response Policy Zones)[2]. I already covered this technique in a previous diary[3]. Here is a simple config for Bind:

Step 1, create a small zone file that will contain the domain we don’t want to resolve:

$TTL 300
@               SOA localhost. root.localhost (2019091200 2h 30m 30d 1h)
                NS localhost.

; The following list of IP addresses will timeout.
use-application-dns.net         CNAME   .

Step 2, define this zone as a master one:

zone "doh.rpz" {
    type master;
    file "/etc/bind/doh.rpz";
};

Step 3, use the RPZ master zone and apply the policy:

response-policy {
    zone "doh.rpz" policy nxdomain;
};

Note: If more domains will be used for the same purpose in the future, we just have to add them in the zone.

Reload your bind and let’s test:

$ dig use-application-dns.net a

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> use-application-dns.net a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64852
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 728a8c24b984dab8ba5bd2e25d79e8688e337db42aba470d (good)
;; QUESTION SECTION:
;use-application-dns.net.       IN      A

;; ADDITIONAL SECTION:
doh.rpz.                300     IN      SOA     localhost. root.localhost.doh.rpz. 2019091200 7200 1800 2592000 3600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 12 06:40:40 UTC 2019
;; MSG SIZE  rcvd: 147

Sounds good! Let’s confirm with a tcpdump:

06:41:52.817392 IP (tos 0x0, ttl 64, id 38080, offset 0, flags [none], proto UDP (17), length 175)
    localhost.domain > localhost.35517: [bad udp cksum 0xfeae -> 0x2dad!] 52578 NXDomain q: A? use-application-dns.net. 0/0/2 ar: doh.rpz. SOA localhost. root.localhost.doh.rpz. 2019091200 7200 1800 2592000 3600, . OPT UDPsize=4096 (147)

Bonus: By checking your resolver logs, you’ll be able to detect the users who are using Firefox with DoH enabled on your network.

[1] https://en.wikipedia.org/wiki/DNS_over_HTTPS
[2] https://dnsrpz.info/
[3] https://isc.sans.edu/forums/diary/DNS+Firewalling+with+MISP/24556

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Xme

484 Posts
ISC Handler
This will only "prevent" the automatic detection of the ability to use the feature, not prevent the use of the feature, correct? I have my Firefox *manually* configured with the instructions for Quad9 https://www.quad9.net/doh-quad9-dns-servers/ with the about:config setting "network.trr.bootstrapAddress" set to the necessary IP "9.9.9.9". I presume doing this will completely bypass any attempt at using DNS to attempt to determine what works, and thus will bypass your attempt at blocking it.
Anonymous
I would say "probably" but I can't test right now.
Xme

484 Posts
ISC Handler
The initial issue, ofcourse, is from a security logging standpoint. All of a sudden your browser DNS queries are not going through the filtering and logging which is a gold mind of information. That can be resolved by setting up a DoH proxy to your existing DNS infrastructure and pointing the browsers at it. If supporting a larger network, this is adding more policy work. Two questions, does Chrome have a similar mechanism as you describe for Firefox. And I wonder what the best practice/standards are/will be for discovery on the network. Perhaps using a standard SRV records that one can define in the zone(s) servicing the network that DoH enabled services might initially query to find any internal DoH servers, or will it try the system defined DNS server by default attempting to use port 443? If those two would make implementation and management easier.
jcrix

1 Posts
Will returning 0.0.0.0 (or ::) also work to block DOH?
R

36 Posts
Quoting R:Will returning 0.0.0.0 (or ::) also work to block DOH?

NXDOMAIN must be returned.
Xme

484 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!