DoH
DoH is a newer DNS protocol; as the name implies, it is carried over HTTPS, and in fact, the DNS queries and responses are similar in form to an application programming interface (API). This new protocol was supported first in many browsers rather than natively in mainstream operating systems. It is, however, now available on most mainstream operating systems, just not enabled by default.
In order to verify a DoH server remotely, the curl (a pun on "see url") tool can do the job nicely. In the following example, we're querying against Cloudflare's name server:
$ curl -s -H 'accept: application/dns-json' 'https://1.1.1.1/dns-query?name=www.coherentsecurity.com&type=A'
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"www.coherentsecurity.com","type":1}],"Answer":[{"name":"www.coherentsecurity.com","type":5,"TTL":1693,"data":"robvandenbrink.github.io."},{"name":"robvandenbrink.github.io","type":1,"TTL":3493,"data":"185.199.108.153"},{"name":"robvandenbrink.github.io","type":1,"TTL":3493,"data":"185.199.109.153"},{"name":"robvandenbrink.github.io","type":1,"TTL":3493,"data":"185.199.110.153"},{"name":"robvandenbrink.github.io","type":1,"TTL":3493,"data":"185.199.111.153"}]}
Note that the query is simply an https request formed as follows:
https://<the dns server ip>/dns-query?name=<the dns query target>&type=<the dns request type>
The HTTP header in the request is accept: application/dns-json. Notice that this query is using standard HTTPS, so it's listening on port tcp/443, not on the regular udp/53 and tcp/53 DNS ports.
We can make the command output much more readable by piping it through jq. This simple query shows the flags—the DNS question, answer, and authority stanzas—in the output. Note in the following code snippet that the RD flag (which stands for Recursion Desired) is set by the client, and the RA flag (which stands for Recursion Available) is set by the server:
curl -s -H 'accept: application/dns-json' 'https://1.1.1.1/dns-query?name=www.coherentsecurity.com&type=A' | jq
{
  "Status": 0,
  "TC": false,
  "RD": true,
  "RA": true,
  "AD": false,
  "CD": false,
  "Question": [
    {
      "name": "www.coherentsecurity.com",
      "type": 1
    }
  ],
  "Answer": [
    {
      "name": "www.coherentsecurity.com",
      "type": 5,
      "TTL": 1792,
      "data": "robvandenbrink.github.io."
    },
    ....
    {
      "name": "robvandenbrink.github.io",
      "type": 1,
      "TTL": 3592,
      "data": "185.199.111.153"
    }
  ]
}
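As an added example (not the book's own code), the following Python script builds the same JSON-API request that curl sent and then checks a reply the way the jq output above is read by eye: the Status code, the TC and RD/RA flags, and whether the CNAME chain from the queried name actually ends in address records. The SAMPLE reply is constructed to mirror the Cloudflare response shown above; only the query() helper needs network access.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

def build_request(server, name, rrtype="A"):
    """Same request curl sent above: GET /dns-query?name=..&type=.. with the JSON accept header."""
    url = f"https://{server}/dns-query?" + urlencode({"name": name, "type": rrtype})
    return Request(url, headers={"accept": "application/dns-json"})

def check_response(body):
    """Check Status and flags, then follow the CNAME chain from the question name
    to its A/AAAA records. Returns the findings as a dict."""
    resp = json.loads(body)
    question = resp["Question"][0]["name"].rstrip(".").lower()
    problems = []
    if resp["Status"] != 0:                 # 0 = NOERROR; 3 = NXDOMAIN, 2 = SERVFAIL, ...
        problems.append(f"rcode {resp['Status']}")
    if resp["TC"]:                          # truncated reply: the answer set is incomplete
        problems.append("truncated answer")
    if resp["RD"] and not resp["RA"]:       # client asked for recursion, server does not offer it
        problems.append("recursion not available")
    by_owner = {}
    for rr in resp.get("Answer", []):
        by_owner.setdefault(rr["name"].rstrip(".").lower(), []).append(rr)
    target, addresses, seen = question, [], set()
    while target not in seen:               # 'seen' guards against a CNAME loop
        seen.add(target)
        rrs = by_owner.get(target, [])
        addresses += [rr["data"] for rr in rrs if rr["type"] in (1, 28)]  # type 1 = A, 28 = AAAA
        cnames = [rr["data"] for rr in rrs if rr["type"] == 5]            # type 5 = CNAME
        if not cnames:
            break
        target = cnames[0].rstrip(".").lower()
    if not addresses and not problems:
        problems.append(f"answer chain ends at {target} with no address records")
    return {"ok": not problems, "problems": problems, "final_name": target,
            "addresses": addresses, "dnssec_validated": resp["AD"]}

def query(server, name, rrtype="A"):
    """Live version of the curl check above; not run on import."""
    with urlopen(build_request(server, name, rrtype), timeout=5) as r:
        return check_response(r.read().decode())

# Constructed sample shaped like the Cloudflare reply shown above (two of its four A records).
SAMPLE = json.dumps({"Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "www.coherentsecurity.com", "type": 1}],
    "Answer": [{"name": "www.coherentsecurity.com", "type": 5, "TTL": 1693, "data": "robvandenbrink.github.io."},
               {"name": "robvandenbrink.github.io", "type": 1, "TTL": 3493, "data": "185.199.108.153"},
               {"name": "robvandenbrink.github.io", "type": 1, "TTL": 3493, "data": "185.199.109.153"}]})
```

Running check_response(SAMPLE) reports ok with two addresses behind robvandenbrink.github.io; query("1.1.1.1", "www.coherentsecurity.com") performs the same check live.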
Network Mapper (Nmap) can also be used to verify the certificate on a remote DoH server, as illustrated in the following code snippet:
nmap -p443 1.1.1.1 --script ssl-cert.nse
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-25 11:28 Eastern Standard Time
Nmap scan report for one.one.one.one (1.1.1.1)
Host is up (0.029s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-cert: Subject: commonName=cloudflare-dns.com/organizationName=Cloudflare, Inc./stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:cloudflare-dns.com, DNS:*.cloudflare-dns.com, DNS:one.one.one.one, IP Address:1.1.1.1, IP Address:1.0.0.1, IP Address:162.159.36.1, IP Address:162.159.46.1, IP Address:2606:4700:4700:0:0:0:0:1111, IP Address:2606:4700:4700:0:0:0:0:1001, IP Address:2606:4700:4700:0:0:0:0:64, IP Address:2606:4700:4700:0:0:0:0:6400
| Issuer: commonName=DigiCert TLS Hybrid ECC SHA384 2020 CA1/organizationName=DigiCert Inc/countryName=US
| Public Key type: unknown
| Public Key bits: 256
| Signature Algorithm: ecdsa-with-SHA384
| Not valid before: 2021-01-11T00:00:00
| Not valid after:  2022-01-18T23:59:59
| MD5:   fef6 c18c 02d0 1a14 ab75 1275 dd6a bc29
|_SHA-1: f1b3 8143 b992 6454 97cf 452f 8c1a c842 4979 4282

Nmap done: 1 IP address (1 host up) scanned in 7.41 seconds
However, Nmap does not currently come with a script that will verify DoH itself by making an actual DoH query. To fill that gap, you can download such a script here: https://github.com/robvandenbrink/dns-doh.nse.
This script verifies that the port is servicing HTTP requests using the Lua http.shortport operator, then constructs the query string, and then makes the HTTPS request using the correct header. A full write-up of this tool is available here: https://isc.sans.edu/forums/diary/Fun+with+NMAP+NSE+Scripts+and+DOH+DNS+over+HTTPS/27026/.
With DoH thoroughly explored, which other protocols do we have available to validate and encrypt our DNS requests and responses?