da_667@da_667@infosec.exchange
Time for me to reiterate why I think DOH is fucking garbage. This is the cliffnotes version:
-If you read the RFC, never once is privacy listed as a goal for the protocol
-Ostensibly, you get some privacy on the first hop, but from there, you have zero guarantees on literally anything. You have promises from various companies, but that doesn't mean jack shit.
-I'd like you to consider that cloudflare doesn't have a good track record of policing abuse of their platforms, they tacitly support white supremecists and terrorists, they've been known to forward abuse requests containing personal information of those who have submitted them to their abusers, and they have zero financial incentive to stop the flow of traffic. THIS INCLUDES MALWARE, THERE IS SO MUCH FUCKING MALWARE USING CLOUDFLARE. They are a default DoH provider choice in the major browsers that support it.
-Transaction ID is always set to zero for DoH requests to improve caching. This is actually written into the protocol. Y'all know why the transaction ID/DNS ID exists, right? This opens up attack paths for man in the middle attacks. Think QUANTUM and PRISM-type bullshit, where the answer to your DNS query is changed but you'll never know.
-The only goal of the protocol was to move DNS resolution to the browser, so that the browser is cognizant of how domains are being resolved. Its anti-adblocking tech.
-Think about who the major players are behind DoH - It was driven by Cloudflare, Mozilla, and Google. and while I like Firefox, they all have financial incentive to see how domain resolution is occuring and ensure ads are delivered to clients. Y'all are aware of google's Web Integrity web DRM shit, right? How much you wanna bet that if it becomes a standard, there will be websites popping up whereby resolution via DoH is required for viewing the content? I wonder why that would be?
-Flow analysis easily reveals which HTTPS traffic is likely to be DoH traffic. You can't hide connection metadata.
-Several tools have been developed to used DoH as C2, and even file storage, if you're brave enough.
da_667@da_667@infosec.exchange
I would also like to note that all of these points apply to the "privacy minded individual", and not necessarily to "Enterprise Ops/Security".
When I first started talking shit about DoH being bad, I got told that I'm not cypherpunk. Sounds pretty fuckin' cypherpunk, giving corporate entities who have proven they give zero fucks about you even more of your data.
But I digress. From the point of view of systems administration and support, its also a fucking nightmare for enforcing policy, and troubleshooting connectivity problems, because the web browser now believes it has the right to be handling DNS resolutions independent of your operating system settings.
On top of that, you have no idea what domains are being resolved, how they're being resolved, or where to even start to troubleshooting the problem.
From a network security perspective, its pretty much the same can of worms. DoH providers are allowed to have your DNS queries, but you aren't allowed to have that for trying to figure out if any of your hosts are infected, and calling back to a C2 somewhere in the middle of Russia.
DNS logs have always been a troubleshooting tool. The fact is, you're making them opaque, and given them to an external entity. "Its always DNS" is a joke until it isn't and you have to figure out whats wrong. Only the DNS queries are opaque now, making this shit much more difficult than it needs to be.