Publication Details
DNS over HTTPS Detection Using Standard Flow Telemetry
Hynek Karel, Ing. (FIT CTU)
Ryšavý Ondřej, doc. Ing., Ph.D. (DIFS FIT BUT)
Burgetová Ivana, Ing., Ph.D. (DIFS FIT BUT)
Keywords: DNS over HTTPS, DoH, Machine Learning, Detection, Classification, Network Monitoring, Network Flows
DNS over HTTPS (DoH) is one of the encrypted DNS approaches that aim to improve users' privacy. However, it simultaneously enables users and adversaries to bypass existing security mechanisms that rely heavily on inspecting unencrypted DNS. Compared to other DNS-over-encryption protocols, DoH is designed to blend into regular HTTPS traffic, which makes detecting its use challenging. None of the existing proposals provides a satisfactory solution for reliable DoH detection in a real environment. In particular, relying on specialized flow monitoring software capable of extracting very complex features that cannot be computed on the running sequence, in combination with machine learning methods, produces unacceptable false positive rates. Therefore, in this work we propose a novel DoH detector that combines IP-based, machine learning, and active probing approaches to detect DoH effectively. Contrary to previous proposals, our detector is designed to work with standard flow monitoring data, which makes it deployable into any network infrastructure with flow monitoring appliances such as intelligent switches, firewalls, or routers.
@ARTICLE{FITPUB12910,
  author   = "Kamil Je\v{r}\'{a}bek and Karel Hynek and Ond\v{r}ej Ry\v{s}av\'{y} and Ivana Burgetov\'{a}",
  title    = "DNS over HTTPS Detection Using Standard Flow Telemetry",
  pages    = "50000--50012",
  journal  = "IEEE Access",
  volume   = 2023,
  number   = 11,
  year     = 2023,
  ISSN     = "2169-3536",
  doi      = "10.1109/ACCESS.2023.3275744",
  language = "english",
  url      = "https://www.fit.vut.cz/research/publication/12910"
}