For a few days, heated debates have been raging on forums and mailing lists about Mozilla’s announcement that it will enable DoH (DNS over HTTPS[1]) by default in its Firefox browser. Since that announcement, Google has also scheduled a move to this technology in upcoming Chrome releases (this was covered in today’s podcast episode). My goal here is not to start yet another debate. DoH definitely has good points regarding privacy, but the problem is always the way it is implemented. In corporate environments, security teams will certainly try to prevent the use of DoH for logging reasons (DNS logs are a gold mine for incident handling and forensics).

Besides the classic reconfiguration of the browser, Firefox implements a technique to detect whether DoH can be used: it queries a specific domain, “use-application-dns.net”. Firefox sends ‘A’ and ‘AAAA’ requests for this domain (using the DNS servers provided by the OS) and, if ‘NXDOMAIN’ is returned, it won’t use DoH.

This morning, a DNS request to resolve this domain returned the following data on my network:

$ dig use-application-dns.net a

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> use-application-dns.net a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32217
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;use-application-dns.net.      IN      A

;; ANSWER SECTION:
use-application-dns.net. 3600  IN      A       185.199.110.153
use-application-dns.net. 3600  IN      A       185.199.111.153
use-application-dns.net. 3600  IN      A       185.199.108.153
use-application-dns.net. 3600  IN      A       185.199.109.153

;; AUTHORITY SECTION:
use-application-dns.net. 172800 IN     NS      ns-cloud-b2.googledomains.com.
use-application-dns.net. 172800 IN     NS      ns-cloud-b4.googledomains.com.
use-application-dns.net. 172800 IN     NS      ns-cloud-b1.googledomains.com.
use-application-dns.net. 172800 IN     NS      ns-cloud-b3.googledomains.com.

;; ADDITIONAL SECTION:
ns-cloud-b1.googledomains.com. 291436 IN A     216.239.32.107
ns-cloud-b2.googledomains.com. 291436 IN A     216.239.34.107
ns-cloud-b3.googledomains.com. 291436 IN A     216.239.36.107
ns-cloud-b4.googledomains.com. 291436 IN A     216.239.38.107

;; Query time: 1252 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 12 07:26:47 CEST 2019
;; MSG SIZE  rcvd: 301

Now, let’s see how to configure a Bind resolver (a well-known DNS server) to return ‘NXDOMAIN’ whenever a client tries to resolve this domain. The idea is to use RPZ (Response Policy Zones)[2]. I already covered this technique in a previous diary[3]. Here is a simple config for Bind:

Step 1, create a small zone file that will contain the domain we don’t want to resolve:

$TTL 300
@       SOA     localhost. root.localhost (2019091200 2h 30m 30d 1h)
        NS      localhost.
; In an RPZ zone, a CNAME pointing to the root (".") is the trigger that makes
; the resolver answer NXDOMAIN for the listed name.
use-application-dns.net CNAME .

Step 2, define this zone as a master one:

zone "doh.rpz" {
    type master;
    file "/etc/bind/doh.rpz";
};

Step 3, use the RPZ master zone and apply the policy:

response-policy {
    zone "doh.rpz" policy nxdomain;
};

Note: if more domains are used for the same purpose in the future, we just have to add them to the zone.

Reload Bind and let’s test:

$ dig use-application-dns.net a

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> use-application-dns.net a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64852
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 728a8c24b984dab8ba5bd2e25d79e8688e337db42aba470d (good)
;; QUESTION SECTION:
;use-application-dns.net.      IN      A

;; ADDITIONAL SECTION:
doh.rpz.                300     IN      SOA     localhost. root.localhost.doh.rpz. 2019091200 7200 1800 2592000 3600

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 12 06:40:40 UTC 2019
;; MSG SIZE  rcvd: 147

Sounds good! Let’s confirm with a tcpdump:

06:41:52.817392 IP (tos 0x0, ttl 64, id 38080, offset 0, flags [none], proto UDP (17), length 175)
    localhost.domain > localhost.35517: [bad udp cksum 0xfeae -> 0x2dad!] 52578 NXDomain q: A? use-application-dns.net. 0/0/2 ar: doh.rpz. SOA localhost. root.localhost.doh.rpz. 2019091200 7200 1800 2592000 3600, . OPT UDPsize=4096 (147)

Bonus: by checking your resolver logs for queries to this domain, you’ll be able to detect the users running Firefox with DoH enabled on your network.
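As an added example (not part of the diary), here is a small Python script that implements this bonus check over Bind query-log lines: it lists the clients that asked the resolver for use-application-dns.net and flags those whose queries were not rewritten by the RPZ policy. The log lines are constructed for the example and follow the shape of BIND 9.11 query and RPZ logging, which is an assumption; adjust the regexes to your own logging channel.

```python
import re

# Constructed sample in the shape of BIND 9.11 "queries" and "rpz" log lines
# (assumed format). Client .23 queried A and AAAA and both were rewritten;
# client .42 asked for an unrelated name; client .77 queried the domain but
# no RPZ rewrite was logged (e.g. before the policy was loaded).
SAMPLE_LOG = """\
12-Sep-2019 07:26:47.101 client @0x7f2a1c0b3e40 192.168.10.23#53214 (use-application-dns.net): query: use-application-dns.net IN A +E(0)K (192.168.10.1)
12-Sep-2019 07:26:47.102 client @0x7f2a1c0b3e40 192.168.10.23#53214 (use-application-dns.net): rpz QNAME NXDOMAIN rewrite use-application-dns.net/A/IN via use-application-dns.net.doh.rpz
12-Sep-2019 07:26:47.110 client @0x7f2a1c0b3e40 192.168.10.23#53215 (use-application-dns.net): query: use-application-dns.net IN AAAA +E(0)K (192.168.10.1)
12-Sep-2019 07:26:47.111 client @0x7f2a1c0b3e40 192.168.10.23#53215 (use-application-dns.net): rpz QNAME NXDOMAIN rewrite use-application-dns.net/AAAA/IN via use-application-dns.net.doh.rpz
12-Sep-2019 07:27:03.551 client @0x7f2a1c0b4f10 192.168.10.42#40111 (isc.sans.edu): query: isc.sans.edu IN A +E(0)K (192.168.10.1)
12-Sep-2019 07:31:12.009 client @0x7f2a1c0b5a20 192.168.10.77#51933 (use-application-dns.net): query: use-application-dns.net IN A + (192.168.10.1)
"""

CANARY = "use-application-dns.net"

# "client [@0x...] <ip>#<port> (<name>): query: <qname> IN <qtype> ..."
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-f.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
# "client [@0x...] <ip>#<port> (<name>): rpz QNAME <action> rewrite <qname>/<qtype>/IN ..."
RPZ_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-f.:]+)#\d+ \([^)]*\): "
    r"rpz QNAME (?P<action>\S+) rewrite (?P<qname>[^/]+)/(?P<qtype>[^/]+)/IN"
)


def canary_clients(log_text, canary=CANARY):
    """Return {client_ip: {"queries": n, "rewritten": m}} for every client
    that looked up the canary domain; n counts queries, m RPZ rewrites."""
    stats = {}
    for line in log_text.splitlines():
        m, key = QUERY_RE.search(line), "queries"
        if not m:
            m, key = RPZ_RE.search(line), "rewritten"
        if not m or m.group("qname").rstrip(".").lower() != canary:
            continue
        entry = stats.setdefault(m.group("ip"), {"queries": 0, "rewritten": 0})
        entry[key] += 1
    return stats


def unblocked(stats):
    """Clients with canary queries that were not all rewritten, i.e. lookups
    the RPZ policy did not catch and that may have enabled DoH."""
    return sorted(ip for ip, e in stats.items() if e["queries"] > e["rewritten"])


if __name__ == "__main__":
    found = canary_clients(SAMPLE_LOG)
    for ip, e in sorted(found.items()):
        print(f"{ip}: {e['queries']} canary queries, {e['rewritten']} rewritten by RPZ")
    print("policy not applied for:", unblocked(found))
```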

[1] https://en.wikipedia.org/wiki/DNS_over_HTTPS

[2] https://dnsrpz.info/

[3] https://isc.sans.edu/forums/diary/DNS+Firewalling+with+MISP/24556

Xavier Mertens (@xme)

Senior ISC Handler - Freelance Cyber Security Consultant

