International Journal of Networking and Computing

DNS over HTTPS (DoH) enhances user privacy by encrypting DNS communications over HTTPS instead of plaintext. When all DNS messages are sent in plaintext, DNS queries can be examined and domain filtering applied if the queried domain name is identified as a phishing site or other such undesirable site.  However, if DNS messages are encrypted over HTTPS, it can create many problems for network administrators. This paper proposes a method for detecting DoH communications from only non-encrypted information on a middlebox between user and resolvers by exploiting the fact that users always send a DNS query before they access a new domain.  The middlebox can also identify the destination of the detected DoH traffic so that network administrators can recommend users to send DNS messages to a local DoH resolver with domain filtering instead of sending them to an open DoH resolver. In experiments to detect DoH communications during real communication from a web browser we achieved detection accuracy rates reaching 100\% under certain parameters when the number of access IP addresses exceeded 350.  To confirm the accuracy and generalizability of our experiments, the proposed method was also  applied to captured HTTPS traffic data involving different web browsers and different DoH resolvers with an almost identical level of detection accuracy.

DoH Detection Method; Non-Encrypted Information; DNS over HTTPS; DNS; HTTPS