
Large Scale Analysis of DoH Deployment on the Internet

Conference paper

Computer Security – ESORICS 2022 (ESORICS 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13556)

Abstract

DNS over HTTPS (DoH) is one of the standards to protect the security and privacy of users. The choice of DoH provider has controversial consequences, from monopolisation of surveillance to lost visibility by network administrators and security providers. More importantly, it is a novel security business. Software products and organisations depend on users choosing well-known and trusted DoH resolvers. However, there is no comprehensive study on the number of DoH resolvers on the Internet, its growth, and the trustworthiness of the organisations behind them. This paper studies the deployment of DoH resolvers by (i) scanning the whole Internet for DoH resolvers in 2021 and 2022; (ii) creating lists of well-known DoH resolvers by the community; (iii) characterising what those resolvers are, (iv) comparing the growth and differences. Results show that (i) the number of DoH resolvers increased 4.8 times in the period 2021–2022, (ii) the number of organisations providing DoH services has doubled, and (iii) the number of DoH resolvers in 2022 is 28 times larger than the number of well-known DoH resolvers by the community. Moreover, 94% of the public DoH resolvers on the Internet are unknown to the community, 77% use certificates from free services, and 57% belong to unknown organisations or personal servers. We conclude that the number of DoH resolvers is growing at a fast rate; also that at least 30% of them are not completely trustworthy and users should be very careful when choosing a DoH resolver.


Notes

  1. Masscan command example: masscan -p 443 --range 20.0.0.0-29.0.0.0 --rate 2000 --retries 3.

  2. DNS query endpoint example: https://1.1.1.1/dns-query?name=example.com.
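The two notes above give the shapes the study relied on: a raw port sweep and a GET to a /dns-query endpoint. The Python below is an added example, not the paper's code nor its published research scripts; it shows the client-side checks one would run against a single resolver before trusting it: building the RFC 8484 GET form of a query, classifying a JSON-format reply (RFC 8427 style fields, as served by the 1.1.1.1 endpoint quoted in the note), and reading the issuer of the resolver's TLS certificate, since the paper's trust findings turn on who issued that certificate. All function names, the sample JSON body and the 192.0.2.1 address are this example's own constructions; only the standard library is used.

```python
"""Client-side checks of a single DoH resolver (added example, not the paper's code).

Request shapes follow RFC 8484 (GET ?dns= carrying the base64url wire-format
query) and the JSON form used by the /dns-query?name= endpoint quoted in the
paper's notes. Names such as classify_doh_json are this example's own; the
sample response below is constructed, not captured from any resolver.
"""
import base64
import json
import socket
import ssl
import struct
import urllib.parse
import urllib.request

QTYPE_A = 1


def build_dns_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """RFC 1035 wire-format query: 12-byte header plus one IN-class question.
    RFC 8484 recommends ID 0 in DoH so that identical queries are cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_param(query: bytes) -> str:
    """RFC 8484 GET encoding: base64url with the '=' padding removed."""
    return base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def doh_wire_url(host: str, name: str, path: str = "/dns-query") -> str:
    """URL for the wire-format GET (Accept: application/dns-message)."""
    return f"https://{host}{path}?dns={doh_get_param(build_dns_query(name))}"


def doh_json_url(host: str, name: str, path: str = "/dns-query") -> str:
    """URL for the JSON form used in the paper's second note."""
    return f"https://{host}{path}?{urllib.parse.urlencode({'name': name})}"


# Constructed sample of a JSON-format answer; 192.0.2.1 is a documentation
# address, not a real record.
SAMPLE_JSON_RESPONSE = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "example.com.", "type": 1}],
    "Answer": [{"name": "example.com.", "type": 1, "TTL": 300, "data": "192.0.2.1"}],
}).encode()


def classify_doh_json(body: bytes) -> dict:
    """Decide whether an HTTP body is a DoH JSON answer rather than, say, a web
    page served on the same port. Returns is_doh, the RCODE carried in
    'Status', and the answer RDATA strings."""
    try:
        doc = json.loads(body)
    except ValueError:          # includes JSONDecodeError and bad encodings
        doc = None
    if not isinstance(doc, dict) or "Status" not in doc or "Question" not in doc:
        return {"is_doh": False, "status": None, "answers": []}
    answers = [rr.get("data") for rr in doc.get("Answer", []) if isinstance(rr, dict)]
    return {"is_doh": True, "status": doc["Status"], "answers": answers}


def probe_json_endpoint(host: str, name: str = "example.com", timeout: float = 5.0) -> dict:
    """Network check of one resolver. Certificate verification is left at the
    default (on): a resolver whose certificate does not validate is exactly
    the kind of endpoint the paper's trust findings warn about."""
    req = urllib.request.Request(doh_json_url(host, name),
                                 headers={"Accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_doh_json(resp.read())


def certificate_issuer(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Issuer DN of the resolver's TLS certificate as {attribute: value}, e.g.
    to tell a free-service certificate from an organisation-validated one."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return {attr: value for rdn in cert["issuer"] for attr, value in rdn}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "1.1.1.1"
    print(doh_wire_url(target, "www.example.com"))
    print(probe_json_endpoint(target))
    print(certificate_issuer(target))
```

The offline parts (query construction, the GET encoding and the JSON classifier) are what distinguish a DoH answer from any other HTTPS service on port 443; the two network functions only run when the script is invoked with a resolver address. For www.example.com the GET parameter produced here equals the worked example in RFC 8484, which is a handy self-check for the encoder.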

References

  1. AdGuard Software Limited: AdGuard known DNS providers. https://kb.adguard.com/en/general/dns-providers. Accessed 25 May 2021

  2. AhaDNS: DNS over HTTPS (DoH). https://ahadns.com/dns-over-https/

  3. Baheux, K.: A safer and more private browsing experience with secure DNS (2020). https://blog.chromium.org/2020/05/a-safer-and-more-private-browsing-DoH.html. Accessed 17 Jan 2021

  4. Borgolte, K., et al.: How DNS over HTTPS is reshaping privacy, performance, and policy in the Internet ecosystem. In: Proceedings of TPRC47: The 47th Research Conference on Communication, Information and Internet Policy 2019. Elsevier BV (2019). https://doi.org/10.2139/ssrn.3427563

  5. Callejo, P., Cuevas, R., Vallina-Rodriguez, N., Cuevas Rumin, A.: Measuring the global recursive DNS infrastructure: a view from the edge. IEEE Access 7, 168020–168028 (2019). https://doi.org/10.1109/ACCESS.2019.2950325

  6. Chandel, S., Jingji, Z., Yunnan, Y., Jingyao, S., Zhipeng, Z.: The golden shield project of China: a decade later, an in-depth study of the great firewall. In: 2019 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), pp. 111–119 (2019). https://doi.org/10.1109/CyberC.2019.00027

  7. Cloudflare Inc.: DNS over HTTPS – using JSON. https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/make-api-requests/dns-json/

  8. Deccio, C., Davis, J.: DNS privacy in practice and preparation. In: Proceedings of the 15th International Conference on Emerging Networking Experiments And Technologies, pp. 138–143. CoNEXT 2019, Association for Computing Machinery (2019). https://doi.org/10.1145/3359989.3365435

  9. DNSFilter: DNSFilter AI-powered DNS security. https://www.dnsfilter.com/. Accessed 15 May 2022

  10. Doan, T.V., Tsareva, I., Bajpai, V.: Measuring DNS over TLS from the edge: adoption, reliability, and response times. In: Hohlfeld, O., Lutu, A., Levin, D. (eds.) Passive and Active Measurement, pp. 192–209. Springer International Publishing, Cham (2021)

  11. Gont, F.: Introduction to DNS Privacy (2019). https://www.internetsociety.org/resources/deploy360/dns-privacy/intro/

  12. García, S., Čejka, T., Valeros, V.: Dataset of DNS over HTTPS (DoH) Internet Servers (2021). https://doi.org/10.17632/ny4m53g6bw.2

  13. Graham, R.: Masscan: the entire Internet in 3 minutes (2013). https://blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html

  14. Grothoff, C., Wachs, M., Ermert, M., Appelbaum, J.: Toward secure name resolution on the Internet. Comput. Secur. 77, 694–708 (2018). https://doi.org/10.1016/j.cose.2018.01.018

  15. Guha, S., Francis, P.: Identity trail: covert surveillance using DNS. In: Borisov, N., Golle, P. (eds.) PET 2007. LNCS, vol. 4776, pp. 153–166. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75551-7_10

  16. Herrmann, D., Banse, C., Federrath, H.: Behavior-based tracking: exploiting characteristic patterns in DNS traffic. Comput. Secur. 39, 17–33 (2013). https://doi.org/10.1016/j.cose.2013.03.012

  17. Hoffman, P.E.: Representing DNS Messages in JSON. RFC 8427 (2018). https://doi.org/10.17487/RFC8427. Accessed 25 May 2021

  18. Hoffman, P.E., McManus, P.: DNS Queries over HTTPS (DoH). RFC 8484 (Oct 2018). https://doi.org/10.17487/RFC8484

  19. curl: DNS over HTTPS. https://github.com/curl/curl/wiki/DNS-over-HTTPS. Accessed 25 May 2021

  20. Hynek, K., Cejka, T.: Privacy illusion: beware of unpadded DoH. In: 2020 11th IEEE Annual Information Technology, Electronics and Mobile Communication Conference (IEMCON), pp. 621–628 (2020). https://doi.org/10.1109/IEMCON51383.2020.9284864

  21. Hynek, K., García, S., Bogado, J., Cejka, T., Vekshin, D., Wasicek, A.: Dataset of DNS over HTTPS (DoH) Internet servers (2022). https://doi.org/10.5281/zenodo.6517360

  22. Hynek, K., Vekshin, D., Luxemburk, J., Cejka, T., Wasicek, A.: Summary of DNS over HTTPS abuse. IEEE Access 10, 54668–54680 (2022). https://doi.org/10.1109/ACCESS.2022.3175497

  23. Jamieson, S.: The ethics and legality of port scanning. Tech. rep., SANS Institute (2001). https://www.sans.org/white-papers/71/

  24. Jerabek, K., Rysavy, O., Burgetova, I.: Measurement and characterization of DNS over HTTPS traffic (2022). https://doi.org/10.48550/ARXIV.2204.03975

  25. Klein, A., Pinkas, B.: DNS cache-based user tracking. In: Proceedings 2019 Network and Distributed System Security Symposium. Internet Society (2019). https://doi.org/10.14722/ndss.2019.23186

  26. Lioy, A., Maino, F., Marian, M., Mazzocchi, D.: DNS security. In: Proceedings of the TERENA Networking Conference, pp. 22–25 (2000)

  27. Lu, C., et al.: An end-to-end, large-scale measurement of DNS-over-encryption: how far have we come? In: Proceedings of the Internet Measurement Conference, pp. 22–35. IMC 2019, Association for Computing Machinery, New York, NY, USA (2019). https://doi.org/10.1145/3355369.3355580

  28. Lyon, G.F.: Nmap network scanning: the official Nmap project guide to network discovery and security scanning. Insecure.Com LLC (US) (2008)

  29. Mockapetris, P.: Domain names - implementation and specification. RFC 1035 (1987). https://doi.org/10.17487/RFC1035. Accessed 25 May 2021

  30. MontazeriShatoori, M., Davidson, L., Kaur, G., Habibi Lashkari, A.: Detection of DoH tunnels using time-series classification of encrypted traffic. In: 2020 IEEE Intl Conference DASC/PiCom/CBDCom/CyberSciTech, pp. 63–70 (2020). https://doi.org/10.1109/DASC-PICom-CBDCom-CyberSciTech49142.2020.00026

  31. NetSTAR Inc.: NetSTAR URL/IP lookup. https://incompass-branch.netstar-inc.com/urlsearch. Accessed 15 May 2022

  32. Quad9 Foundation: DoH with Quad9 DNS servers. https://www.quad9.net/news/blog/doh-with-quad9-dns-servers/

  33. Rescorla, E., Oku, K., Sullivan, N., Wood, C.A.: TLS Encrypted Client Hello. Internet-Draft draft-ietf-tls-esni-13, Internet Engineering Task Force (2021). https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-13

  34. Sebastian, G., Hynek, K., Vekshin, D., Cejka, T., Wasicek, A.: DoH research scripts for the CVUT/CESNET/Avast DoH project (2022). https://github.com/stratosphereips/DoH-Research. Accessed 25 Jan 2022

  35. Siby, S., Juarez, M., Diaz, C., Vallina-Rodriguez, N., Troncoso, C.: Encrypted DNS privacy? A traffic analysis perspective. In: Proceedings 2020 Network and Distributed System Security Symposium. Internet Society, Reston, VA (2020). https://doi.org/10.14722/ndss.2020.24301

  36. Sophos Ltd: DNS over HTTPS (DoH) for web security. https://support.sophos.com/support/s/article/KB-000039056?language=en_US

  37. Sophos Ltd: DNS over HTTPS (DoH) for web security. https://support.sophos.com/support/s/article/KB-000039056?language=en_US. Accessed 15 May 2022

  38. The SciPy community: SciPy two-sample t-test (2022). https://docs.scipy.org/doc/scipy/reference/generated/scipy.stats.ttest_ind.html. Accessed 15 May 2022

  39. Vekshin, D., Hynek, K., Cejka, T.: DoH Insight: detecting DNS over HTTPS by machine learning. In: Proceedings of the 15th International Conference on Availability, Reliability and Security. ARES 2020, ACM, New York, NY, USA (2020). https://doi.org/10.1145/3407023.3409192


Acknowledgment

This work was partially supported by Avast Software, the Ministry of Interior of the Czech Republic—project No. VJ02010024: “Flow-Based Encrypted Traffic Analysis,” and also by the Grant Agency of the CTU in Prague—grant No. SGS20/210/OHK3/3T/18 funded by the MEYS of the Czech Republic.

Corresponding author

Correspondence to Joaquín Bogado.

8 Appendix

8.1 Ethical Considerations

Part of our research involved technical actions that require an ethical explanation and support.

Horizontal Port Scanning. Horizontal port scanning of the Internet has many implications. Although it is generally considered an ethical practice [23], we analyse the implications of our actions. First, our horizontal port scan sent 3 packets per port to each IP address, with a rate limit. This number of packets is not enough to consume the bandwidth of any device, nor to force errors in the services, especially since our scan did not complete the TCP handshake. Therefore, the technical risk of errors or problems in devices due to our scan is negligible. Higher scanning rates or more frequent scans, e.g. weekly scans, can pose some threat to the availability of some services, and thus we limited the methodology accordingly. Some honeypot devices on the Internet detected our scan and reported the source IP as an attacker; however, since the IP address was not really attacking, the only impact was having the IP in block lists for some days.

The action of verifying the DoH protocol required us to connect to every open port 443/TCP and try to find out whether it spoke DoH or not. This required a TLS handshake followed by the DoH protocol exchange. We measured the technical impact by testing our Nmap script against our own servers, and no server was impacted by our script, taken down, or slowed in any way. We consider the script safe, with very low impact. The script made 6 connections in total to each server.

The action of analysing DoH resolvers implied a more thorough analysis of the responses and of the information found about each server on the Internet. We only performed this action with the few (of the order of thousands) DoH resolvers found, and we continually verified that they were not affected by our DNS requests.

We consider our techniques to have very low impact on the servers scanned, and we have no reason to suspect that our actions affected the servers contacted in any way.
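The paragraphs above describe the scan's footprint from the scanner's side: a few SYN packets per port to many addresses, never completing the handshake, which is also what the honeypots that block-listed the source IP saw. The following Python is an added example, not code from the paper; it shows the defender's view of the same footprint: a detector over constructed flow records that flags a source sending SYN-only, few-packet flows to many distinct destinations on one port, the signature of a horizontal scan. The Flow record layout, the thresholds and the addresses (all from the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 documentation ranges) are this example's assumptions.

```python
"""Horizontal scan detection over flow records (added example, not the paper's code).

A horizontal scan touches one port on many hosts; a SYN scan never completes
the TCP handshake, so each flow shows only SYN from the source and very few
packets. The Flow layout, thresholds and addresses below are this example's
assumptions; all addresses come from documentation ranges.
"""
import collections
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    flags: str    # TCP flags sent by src over the flow: "S" = SYN only, "SPA" = SYN, PSH, ACK
    packets: int  # packets sent by src


# Constructed records: one source sweeps 443/TCP across twelve hosts with three
# SYNs each (retries, handshake never completed), alongside ordinary completed
# sessions and a single stray SYN that is not a sweep.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", f"198.51.100.{i}", 443, "S", 3) for i in range(1, 13)
] + [
    Flow("192.0.2.10", "198.51.100.5", 443, "SPA", 42),
    Flow("192.0.2.10", "198.51.100.6", 443, "SPA", 17),
    Flow("192.0.2.11", "198.51.100.5", 443, "S", 1),
]


def half_open_probe(flow: Flow, max_packets: int = 3) -> bool:
    """A flow carrying only SYN from the source and very few packets is a
    half-open probe, whether from a scanner or from a single failed connect."""
    return flow.flags == "S" and flow.packets <= max_packets


def horizontal_scans(flows: Iterable[Flow], min_targets: int = 10,
                     max_packets: int = 3) -> Dict[Tuple[str, int], int]:
    """Group half-open probes by (source, destination port); a source that
    probes at least min_targets distinct hosts on one port is reported as a
    horizontal scan. Returns {(src, dport): distinct_targets}."""
    targets = collections.defaultdict(set)
    for f in flows:
        if half_open_probe(f, max_packets):
            targets[(f.src, f.dport)].add(f.dst)
    return {key: len(hosts) for key, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    for (src, dport), n in horizontal_scans(SAMPLE_FLOWS).items():
        print(f"horizontal scan: {src} probed {n} hosts on {dport}/tcp")
```

The per-flow cutoff of three packets mirrors the footprint the paper reports (3 packets per port); the distinct-target threshold is what separates a sweep from an ordinary failed connection, and is the knob a honeypot operator tunes before feeding a source into a block list.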

Publishing the List of DoH Resolvers. Publishing the list can significantly impact the citizens of oppressive countries who use DoH to avoid surveillance or to access censored websites from the free world. An oppressive government can misuse two outcomes of our research: 1) the list of DoH resolvers can be used for DoH blocking to enforce DNS surveillance and censorship, and 2) the methodology for creating and updating such a list.

Nevertheless, as shown in our research, the IP addresses of DoH resolvers constantly change, which limits the efficiency of IP-based filtering, as discussed in Sect. 7. Regardless of the described methodology, we argue that the methodology presented in this work is neither novel nor technically complex, and uses freely available tools. An oppressive regime interested in DoH blocking could already have its own DoH scanning and detection infrastructure.

Besides, DoH does not entirely bypass mass censorship or surveillance. For example, domain names transferred in the TLS SNI are still visible and are used by large censorship systems [6]. Therefore, citizens living under an oppressive regime still need other privacy-preserving technologies, such as Virtual Private Networks, to avoid censorship.

Given that, we do not consider that our research would contribute to oppression by authoritarian countries or decrease Internet privacy. Instead, our study provides essential findings about DoH resolvers worldwide and points out security concerns arising from anonymous DoH resolvers.

8.2 Nmap Configuration

Scan2021 used the Nmap insane timing template and a maximum of 1 retry, to minimise scanning time.

[Figure b: Nmap command line used for Scan2021; not reproduced on this page]

Scan2022 used the Nmap normal timing template, to minimise the number of packets lost.

[Figure c: Nmap command line used for Scan2022; not reproduced on this page]

See the Nmap timing templates documentation for detailed timeout information on each mode: https://nmap.org/book/performance-timing-templates.html


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

García, S., Bogado, J., Hynek, K., Vekshin, D., Čejka, T., Wasicek, A. (2022). Large Scale Analysis of DoH Deployment on the Internet. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13556. Springer, Cham. https://doi.org/10.1007/978-3-031-17143-7_8

  • DOI: https://doi.org/10.1007/978-3-031-17143-7_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17142-0

  • Online ISBN: 978-3-031-17143-7