Is it possible to block DoH and DoT, using SURICATA



  • I've been reading some articles about DoH being abused to transfer malware and telemetry data collected by Netflix and Samsung.

    Can Suricata be used to simply block all DoH and DoT traffic?

    Currently, I use pfBlockerNG to achieve DNS and IP blocking, using this list, but it doesn't look like the list is well maintained and it is probably incomplete. It would be much easier to have Suricata evaluate the traffic and simply block it, regardless of the IP.



  • I did a quick Google search and found no rules purporting to detect this. I'm doubtful any can be written because the whole purpose of the DoH and DoT schemes is to hide the DNS traffic via encryption. Once data is encrypted, you can't tell a DNS lookup from an emoji GIF when examining the data packets.

    In my searching I did find a December 2017 blog post by a security researcher, and he is predicting the end of usability for DPI (deep packet inspection) due to the increasing rise of encryption. I suspect he is correct.



  • DoT can be blocked on port 853 with a firewall rule. DoH exists to prevent just that.

    Edited to add: If you can show the activity you "heard" is happening, stop using those devices/services. I don't intend to be a smart a** by saying this, just that if you are sure some company is doing that, why would you keep using the service? I would never connect a smart TV to my network. Never. As to malware using DoH to do DNS to find CC servers, I'm not surprised. The ZDNet article is more click-bait than news.


  • LAYER 8 Global Moderator

    If the DNS traffic is truly in a normal HTTPS connection, how would you detect that inside that tunnel is DNS? Unless, say, OpenVPN that runs over the same 443 port.. But it's not actually typical HTTPS, so yeah, it can be detected..

    Off the top of the head, you would have to do some sophisticated analysis of the traffic flow, or destination etc.. The ability to pad the data is used to make sure the sizes are not reflective of your typical dns traffic.

    Not sure why anyone thinks this is anything new? Even before DoH.. A client has always had the ability to hide stuff inside an SSL/TLS tunnel over 443.. The client doesn't have to be able to do DNS through this tunnel to transfer data.. It could just grab a listing of IPs from some control point, and then use those to create connections and then move data back and forth.

    While I wouldn't go as far as not connecting your TV to the network.. But there are clear reasons to isolate such devices away from the rest of your network... It's not always to stop the maker of the device from doing something on your network they shouldn't be, but more that their code is normally horrible ;) And some other bad actor could leverage that to do something ;) This is why you segment your network and run pfSense to easily firewall off those devices and what they can or cannot do with the rest of your network, or even who they can talk to based on IP and/or port, etc. And yeah, you should probably keep an eye on where they are talking - I would be pretty concerned if they were talking to, say, China IPs ;) for example..

    The only way to know for sure what is being transferred would be to do a MITM attack.. And even then - they could put in code to prevent that, they could also just encrypt their traffic inside the SSL/TLS tunnel, so even if you can decrypt the outside tunnel you still cannot decrypt what is being moved back and forth.

    Got to love how people get all upset about a TV they purchase doing telemetry.. But they carry a device around in their pocket that can listen to anything being said, knows exactly where they are 24/7 and can read all their emails and texts, and phone conversations... But a TV can really only report that you are watching reruns of X-Files or you streamed Legally Blonde off Hulu ;)

    To be honest, the only protection against this sort of thing happening is the legal protection: if the company gets caught doing something they are not supposed to be doing, they get the shit fined out of them and exposed to the public, which you would hope hurts them the most, i.e. their pocketbook when consumers pick a different maker, etc. etc.

    You can take the extreme view and not connect the thing to the network.. But you're not going to be able to watch streaming media then.. Or you're going to have to do it via another device - i.e. just handing your trust over to the media player maker like Roku or Firestick, etc.

    Welcome to the age we all live in ;) Even if you could detect it and stop it - do you think the few users smart enough and willing enough to put in the systems to stop them from doing it would put a dent in the amount of info they can collect from the masses that don't have the skill set to do such a thing.. Legal action and shaming and notification is really the only thing that can stop such practices.. Since it will hurt them financially.. Look at the VW thing - they would still be doing the emissions nonsense if they hadn't gotten caught ;) And are we 100% sure they are still not doing it.. The only sure way for such actions to be stopped is to make the punishment so severe that getting caught makes the money they can make from doing it not worth the risk..

    If you have the means to actually detect what they are doing, and how - the best course of action would be to expose it, not just block it.. It's quite possible even that some people have detected it, but they brought it to the company and got paid off not to report ;) How tight is your tin foil hat, how far do you think the conspiracy goes ;)

    Understand that most of the info they collect, they probably told you about in their EULA ;) But who actually reads those ;)



  • @johnpoz said in Is it possible to block DoH and DoT, using SURICATA:

    You can take the extreme view and not connect the thing to the network.. But you're not going to be able to watch streaming media then.. Or you're going to have to do it via another device - i.e. just handing your trust over to the media player maker like Roku or Firestick, etc.

    Welcome to the age we all live in ;)

    Yup. Who do you trust...

    It's all a judgement call: is the value you get worth the cost you pay or the risk you take? For me, I chose to trust my Apple TVs more than my Samsung, LG and TCL/Roku TVs. Maybe that's foolish; wouldn't be the first time ;)

    I'm not holding my breath for relevant updates to privacy legislation. Too much money in surveillance capitalism and politics.

    Some rules exist concerning Suricata JA3 SSL fingerprints: SSL Blacklist

    Sorry if saying that I would never connect my Smart TV to the network is FUD. I suppose I should know better.
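    The two observable signals raised in this thread (the fixed port for DoT, and the JA3 fingerprints mentioned just above) can be shown in a few dozen lines. The script below is an added example written for this page; it is not code from the thread, from Suricata or from pfSense. It constructs a TLS ClientHello, extracts the cleartext SNI and the JA3 string from it, and labels a flow as DoT (TCP/853, per RFC 7858), likely DoH (SNI naming a public resolver), ordinary HTTPS, or unknown. The resolver hostnames in `KNOWN_DOH_HOSTS` and the label strings are assumptions for illustration. The same fields are what Suricata matches with the `tls.sni` and `ja3.hash` keywords; the point the example makes is that these are the last cleartext bits before the tunnel closes, and once the handshake is done (or Encrypted Client Hello hides the name) there is nothing left to inspect.

```python
"""Added example: what a passive sensor can see of DoT/DoH before encryption."""
import hashlib
import struct

# Assumed watch-list of public DoH resolvers (illustrative, not authoritative).
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com",
                   "dns.quad9.net", "doh.opendns.com"}

# GREASE values (RFC 8701) are skipped when building JA3, as the reference tool does.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def build_client_hello(sni, ciphers=(0x1301, 0x1302, 0xc02b)):
    """Construct a minimal TLS ClientHello record with SNI, supported_groups and
    ec_point_formats extensions. This is constructed test input, not a capture."""
    name = sni.encode()
    server_name = struct.pack("!BH", 0, len(name)) + name          # host_name entry
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    ext_sni = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    groups = struct.pack("!HHH", 0x001d, 0x0017, 0x0018)             # x25519, P-256, P-384
    ext_groups = struct.pack("!HHH", 0x000a, len(groups) + 2, len(groups)) + groups
    ext_points = struct.pack("!HHBB", 0x000b, 2, 1, 0)               # uncompressed only
    exts = ext_sni + ext_groups + ext_points
    cipher_bytes = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                     # version, random, no session id
            + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
            + b"\x01\x00"                                            # compression: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # type ClientHello, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return (sni, ja3_string) from a TLS record holding a ClientHello,
    or (None, None) when the bytes are not a ClientHello."""
    if len(data) < 43 or data[0] != 0x16 or data[5] != 0x01:
        return None, None
    pos = 9                                                           # record + handshake headers
    version = struct.unpack("!H", data[pos:pos + 2])[0]; pos += 34    # version + 32-byte random
    pos += 1 + data[pos]                                              # session id
    cs_len = struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2
    ciphers = [struct.unpack("!H", data[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + data[pos]                                              # compression methods
    if pos + 2 > len(data):
        return None, None
    end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]; pos += 2
    sni, ext_types, groups, points = None, [], [], []
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", data[pos:pos + 4]); pos += 4
        edata = data[pos:pos + elen]; pos += elen
        ext_types.append(etype)
        if etype == 0x0000 and len(edata) >= 5:                      # server_name
            name_len = struct.unpack("!H", edata[3:5])[0]
            sni = edata[5:5 + name_len].decode("ascii", errors="replace")
        elif etype == 0x000a and len(edata) >= 2:                    # supported_groups
            n = struct.unpack("!H", edata[:2])[0]
            groups = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == 0x000b and len(edata) >= 1:                    # ec_point_formats
            points = list(edata[1:1 + edata[0]])
    ja3 = ",".join([str(version),
                    "-".join(str(c) for c in ciphers if c not in GREASE),
                    "-".join(str(e) for e in ext_types if e not in GREASE),
                    "-".join(str(g) for g in groups if g not in GREASE),
                    "-".join(str(p) for p in points)])
    return sni, ja3


def ja3_hash(ja3_string):
    """JA3 is defined as the MD5 of the comma-separated field string."""
    return hashlib.md5(ja3_string.encode()).hexdigest()


def classify_flow(dst_port, first_bytes):
    """Label a flow using only what is visible without decrypting it."""
    if dst_port == 853:
        return "dot"            # RFC 7858 port: a plain firewall rule is enough
    sni, _ = parse_client_hello(first_bytes)
    if sni is None:
        return "unknown"        # not a ClientHello, or ECH hid the name
    if sni.lower().rstrip(".") in KNOWN_DOH_HOSTS:
        return "doh-likely"     # named a known resolver; a hint, not proof
    return "https"              # indistinguishable from any other TLS flow


if __name__ == "__main__":
    for port, host in ((853, "dns.quad9.net"), (443, "dns.google"), (443, "www.example.com")):
        hello = build_client_hello(host)
        sni, ja3 = parse_client_hello(hello)
        print(port, host, classify_flow(port, hello), sni, ja3_hash(ja3))
```

    Run it as-is to see the three labels; feed `parse_client_hello` the first bytes of a real TCP/443 stream (for example from a pcap) to see the same SNI and JA3 a Suricata `tls.sni`/`ja3.hash` rule would match on. Nothing here reads the DNS queries themselves, which is the limitation the rest of the thread describes.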


  • LAYER 8 Global Moderator

    @jwj said in Is it possible to block DoH and DoT, using SURICATA:

    I'm not holding my breath for relevant updates to privacy legislation. Too much money in surveillance capitalism and politics.

    Very very true! Also the lawmakers don't understand any of it.. Kind of hard to pass legislation on tech that is all just magic to you..

    We are just doing what the users want! We are providing a service - they agreed to it, etc. etc. Oh by the way here is some $ for that thing you wanted to get done.. We are here to help! ;)

    Also the problem is the tech "can" be used for good!!! What you're watching on TV is minor shit in the big picture..

    Guns can save your life from that bear, they can be used to feed your family... But they can also be used by a bad guy to kill you.. Same goes for some of this tech - it's all double-edged swords.. They can cut the stuff you want to cut, but they can also cut you bad!

