After successfully registering a sid allocation, my DOH rules are now available, here, more info here.
The rules reject DNS requests for known (o)DoH domains, extracted from various lists.
A lot of DoH servers need to be contacted using <domain>/dns-query, so to ensure that some of the new domains, not appearing in any list yet, could be captured by a rule, rejecting URLs ending with /dns-query appears to be a partial solution.
I tried various suggestions, found on duckduckgo, but I can’t get any of them to work.
Simplest example (doesn’t work):
alert tcp any any -> any any (msg:"(o)DoH Query"; content:"/dns-query"; http_uri; rev:1; sid:1000002;)
Any ideas on how to reject requests ending with /dns-query?
Something like this should work, assuming that $HOME_NET is defined correctly.
alert http $HOME_NET any -> any any (msg:"(o)DoH Query"; flow:established,to_server; http.uri; content:"/dns-query"; endswith; rev:1; sid:1000002;)
But keep in mind, as we’re talking about DoH, this traffic is likely encrypted. So unless you’re getting the traffic decrypted before sending it to Suricata, it’s likely to be missed.
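A small rule set, added here as an example (not from the thread or the Suricata project), that builds on the endswith rule above. It assumes Suricata 6.x rule syntax (sticky buffers, endswith) and a configured $HOME_NET, covers both request forms defined in RFC 8484 plus a path-independent check, and uses placeholder sids from the local range.

```suricata
# Added example, not from the thread. Assumes Suricata 6.x or later and that
# $HOME_NET is set in suricata.yaml. The sids are placeholders.

# 1. POST form (RFC 8484): the request URI is exactly ".../dns-query" and the
#    DNS message is in the body, so endswith on http.uri matches it.
alert http $HOME_NET any -> any any (msg:"(o)DoH query via POST (URI ends with /dns-query)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dns-query"; endswith; sid:1000010; rev:1;)

# 2. GET form (RFC 8484): the DNS message is carried as ?dns=<base64url>, so the
#    URI does not end with /dns-query; match the path plus the start of the
#    query string instead.
alert http $HOME_NET any -> any any (msg:"(o)DoH query via GET (/dns-query?dns=)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dns-query?dns="; sid:1000011; rev:1;)

# 3. Path-independent variant: DoH requests carry the application/dns-message
#    media type whatever the endpoint name, so this also catches servers that
#    do not use /dns-query at all.
alert http $HOME_NET any -> any any (msg:"(o)DoH query by Content-Type"; flow:established,to_server; http.content_type; content:"application/dns-message"; sid:1000012; rev:1;)
```

In IPS mode the action can be changed from alert to reject or drop; as noted above, all three only see the request if the TLS traffic is decrypted before it reaches Suricata.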