DNS over HTTPS rules

jpgpi250 · December 1, 2022, 11:36am

After successfully registering a sid allocation, my DOH rules are now available, here, more info here.
The rules reject DNS requests for known (o)DoH domains, extracted from various lists.

A lot of DoH servers need to be contacted, using <domain>/dns-query, so to ensure some of the new domains, not appearing in any list yet, could be captured by a rule, rejecting URLs, ending with /dns-query appears to be a partial solution.

I tried various suggestions, found on duckduckgo, but I can’t get any of them to work.
Simplest example (doesn’t work):

alert tcp any any → any any (msg:"(o)DoH Query”; content:"/dns-query"; http_uri; rev:1; sid:1000002;)

any ideas on how to reject requests, ending with /dns-query?

bmurphy · December 1, 2022, 1:52pm

Something like this should work. assuming that $HOME_NET is defined correctly.

alert http $HOME_NET any → any any (msg:"(o)DoH Query”; flow:established,to_server; http.uri; content:"/dns-query"; endswith; rev:1; sid:1000002;)

But keep in mind, as we’re talking about DoH, this traffic is likely encrypted. So unless you’re getting the traffic decrypted before sending it to Suricata, it’s likely to be missed.

Topic		Replies	Views
Sid allocation for ruleset I wish to share Rules	10	1122	January 8, 2023
Filter dns query by wildcard rather then by ip address Help rules	5	621	May 8, 2023
Suricata allow domain URI Help rules	1	722	September 12, 2023
ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain - filter out known FQDN? Help suricata	4	1160	August 31, 2022
Rules with http.host keyword and DNS resolution? Rules	2	386	March 21, 2023

DNS over HTTPS rules

Related Topics