DNS over HTTPS traffic analysis and detection

The Domain Name Service (DNS) is a prevalent protocol used in computer communications, used to translate domain names to addresses that can be routed to via de Internet Protocol (IP). One of the main characteristics of DNS is the use of plaintext requests and responses, leaking information even in t...

ver descrição completa

Detalhes bibliográficos
Autor: López Romera, Carlos
Formato: tesis de maestría
Fecha de publicación:2020
País:España
Recursos:Universitat Oberta de Catalunya (UOC)
Repositorio:O2, repositorio institucional de la UOC
OAI Identifier:oai:openaccess.uoc.edu:10609/119946
Acesso em linha:http://hdl.handle.net/10609/119946
Access Level:acceso abierto
Palavra-chave:DNS
machine learning
traffic analysis
HTTPS
aprendizaje automático
análisis del tráfico
aprenentatge automàtic
anàlisi del trànsit
Computer security -- TFM
Seguretat informàtica -- TFM
Seguridad informática -- TFM
Descrição
Resumo:The Domain Name Service (DNS) is a prevalent protocol used in computer communications, used to translate domain names to addresses that can be routed to via de Internet Protocol (IP). One of the main characteristics of DNS is the use of plaintext requests and responses, leaking information even in traditional secure communications; a client might resolve a server's IP address using plaintext messages, and then cryptographically protect its exchange with the server itself. DNS over HTTPS (DoH) is a protocol specification introduced in the IETF RFC 8484 (2018), which provides a mapping of regular DNS requests and responses over TLS-encapsulated HTTP messages. TLS (Transport Layer Protocol) and HTTP (HyperText Transfer Protocol), known in conjunction as HTTPS, are the two most common methods of communication with web servers, each providing security and structure respectively. DoH, then, provides not only the cryptographic benefits of TLS, but also the masquerading of DoH communications as regular web traffic. Although recent work has aimed to identify the content of DoH communications by using different fingerprinting techniques, distinguishing regular TLS-encapsulated HTTP traffic from DoH remains an unsolved challenge. In this thesis, passive analysis of DoH traffic is presented, as well as a method and implementation for its detection.