Hello, welcome to the Friday, December 20th, 2019 edition of the Sansonet Storm Center's

Stormcast.

My name is Johannes Ulrich Entertainment recording from Jacksonville, Florida.

Well, as I mentioned yesterday, today I made the blog post live with additional details about DNS over HTPS and how to possibly

decode some of the content.

The basic principle is pretty straightforward.

The actual content of the DNS query, so the DNS data that would usually go over UDP is, well, sent over

HTTP 2, but the actual DNS content is sent in a packet by itself, and the size of this

packet directly correlates with the size of the host name you're looking up. Now, not a huge vulnerability in that sense, but certainly something that should probably

be fixed and Firefox already indicated that they're working on this.

There is a DNS option that they can take advantage of, which will allow them to add padding to each DNS query

to obscure the actual length of the query.

Now, I did some testing today with different DNS over HGPS providers.

Most of them will actually not support this option.

Cloudflare, for example, in my testing at least, didn't respond at all.

Others responded with errors.

There are only a couple that really support the option.

Also interesting with Cloudflare, Cloudflare actually pads the responses that are coming back.

So that's a little bit odd even if you're not sending this option. Cloudflare actually pads the responses that are coming back.

So that's a little bit odd.

Even if you're not sending this option, it will still respond with that option, which is actually not quite sort of RFC compliant.

Well, I'll certainly keep playing with this.

...