Hello, welcome to the Wednesday, August 2, 2023 edition of the Sansonet Stormer's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Today I wrote up some of the queries that we are seeing against our web application Honeypot.

These queries are looking for

DNS over HTTP resolvers. DNS over HTTP has become quite popular given that all the browsers

are supporting it and is of course one of the features that not just attackers are looking for,

but also people who pretty much

just want some privacy.

Now, many networks are blocking well-known DNS over HTTP resolvers, which leaves these

individuals then up to essentially hunting for open resolvers.

They may find the setup and configured by third parties

that are not necessarily sort of well-known in databases.

And that's, I believe, what we are seeing here in some of the data.

Now, some of it may also be companies that are probably assembling blocklists

to block these DNS over HTTP resolvers. Sadly, I think our data here is still a little bit

limited. I configured a couple of honeypots to actually implement DNS over HTTP and to resolve

these queries,

but haven't really seen anything in these honeypots

beyond just simple sort of fingerprinting,

like we see against the random web server honeypots too,

which don't actually implement the DNS over HDPS protocol.

Kasperski published a report with details regarding a tool that they found deployed in

...