Hello, welcome to the Wednesday, December 18th, 2019 edition of the Sands and the Storm Center's

Stormcast. My name is Johannes Ulrich. And I'm recording from Jacksonville, Florida.

I took a closer look today at the DNS over HDPS implementation between Firefox and Cloudflare and publish some sort of initial

results of some experiments here.

First of all about identifying these connections.

Now the idea here is of course that if you don't necessarily know the IP address, the user is connecting to,

for example, they're using their own DNS over HDPS endpoint.

Well, yes, you can sort of profile the connections and figure out that they're probably

doing DNS over HTPS.

One sort of giveaway is that the payload sizes for the TCP packets with DNS

or HTTP are a lot smaller on average than the ones for regular HTTP traffic. Regular

HTTP traffic, if you're downloading files and such, you're typically downloading

more data for a particular request, which means that pretty much the segment size, so the

amount of data being sent in each packets fills the entire MTO. So it's around 1,400 plus

bytes of payload length. For DNS over HTPS, you typically

deal with shorter transactions. So what you will see is shorter packets, typically less than

500 bytes in length. And an interesting sort of three spike pattern here that I found

when I looked at the size frequency will probably have more about this on

Thursday including how to decode some possible queries and the like that may be

sent over HTTP.

Right now I'm focusing a little bit on the Firefox to Cloudflare connection because

that's sort of the most common and most mature implementation at this point probably, but

...