Detecting Malicious Use of DoH Tunnels Using Statistical Traffic Analysis

Abstract

DNS plays a fundamental role in the operation of ubiquitous networks. All devices connected to these networks need DNS to work, both for traditional domain name to IP address translation, and for more advanced services such as resource discovery. At first, the DNS communication protocol presented certain security problems: integrity, authenticity and confidentiality. DNSSEC provides security but still does not guarantee confidentiality. To solve this problem, DNS over TLS (DoT) and DNS over HTTPS (DoH) were defined. In recent years, DNS tunneling, a covert form of encapsulating data transmission, has been used to encapsulate malicious traffic in a DNS connection. DoT and DoH versions complicate the detection of these tunnels because the encrypted data prevents performing an analysis of the content of the DNS traffic. Previous work has used machine learning techniques to identify DoH tunnels, but these have limitations. In this study, we identify the most significant features that singularize malicious traffic from benign traffic by statistical analysis. Based on the selected features, we obtain satisfactory results in the classification between benign and malicious DoH traffic. The study reveals that it is possible to differentiate traffic based on certain statistical parameters.