DNS over HTTPS (DoH)
Author(s)
Choi, John Sang
Advisor(s)
Mueller, Milton
Abstract
DNS over HTTPS (DoH) is a newer form of DNS encryption in which DNS requests are no longer sent in plaintext but are carried over port 443, the port used for HTTPS. The focus of this paper is on determining whether fingerprinting can be used to recover the content of DoH queries, since DoH is built to keep DNS queries confidential and secure, that is, not left in plaintext. If fingerprinting methods could expose DoH queries, the whole premise would be invalid: an adversary could use fingerprinting to extract the DoH query data, leaving it just as weak as plaintext DNS queries are today. Fingerprinting methods such as ja3 and ja3s are used to test these fingerprinting techniques. Determining whether there are clear signs that differentiate web pages hosted on the same server is essential; under DoH there should be enough obfuscation that differentiating web pages is not possible, which protects the confidentiality of the specific web page a client is trying to reach. We use the ja3 and ja3s fingerprinting methods because every DoH request requires a TLS handshake, and even under the new TLS 1.3 standard the initial handshake message is sent in plaintext, so it is readable while the handshake messages that follow are not. The analysis examines whether the specific content and web pages are readable, rather than only the generic server information exposed during the initial handshake. The study measures how easy or difficult it is to identify each set of requests and compares it with the other requests that are made. The ja3 and ja3s results help determine whether minimal fingerprinting methods are sufficient to identify and differentiate between particular web pages hosted on the same server. From the analysis, although the information about the connected server is public, there is no definite way to identify precisely which web page on that server a client is visiting using the ja3 MD5 hash. Since DoH only connects the web browser to the server, no specific information about the web page and its contents is available to view.
Date
2021-05
Resource Type
Text
Resource Subtype
Undergraduate Thesis