Privacy of DNS-over-HTTPS: Requiem for a Dream?

The recently proposed DNS-over-HTTPS (DoH) protocol is becoming increasingly popular in addressing the privacy concerns of exchanging plain-text DNS messages over potentially malicious transit networks (e.g., mass surveillance at ISPs). By employing HTTPS to encrypt DNS communications, DoH traffic inherently becomes indistinguishable from regular encrypted Web traffic, rendering active disruption (e.g., downgrading to plain-text DNS) by transit networks extremely hard. In this work, we investigate whether DoH traffic is indeed indistinguishable from encrypted Web traffic. To this end, we collect several DoH traffic traces corresponding to 25 resolvers (including major ones, e.g., Google and Cloudflare) by visiting thousands of domains in Alexa's list of top-ranked websites at different geographical locations and environments. Based on the collected traffic, we train a machine learning model to classify HTTPS traffic as either Web or DoH. With our DoH identification model in place, we show that an authoritarian ISP can identify ∼97.4% (∼90%) of the DoH packets correctly in a closed-world (open-world) setting while only misclassifying 1 in 10,000 Web packets. To counter this DoH identification model, we propose an effective mitigation technique, making the identification model impractical for ISPs to filter and consequently downgrade DoH to plain-text DNS communications.
Publisher
IEEE European Symposium on Security and Privacy
Issue Date
2021-09-06
Language
English
Citation

IEEE European Symposium on Security and Privacy (EuroS&P), pp. 252-271

DOI
10.1109/EuroSP51992.2021.00026
URI
http://hdl.handle.net/10203/289705
Appears in Collection
CS-Conference Papers (Conference Papers)
Files in This Item
There are no files associated with this item.
