Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

DOH! DNS Over HTTPS Poses Possible Risks to Enterprises


David Middlehurst of Trustwave SpiderLabs presented at the first ever conference dedicated to the Mitre ATT&CK framework earlier this week, on October 23, 2018. Mitre hosted the event ATT&CKcon at their offices in McLean, VA. The event saw some of leading security professionals in defensive and offensive realms come together. Mitre's ATT&CK has become a de facto standard used to make sense of adversary Tactics, Techniques and Procedures (TTPs). SpiderLabs leverages ATT&CK within its Red Team and Purple Team offerings.

The importance of a community driven response to some of the most advanced threats was a reoccurring theme at the conference. In this spirit, David who prides himself as one of our red teamers and penetration testers on the offensive side shared some of his research. That research covers a cutting-edge technique whereby trusted endpoints that correspond to a secure Domain Name System (DNS) alternative may be used for malicious purposes for delivery of payloads and command and control.

What is DNS over HTTPS (DoH)?

DNS over HTTPS (DoH) is one proposal on the table for solving some of the pitfalls of the traditional DNS resolution that underpins the Internet. The key issues being addressed in current DNS are the end user privacy implications and the possibility of Man-in-the-Middle (MitM) attacks which mean that a malicious party within the data path of resolution could interfere with the messaging. The DoH solution, described in RFC8484 (, sees the sending of DNS queries and retrieval of DNS responses take place over HTTPS which provides security for integrity and confidentiality. In this DNS ecosystem DoH providers host a URI endpoint on the Internet that facilitates DNS resolution. An alternate approach to DoH is DNS over TLS (DoT), described in RFC7858 (, but this approach requires direct outbound connectivity to port TCP 853.

Abuse of DoH

There has been a long history of the abuse of traditional DNS for the purposes of tunneling data out of a network, for example abusing A and TXT record lookups. DoH brings its own new challenges to the enterprise. Firstly, improving the privacy of underlying DNS queries conducted over this channel could impact security monitoring. Secondly, the DoH providers host HTTPS endpoints which when accessed could look benign when observing outgoing connections.

The SpiderLabs Red Team implemented a Proof of Concept (PoC) command and control mechanism within the popular Adversary Simulation and Red Team Operations Software Cobalt Strike for the purposes of raising awareness of this as a technique as well as help defenders better understand the threat and protect their networks. The PoC which leverages DoH providers, called DoHC2, was shared with the community during David's presentation "Playing Devil's Advocate to Security Initiatives with ATT&CK" at Mitre's ATT&CKcon. The presentation also talked about potential ways in which ATT&CK can help in using knowledge from real-world attacks to improve the resilience of security initiatives by pre-empting ways in which they could be circumvented or abused.

You can watch David's presentation here: and access the proof of concept code and slides from the presentation here:

The diagram below shows the path of command and control implemented by this PoC. This means that outgoing command and control traffic would only be observable as a series of connections to the DoH provider on the Internet rather than directly to attacker infrastructure.

    Command and Control via DNS over HTTPS (DoH)     
Command and Control via DNS over HTTPS (DoH)

To exacerbate the issue, the research also highlighted that at least one DoH provider ran their resolver endpoint on an IPV4 address that is shared with other services. This means that this technique can also be coupled with another known as "Domain Fronting" whereby a TLS connection is opened to one service but by leveraging the "Host" header in the underlying HTTP traffic (which is encrypted) actually routes the request to the DoH resolver. This can again make life more difficult for defenders.

Other Security Research

Since the presentation given by SpiderLabs at ATT&CKcon there has been an overwhelming response from the Information Security Community. So much so, that two other security consultancies, SensePost and Outflank have now also shared their research in this area in the days that followed. The research which ranges from other implementations of DoH for exfiltration and command and control to payload delivery techniques. On the defensive side, Nick Carr, FireEye has already highlighted in a  tweet some potential historic use of this technique and others such as Steve Miller have been working on possible detections. This community response only demonstrates the importance of the technique and that defenders should consider the risks it poses.


  • Block or more aggressively monitor traffic to DNS over HTTPS (DoH) endpoints. If wishing to benefit from some of the security benefits that DoH offers, roll out internal DoH, DNS over TLS (DoT) resolvers and/or carry out secure DNS resolution on the outermost DNS servers of the organisation.
  • Where possible inspect underlying HTTP exchanges for indicators of DoH use where TLS is stripped for inspection within an organisation. i.e. 'application/dns-json', 'application/dns-message' content types.
  • In the same manner, look for potential indicators of "Domain Fronting" whereby the outgoing TLS connection hostname does not match the underlying HTTP host header.
  • Apply heuristic based or anomaly-based detections of packet sizes, frequency and volume, time based, pattern of life to outgoing traffic.
  • Potential other detections being considered by defenders, where TLS stripping is not possible, involve fingerprinting any observable traits in the SSL client behavior using a tool such as JA3.

Latest SpiderLabs Blogs

Trustwave Rapid Response: CrowdStrike Falcon Outage Update

Trustwave is proactively assessing and monitoring our clients who may have been impacted by CrowdStrike’s recently rolled-out update for its Windows users. The critical issue identified with...

Read More

Using AWS Secrets Manager and Lambda Function to Store, Rotate and Secure Keys

When working with Amazon Web Services (AWS), we often find that various AWS services need to store and manage secrets. AWS Secrets Manager is the go-to solution for this. It's a centralized service...

Read More

Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01

The Trustwave SpiderLabs Threat Intelligence team's ongoing study into how threat actors use Facebook for malicious activity has uncovered a new version of the SYS01 stealer. This stealer is designed...

Read More