
E-DoH: Elegantly Detecting the Depths of Open DoH Service on the Internet

Cong Dong, Jiahai Yang, Yun Li, Yue Wu, Yufan Chen, Chenglong Li, Haoran Jiao, Xia Yin, Yuling Liu

TL;DR

This work tackles the challenge of efficiently discovering public DNS over HTTPS (DoH) services amidst port multiplexing on 443. It introduces E-DoH, a measurement framework that uses wildcard-domain mapping and dynamic protocol negotiation, implemented in Go to achieve significant speedups and reduced traffic. The method yields an ~80% time-efficiency improvement and only 4-20% of the traffic compared with baselines, uncovering about 46k DoH services in the wild and revealing a DoH ecosystem with high-quality responses (≈98% correct) and a predominantly forwarding resolver role (≈92%). By exposing the dependency structure and clustering of resolvers, E-DoH provides actionable insights into DoH service deployment and potential resilience risks, while remaining mindful of ethical considerations and limitations in discovering non-public DoH configurations.

Abstract

In recent years, DNS over Encrypted (DoE) methods have been regarded as a novel trend within the DNS ecosystem. Among these DoE methods, DNS over HTTPS (DoH) provides encryption to protect data confidentiality while also offering better obfuscation against censorship by multiplexing port 443 with web services. This development makes publicly available DoH services harder to discover. In this paper, we propose the E-DoH method for elegant and efficient DoH service detection. First, we optimized the probing mechanism so that a single DoH connection accomplishes multiple tasks, including service discovery, correctness validation and dependency construction. Second, we propose an efficient DoH detection tool that improves probing efficiency while significantly reducing the required traffic volume. Third, based on the above optimizations, we explored the IPv4 space and performed an in-depth analysis of DoH based on the collected information. In experiments, our approach demonstrates an 80% improvement in time efficiency and requires only 4%-20% of the traffic volume to complete the detection task. In in-the-wild detection, our approach discovered 46k DoH services, nearly double the number discovered by the state of the art. Based on the collected data, we present several intriguing conclusions about the current DoH service ecosystem.
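As an added illustration of the probing idea the abstract sketches (this is not code from the paper or from the E-DoH tool), the DNS payload of one probe: a query for a per-target label under a wildcard measurement zone, and the correctness check applied to the reply. The zone `probe.example`, its expected address `192.0.2.1` and the `resolver_reply` stand-in are all assumptions for the example; the HTTPS transport and the backend logging that ties the label to the upstream resolver are not shown.

```python
import struct

ZONE = "probe.example"     # hypothetical measurement zone with a wildcard A record
EXPECTED_IP = "192.0.2.1"  # assumed address that *.probe.example resolves to

def build_query(txid: int, label: str) -> bytes:
    """Wire-format A query (RD=1) for <label>.<ZONE>; the label tags the probed target."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in f"{label}.{ZONE}".split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a label sequence or a 2-byte compression pointer."""
    while off < len(msg):
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1
    raise ValueError("truncated name")

def validate_answer(resp: bytes, txid: int) -> bool:
    """Correctness check: NOERROR reply to txid carrying an A record == EXPECTED_IP."""
    try:
        rid, flags, qdcount, ancount = struct.unpack("!HHHH", resp[:8])
        if rid != txid or not flags & 0x8000 or flags & 0x000F:
            return False  # wrong transaction, not a response, or non-zero RCODE
        off = 12
        for _ in range(qdcount):
            off = _skip_name(resp, off) + 4  # skip QNAME, QTYPE, QCLASS
        for _ in range(ancount):
            off = _skip_name(resp, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
            rdata, off = resp[off + 10:off + 10 + rdlen], off + 10 + rdlen
            if rtype == 1 and rdlen == 4 and ".".join(map(str, rdata)) == EXPECTED_IP:
                return True
        return False
    except (ValueError, struct.error):  # truncated or malformed message
        return False

def resolver_reply(query: bytes, ip: str, rcode: int = 0) -> bytes:
    """Constructed stand-in for a DoH resolver's reply: echoes the question and,
    unless rcode is set, adds one A record pointing (0xC00C) at the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = _skip_name(query, 12) + 4
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0 if rcode else 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(map(int, ip.split(".")))
    return header + query[12:qend] + (b"" if rcode else rr)
```

A reply that is well-formed but carries a different address, a non-zero RCODE, or a mismatched transaction ID is counted as incorrect, which is the distinction the paper's correctness statistic rests on.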

Paper Structure

This paper contains 25 sections, 5 figures, 5 tables.

Figures (5)

  • Figure 1: Domain assigning and backend logging
  • Figure 2: Tune results of E-DoH
  • Figure 3: Cumulative curves
  • Figure 4: Sample partial service resolution dependency connectivity component
  • Figure 5: Providers of the hidden resolvers