Decoding DNS over HTTP(s) Requests, (Mon, Jan 30th)

This post was originally published on this site

I have written before about scans for DNS over HTTP(s) (DoH) servers. DoH is now widely supported in different browsers and recursive resolvers. It has been an important piece in the puzzle to evade various censorship regimes, in particular, the "Big Chinese Firewall". Malware has at times used DoH, but often uses its own HTTP(s) based resolvers that do not necessarily comply with the official DoH standard.

Just today, one of our honeypots received the following requests from various IPs:


The different URLs correspond to various common implementations of DoH. The most common default appears to be "/dns-query" (BIND and Unbound). This is also the endpoint used by the RFC. Some DNS servers (for example, Power DNS) use "/" as the default. 

The payload is a Base64 encoded DNS message:

00000000: 0d42 0100 0001 0000 0000 0000 0562 6169  .B...........bai
00000010: 6475 0363 6f6d 0000 0100 01    

0d42 – Query ID
0100 – Recursion desired flag set
0001 – One Query
0000 – No Answers
0000 – No Authority Records
0000 – No Additional Records
0562 6169 6475 0363 6f6d 00
0001 – Internet Zone
0001 – A Records

So in short: An "A" records query for If you see any requests like this in your logs: Don't worry about it too much. I wouldn't consider it some simple recognizance. They are unlikely to "attack" your server even if you have a DNS over HTTPS resolver running. However, they may use it to anonymize their requests which may also trigger some alerts if they are attempting to look up suspect hostnames. This traffic may also lead to resource issues if you have a smaller server.

I did earlier today add DoH responses to some of my honeypots, so we will see if anything changes.


Johannes B. Ullrich, Ph.D. , Dean of Research,

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.