Due to compliance requirements, I needed to detect which hosts run DoT and DoH services. nmap cannot currently fingerprint these two services, so I had to do it myself. DoT (DNS over TLS) and DoH (DNS over HTTPS) are both encrypted DNS services. This was my first time working with them, so it took some time to look up the information, which is recorded here.
DNS is one of the most basic protocols on the Internet. It resolves domain names into IP addresses and has a wide range of uses. If DNS resolution requests are not encrypted, an intermediary who intercepts the DNS traffic can hijack it, phish users, and monitor the sites a user browses.
The two are somewhat similar, and both are used to encrypt DNS request traffic. The IETF specifies DNS over HTTPS in RFC 8484 and DNS over TLS in RFC 7858 and RFC 8310. DoT uses TCP as the underlying connection protocol, layered with TLS for encryption and authentication. The default port for DoH is 443, based on the HTTPS protocol; the default port for DoT is 853, based on TCP.
As mentioned earlier, DoT defaults to port 853, so it is enough to scan for hosts with port 853 open, or to scan all ports and identify which ones are running the domain service. DoH, however, defaults to port 443, where an nmap probe returns only the HTTPS service fingerprint, so it is difficult to identify. The only way is to simulate a DNS request that follows the DoH standard and see whether a resolution result is returned normally. Constructing a standard request packet by hand means studying the protocol and its principles, which is difficult. Fortunately, someone has already written a Python library for this.
Official PyPI page: https://pypi.org/project/doh-proxy/#doh-client
doh-proxy is a library dedicated to proxying DoH. It is divided into server tools and client tools; after installation it provides doh-proxy and doh-client. The one of interest here is doh-client, which can simulate an encrypted DNS request over DoH. It currently supports only Python > 3.5 and can be installed directly with pip.
If no error is reported, port 443 of 184.108.40.206 supports the DoH service. If 220.127.116.11 is replaced with the IP of the host to be identified, you can tell whether port 443 of that host provides the DoH service. If you want to scan hosts in batches, you can modify the client.py file in the site-packages/dohproxy directory, like this:
Then run the client.py file with python.
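
The check described above (send a standards-conformant DoH request and see whether a DNS answer comes back) can also be written with only the Python standard library. The following is an added example, not code from the original post or from doh-proxy; the `/dns-query` path, the function names and the `verify_tls` switch are assumptions made for illustration.

```python
import base64
import http.client
import ssl
import struct
import urllib.request

DOH_MEDIA_TYPE = "application/dns-message"  # media type defined by RFC 8484
DOH_PATH = "/dns-query"  # assumption: common path; the real URI template is per server

def build_query(name, qtype=1):
    """DNS wire-format query for name (type A by default), ID 0 as RFC 8484 advises."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD flag, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS = IN

def doh_get_url(host, query, port=443):
    """RFC 8484 GET form: the message goes in ?dns= as unpadded base64url."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{host}:{port}{DOH_PATH}?dns={b64}"

def is_dns_response(body, query):
    """True if body is a DNS response that echoes the question we sent."""
    if len(body) < len(query):
        return False
    ident, flags, qdcount = struct.unpack("!HHH", body[:6])
    return (ident == 0 and bool(flags & 0x8000) and qdcount == 1
            and body[12:len(query)] == query[12:])

def probe_doh(host, name="example.com", timeout=5.0, verify_tls=True):
    """Send one DoH GET to host; True only if a valid DNS message comes back."""
    query = build_query(name)
    ctx = ssl.create_default_context()
    if not verify_tls:  # inventory scans by IP rarely match the certificate name
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(doh_get_url(host, query),
                                 headers={"Accept": DOH_MEDIA_TYPE})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            ctype = resp.headers.get("Content-Type", "")
            return ctype.startswith(DOH_MEDIA_TYPE) and is_dns_response(resp.read(), query)
    except (OSError, ValueError, http.client.HTTPException):
        return False  # refused, timed out, TLS failure or HTTP error: no DoH seen
```

Checking both the `Content-Type` and the echoed question section keeps an ordinary web server that returns an HTML page or a 200 status for any path from being counted as a DoH resolver.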