Abstract
Domain Name System (DNS) tunnelling, in which an attacker carries exfiltrated data or command-and-control traffic inside plaintext DNS queries and responses, has drawn considerable attention in recent years. To address the privacy problems of plaintext DNS, the Internet Engineering Task Force (IETF) published DNS-over-HTTPS (DoH, RFC 8484) in 2018, which encrypts DNS traffic inside HTTPS. Attackers, however, have turned the same encryption to their advantage: a DNS tunnel carried over DoH looks on the wire like ordinary HTTPS, so detection methods that inspect plaintext DNS (query names, record types, label entropy) no longer apply, and DoH-based tunnels have been implicated in incidents across several sectors. This paper surveys DoH covert-tunnel detection: the current state of DNS encryption, the features used for detection (flow features, TLS handshake features, statistical features), how the available datasets were constructed, and a classification of existing research. It closes with the open problems of low-throughput tunnels, small sample sizes and new protocols, which future work on the comprehensiveness and robustness of DoH covert-tunnel detection must address.
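The flow and statistical features the survey lists can be computed from nothing more than packet sizes, directions and timestamps, which is all that survives DoH encryption. The following Python block is an added example, not code from the paper: it extracts such features from two constructed DoH flows (one benign browsing session, one fixed-chunk upload that behaves like a tunnel) and applies a handful of indicator thresholds. The flow contents and every threshold value are assumptions chosen for illustration. TLS handshake features (SNI, JA3-style fingerprints) would need a ClientHello parser and are deliberately left out.

```python
"""Flow-level statistical features for triaging DoH covert tunnels.

Added example: the flows below are constructed and the thresholds are
illustrative assumptions, not values taken from the paper.
"""
from collections import Counter
from dataclasses import dataclass
from math import log2
from statistics import mean, pstdev


@dataclass
class DoHFlow:
    client: str
    resolver: str
    # One entry per packet (or TLS record): (direction, size_bytes, time_s).
    # direction is "c2s" (client to resolver) or "s2c". Payloads are encrypted,
    # so size and timing are the only observables.
    packets: list


def size_entropy(sizes, bucket=64):
    """Shannon entropy (bits) of packet sizes binned into bucket-byte bins.

    Fixed-size chunking by a tunnel client yields few bins and low entropy;
    normal web traffic spreads over many bins.
    """
    counts = Counter(s // bucket for s in sizes)
    n = len(sizes)
    return -sum(c / n * log2(c / n) for c in counts.values())


def extract_features(flow):
    """Return the per-flow features used by the indicator rules below."""
    c2s = [(s, t) for d, s, t in flow.packets if d == "c2s"]
    s2c = [(s, t) for d, s, t in flow.packets if d == "s2c"]
    if not c2s or not s2c:
        raise ValueError("flow must carry traffic in both directions")
    c2s_bytes = sum(s for s, _ in c2s)
    s2c_bytes = sum(s for s, _ in s2c)
    c2s_sizes = [s for s, _ in c2s]
    # Inter-arrival times of client requests: a beaconing tunnel is regular,
    # so the coefficient of variation (std/mean) is close to zero.
    times = sorted(t for _, t in c2s)
    iats = [b - a for a, b in zip(times, times[1:])]
    iat_mean = mean(iats) if iats else 0.0
    return {
        "pkt_count": len(flow.packets),
        "c2s_ratio": c2s_bytes / (c2s_bytes + s2c_bytes),
        "c2s_mean_size": mean(c2s_sizes),
        "c2s_size_std": pstdev(c2s_sizes),
        "iat_cv": pstdev(iats) / iat_mean if iat_mean > 0 else 0.0,
        "size_entropy": size_entropy([s for _, s, _ in flow.packets]),
    }


# Illustrative thresholds (assumed for this example, not from the paper).
THRESHOLDS = {
    "pkt_count": 20,       # long-lived session
    "c2s_ratio": 0.6,      # upload-heavy: real DNS answers outweigh queries
    "iat_cv": 0.3,         # low jitter in client timing suggests beaconing
    "size_entropy": 1.5,   # few distinct sizes suggests fixed-size chunking
    "c2s_size_std": 16.0,  # near-constant request size
}


def tunnel_indicators(features):
    """List which indicator rules a feature vector trips."""
    hits = []
    if features["pkt_count"] >= THRESHOLDS["pkt_count"]:
        hits.append("long_lived")
    if features["c2s_ratio"] >= THRESHOLDS["c2s_ratio"]:
        hits.append("upload_heavy")
    if features["iat_cv"] <= THRESHOLDS["iat_cv"]:
        hits.append("regular_timing")
    if features["size_entropy"] <= THRESHOLDS["size_entropy"]:
        hits.append("uniform_sizes")
    if features["c2s_size_std"] <= THRESHOLDS["c2s_size_std"]:
        hits.append("fixed_request_size")
    return hits


def is_suspected_tunnel(flow, min_hits=3):
    """Flag a flow when at least min_hits indicators fire together."""
    return len(tunnel_indicators(extract_features(flow))) >= min_hits


# Constructed sample flows (not captured traffic).
BENIGN_FLOW = DoHFlow("10.0.0.5", "1.1.1.1", [
    ("c2s", 140, 0.00), ("s2c", 380, 0.02),
    ("c2s", 162, 0.13), ("s2c", 720, 0.16),
    ("c2s", 155, 0.15), ("s2c", 410, 0.19),
    ("c2s", 171, 2.40), ("s2c", 650, 2.43),
    ("c2s", 148, 2.47), ("s2c", 455, 2.50),
    ("c2s", 166, 9.80), ("s2c", 530, 9.83),
])
# 30 requests of exactly 512 bytes every 0.5 s, each answered with 64 bytes.
TUNNEL_FLOW = DoHFlow("10.0.0.9", "198.51.100.20", [
    pkt for i in range(30)
    for pkt in (("c2s", 512, i * 0.5), ("s2c", 64, i * 0.5 + 0.01))
])

if __name__ == "__main__":
    for flow in (BENIGN_FLOW, TUNNEL_FLOW):
        f = extract_features(flow)
        print(flow.client, "->", flow.resolver, tunnel_indicators(f),
              "SUSPECT" if is_suspected_tunnel(flow) else "ok")
```

The thresholds are the weak point, and they illustrate the paper's "low throughput" problem: a tunnel that sends one small, jittered request every few minutes trips none of the volume or timing rules, so a production detector has to learn its decision boundary from labelled flows rather than hard-code it.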
Author
LIU Xiaoyu (刘晓宇), China Mobile Communications Group Guizhou Co., Ltd., Guiyang 550081, China
Source
Modern Information Technology (现代信息科技), 2024, No. 15, pp. 159-171 (13 pages)
Keywords
DoH covert tunnel
data exfiltration
detection