Abstract
DNS-over-HTTPS (DoH) is a privacy-enhancing protocol that encrypts plaintext query data in DNS resolution. However, DoH often faces accessibility challenges due to phenomena known as DoH downgrades, where DoH queries are reverted to plaintext DNS queries. Unlike downgrades in other security protocols, which are undoubtedly malicious, the act of downgrading DoH queries can be both desirable and undesirable depending on the context; e.g., enterprise networks are officially advised to avoid or downgrade DoH for security reasons. Recent research has examined DoH downgrades more closely, focusing on their prevalence, techniques, and potential bypass strategies. However, existing studies on DoH downgrades have several limitations, notably that they severely overestimate the severity of DoH downgrades across the globe because they do not distinguish between desirable and undesirable downgrades of DoH. In this work, we conduct a large-scale measurement study to provide a more accurate depiction of the DoH downgrade landscape. By minimizing the influence of desirable downgrades of DoH in our measurement probes, we show a skewed long-tail distribution of DoH downgrades across the globe. Our stateful probing techniques also reveal hidden DoH filtering mechanisms that were previously undetected. Furthermore, we design near-perfect bypass strategies against existing DoH downgrades. Our study expands our limited understanding of DoH downgrades, offering a more accurate, fine-grained, and comprehensive view of the phenomena.