It is DoH, see the attached original DNS over HTTPS request in the decrypted until.PNG file. In the blog we used mitmproxy to hijack and decrypt the HTTPS session when we showcased our finding so it is easier for readers to follow, maybe that caused confusion. https://twitter.com/bagder/status/1146740062127886338 …
-
Replying to @360Netlab
No, it is a https post all right, but not rfc8484 DoH.
2 replies 0 retweets 9 likes -
Replying to @bagder
It's not uncommon for an implementation to not strictly follow the RFC; here the attacker utilizes Cloudflare's DoH, as can be seen from the screenshots from the previous thread.
1 reply 0 retweets 2 likes -
Replying to @360Netlab
Which is why I clarified that it wasn't the standard we know as DoH!
1 reply 0 retweets 2 likes -
Replying to @bagder @360Netlab
You said it is not DoH, but it, well, is..
2 replies 0 retweets 1 like -
Your opinion is that if it resolves a domain using HTTPS, then it's DoH? Like any cgi script that does gethostbyname(param) and outputs JSON is DoH?
1 reply 0 retweets 0 likes -
If it looks like this and is using a DoH resolver then.. it's close enough for me to shorthand it as DoH. pic.twitter.com/FYZ0fX2UgW
2 replies 0 retweets 8 likes
I see, I misunderstood the argument. I agree it's okay to refer to that as DoH.