diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2021-01-07 10:56:39 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-01-07 10:56:39 +0100 |
| commit | 2080cc73655a55a25b7d643b8c194d450425e753 (patch) | |
| tree | 97d3500fa80ea02084aaecc1c1fc4c22774d85da | |
| parent | 00dabce65e526a99e7848fe7ab53ac3bd9a68b92 (diff) | |
QUIC: add suppport for DNS-over-QUIC (#1107)
Even if it is only an early internet draft, DoQ has already (at least)
one deployed implementation.
See: https://www.zdnet.com/article/ad-blocker-adguard-deploys-worlds-first-dns-over-quic-resolver/
Draft: https://tools.ietf.org/html/draft-huitema-dprive-dnsoquic-00
In the future, if this protocol will be really used, it might be worth to
rename NDPI_PROTOCOL_DOH_DOT in NDPI_PROTOCOL_DOH_DOT_DOQ
| -rw-r--r-- | src/include/ndpi_protocol_ids.h | 2 | ||||
| -rw-r--r-- | src/lib/ndpi_main.c | 2 | ||||
| -rw-r--r-- | src/lib/protocols/quic.c | 7 | ||||
| -rw-r--r-- | tests/pcap/doq.pcapng | bin | 0 -> 27752 bytes | |||
| -rw-r--r-- | tests/pcap/doq_adguard.pcapng | bin | 0 -> 54864 bytes | |||
| -rw-r--r-- | tests/result/doq.pcapng.out | 10 | ||||
| -rw-r--r-- | tests/result/doq_adguard.pcapng.out | 8 |
7 files changed, 27 insertions, 2 deletions
diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index 1683510ef..52fc0ad5d 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -225,7 +225,7 @@ typedef enum { NDPI_PROTOCOL_KAKAOTALK = 193, /* KakaoTalk Chat (no voice call) */ NDPI_PROTOCOL_KAKAOTALK_VOICE = 194, /* KakaoTalk Voice */ NDPI_PROTOCOL_TWITCH = 195, /* Edoardo Dominici <edoaramis@gmail.com> */ - NDPI_PROTOCOL_DOH_DOT = 196, /* DoH (DNS over HTTPS), DoT (DNS over TLS) */ + NDPI_PROTOCOL_DOH_DOT = 196, /* DoH (DNS over HTTPS), DoT (DNS over TLS), DoQ (DNS over QUIC). TODO: rename in NDPI_PROTOCOL_DOH_DOT_DOQ? */ NDPI_PROTOCOL_WECHAT = 197, NDPI_PROTOCOL_MPEGTS = 198, NDPI_PROTOCOL_SNAPCHAT = 199, diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 6f536952a..0b84f98ef 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -875,7 +875,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DOH_DOT, 0 /* can_have_a_subprotocol */, no_master, no_master, "DoH_DoT", NDPI_PROTOCOL_CATEGORY_NETWORK /* dummy */, ndpi_build_default_ports(ports_a, 853, 0, 0, 0, 0) /* TCP */, - ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); + ndpi_build_default_ports(ports_b, 784, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_str, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_REDDIT, 0 /* can_have_a_subprotocol */, no_master, no_master, "Reddit", NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index 48a9db734..a4c93ed1e 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c @@ -1191,6 +1191,13 @@ static void process_tls(struct ndpi_detection_module_struct *ndpi_struct, Negotiated version is only present in the ServerHello message too, but fortunately, QUIC always uses TLS version 1.3 */ flow->protos.stun_ssl.ssl.ssl_version = 0x0304; + + /* DNS-over-QUIC: ALPN is "doq" or "doq-XXX" (for drafts versions) */ + if(flow->protos.stun_ssl.ssl.alpn && + strncmp(flow->protos.stun_ssl.ssl.alpn, "doq", 3) == 0) { + NDPI_LOG_DBG(ndpi_struct, "Found DOQ (ALPN: [%s])\n", flow->protos.stun_ssl.ssl.alpn); + ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DOH_DOT, NDPI_PROTOCOL_QUIC); + } } static void process_chlo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, diff --git a/tests/pcap/doq.pcapng b/tests/pcap/doq.pcapng Binary files differnew file mode 100644 index 000000000..026d5e2af --- /dev/null +++ b/tests/pcap/doq.pcapng diff --git a/tests/pcap/doq_adguard.pcapng b/tests/pcap/doq_adguard.pcapng Binary files differnew file mode 100644 index 000000000..652074373 --- /dev/null +++ b/tests/pcap/doq_adguard.pcapng diff --git a/tests/result/doq.pcapng.out b/tests/result/doq.pcapng.out new file mode 100644 index 000000000..4572eaaea --- /dev/null +++ b/tests/result/doq.pcapng.out @@ -0,0 +1,10 @@ +ICMPV6 6 1170 1 +DoH_DoT 14 4788 1 + +JA3 Host Stats: + IP Address # JA3C + 1 ::1 1 + + + 1 UDP [::1]:47826 <-> [::1]:784 [proto: 188.196/QUIC.DoH_DoT][cat: Network/14][3 pkts/1690 bytes <-> 11 pkts/3098 bytes][Goodput ratio: 89/78][3.16 sec][ALPN: doq-i00][TLS Supported Versions: TLSv1.3;TLSv1.3 (draft);TLSv1.3 (draft);TLSv1.3 (draft)][bytes ratio: -0.294 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/7 1/329 2/1601 1/517][Pkt Len c2s/s2c min/avg/max/stddev: 117/117 563/282 1294/1294 521/340][Risk: ** SNI TLS extension was missing **][TLSv1.3][JA3C: c0ce40fbb78cbf86a14e6a38b26d6ede][Plen Bins: 0,21,50,0,0,0,7,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0] + 2 ICMPV6 [::1]:0 -> [::1]:0 [proto: 102/ICMPV6][cat: Network/14][6 pkts/1170 bytes -> 0 pkts/0 bytes][Goodput ratio: 68/0][3.10 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 100/0 620/0 1601/0 546/0][Pkt Len c2s/s2c min/avg/max/stddev: 195/0 195/0 195/0 0/0][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] diff --git a/tests/result/doq_adguard.pcapng.out b/tests/result/doq_adguard.pcapng.out new file mode 100644 index 000000000..4618b41ee --- /dev/null +++ b/tests/result/doq_adguard.pcapng.out @@ -0,0 +1,8 @@ +DoH_DoT 296 44445 1 + +JA3 Host Stats: + IP Address # JA3C + 1 192.168.12.169 1 + + + 1 UDP 192.168.12.169:41070 <-> 94.140.14.14:784 [proto: 188.196/QUIC.DoH_DoT][cat: Network/14][164 pkts/17196 bytes <-> 132 pkts/27249 bytes][Goodput ratio: 60/80][38.08 sec][ALPN: doq-i00][TLS Supported Versions: TLSv1.3][bytes ratio: -0.226 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 232/242 2999/3045 449/458][Pkt Len c2s/s2c min/avg/max/stddev: 72/81 105/206 1274/1294 132/268][TLSv1.3][Client: dns.adguard.com][JA3C: 1e022f87823477abd6a79c31d70062d7][PLAIN TEXT (AKToSb)][Plen Bins: 15,47,16,9,4,0,2,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0] |