From 2080cc73655a55a25b7d643b8c194d450425e753 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Thu, 7 Jan 2021 10:56:39 +0100
Subject: QUIC: add suppport for DNS-over-QUIC (#1107)

Even if it is only an early internet draft, DoQ has already (at least) one deployed implementation. See: https://www.zdnet.com/article/ad-blocker-adguard-deploys-worlds-first-dns-over-quic-resolver/ Draft: https://tools.ietf.org/html/draft-huitema-dprive-dnsoquic-00 In the future, if this protocol will be really used, it might be worth to rename NDPI_PROTOCOL_DOH_DOT in NDPI_PROTOCOL_DOH_DOT_DOQ
---
tests/pcap/doq.pcapng | Bin 0 -> 27752 bytes
tests/pcap/doq_adguard.pcapng | Bin 0 -> 54864 bytes
tests/result/doq.pcapng.out | 10 ++++++++++
tests/result/doq_adguard.pcapng.out | 8 ++++++++
4 files changed, 18 insertions(+)
create mode 100644 tests/pcap/doq.pcapng
create mode 100644 tests/pcap/doq_adguard.pcapng
create mode 100644 tests/result/doq.pcapng.out
create mode 100644 tests/result/doq_adguard.pcapng.out
(limited to 'tests')
diff --git a/tests/pcap/doq.pcapng b/tests/pcap/doq.pcapng
new file mode 100644
index 000000000..026d5e2af
Binary files /dev/null and b/tests/pcap/doq.pcapng differ
diff --git a/tests/pcap/doq_adguard.pcapng b/tests/pcap/doq_adguard.pcapng
new file mode 100644
index 000000000..652074373
Binary files /dev/null and b/tests/pcap/doq_adguard.pcapng differ
diff --git a/tests/result/doq.pcapng.out b/tests/result/doq.pcapng.out
new file mode 100644
index 000000000..4572eaaea
--- /dev/null
+++ b/tests/result/doq.pcapng.out
@@ -0,0 +1,10 @@
+ICMPV6 6 1170 1
+DoH_DoT 14 4788 1
+
+JA3 Host Stats:
+ IP Address # JA3C
+ 1 ::1 1
+
+
+ 1 UDP [::1]:47826 <-> [::1]:784 [proto: 188.196/QUIC.DoH_DoT][cat: Network/14][3 pkts/1690 bytes <-> 11 pkts/3098 bytes][Goodput ratio: 89/78][3.16 sec][ALPN: doq-i00][TLS Supported Versions: TLSv1.3;TLSv1.3 (draft);TLSv1.3 (draft);TLSv1.3 (draft)][bytes ratio: -0.294 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/7 1/329 2/1601 1/517][Pkt Len c2s/s2c min/avg/max/stddev: 117/117 563/282 1294/1294 521/340][Risk: ** SNI TLS extension was missing **][TLSv1.3][JA3C: c0ce40fbb78cbf86a14e6a38b26d6ede][Plen Bins: 0,21,50,0,0,0,7,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0]
+ 2 ICMPV6 [::1]:0 -> [::1]:0 [proto: 102/ICMPV6][cat: Network/14][6 pkts/1170 bytes -> 0 pkts/0 bytes][Goodput ratio: 68/0][3.10 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 100/0 620/0 1601/0 546/0][Pkt Len c2s/s2c min/avg/max/stddev: 195/0 195/0 195/0 0/0][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/result/doq_adguard.pcapng.out b/tests/result/doq_adguard.pcapng.out
new file mode 100644
index 000000000..4618b41ee
--- /dev/null
+++ b/tests/result/doq_adguard.pcapng.out
@@ -0,0 +1,8 @@
+DoH_DoT 296 44445 1
+
+JA3 Host Stats:
+ IP Address # JA3C
+ 1 192.168.12.169 1
+
+
+ 1 UDP 192.168.12.169:41070 <-> 94.140.14.14:784 [proto: 188.196/QUIC.DoH_DoT][cat: Network/14][164 pkts/17196 bytes <-> 132 pkts/27249 bytes][Goodput ratio: 60/80][38.08 sec][ALPN: doq-i00][TLS Supported Versions: TLSv1.3][bytes ratio: -0.226 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 232/242 2999/3045 449/458][Pkt Len c2s/s2c min/avg/max/stddev: 72/81 105/206 1274/1294 132/268][TLSv1.3][Client: dns.adguard.com][JA3C: 1e022f87823477abd6a79c31d70062d7][PLAIN TEXT (AKToSb)][Plen Bins: 15,47,16,9,4,0,2,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0]
--
cgit v1.2.3