Is my DoH leaking?


#1

It seems the .red domain is blocked by my work’s firewall. But I can’t figure out how they obtained the https hostname I requested.

I’m using Firefox Nightly with DoH enabled via the TRR settings. Here’s the block:

And here’s the TRR entry from Firefox:

Any ideas on how the firewall got the hostname? And, no, it’s not porn. It’s the registry for the .red TLD.


#2

The block page you get shows that the HTTP requests are going through the iBoss content filtering gateway.

The block happens at HTTP level, not DNS.


#3

Thanks! I was hoping someone would recognize that block page.

I expected that the block targets HTTP requests, but how did it get the hostname from an HTTPS request?

The browser used DNS over HTTPS to 1.1.1.1, then received the IP address for the domain. At this point, isn’t a browser’s HTTPS request encrypted, and only the IP address is known by the gateway?


#4

The hostname is not hidden in HTTPS traffic, and in addition, the iBoss gateway decrypts and inspects all HTTPS traffic.

When devices are configured to use the gateway as a proxy, the gateway can do whatever it wants, your browser will blindly trust it.


#5

If the hostname isn’t hidden in HTTPS traffic, is this because of SNI?


#6

Yes, SNI is what sends the hostname in cleartext and allows hostname-based tracking and blocking.
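To make the SNI point concrete, here is an added example (not code from this thread, and not iBoss's implementation) that builds a minimal TLS ClientHello carrying a server_name extension and then parses it the way an inline gateway would: straight off the TCP stream, before any TLS decryption, with no involvement of DNS at all. The hostname `www.example.red`, the second hostname, and the `BLOCKED_TLDS` policy are all constructed for this example; the record layout follows RFC 5246 (ClientHello) and RFC 6066 (server_name extension).

```python
import os
import struct


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS record containing a ClientHello with an SNI extension.

    Constructed for this example: a real browser hello carries many more
    extensions, but the server_name extension looks exactly like this one.
    """
    host = server_name.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(host)) + host      # name_type=host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    # An unrelated extension first, so the parser has to walk the list.
    sig_algs = struct.pack("!HH", 0x000D, 4) + struct.pack("!HH", 2, 0x0403)
    extensions = sig_algs + sni_ext
    body = (
        b"\x03\x03"                                         # client_version
        + os.urandom(32)                                    # random
        + b"\x00"                                           # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"        # two cipher suites
        + b"\x01\x00"                                       # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(data: bytes):
    """Return the SNI hostname from the first client->server TLS record, or None.

    This is all a middlebox needs: the name sits in plaintext in the very first
    packet of the connection, regardless of how the IP address was resolved.
    """
    try:
        if len(data) < 5 or data[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None                                     # truncated record
        pos = 2 + 32                                        # skip version + random
        pos += 1 + body[pos]                                # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                # compression_methods
        if pos + 2 > len(body):
            return None                                     # no extensions at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type != 0x0000:
                continue
            list_len = struct.unpack("!H", ext[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", ext[p:p + 3])
                p += 3
                name = ext[p:p + name_len]
                p += name_len
                if name_type == 0:
                    return name.decode("ascii")
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


BLOCKED_TLDS = ("red",)   # hypothetical gateway policy, constructed for this example


def gateway_decision(client_hello: bytes, blocked_tlds=BLOCKED_TLDS) -> str:
    """Hostname-based filtering on the SNI alone, with no DNS and no decryption."""
    host = extract_sni(client_hello)
    if host is None:
        return "allow"          # nothing to match; a real gateway might block instead
    tld = host.rsplit(".", 1)[-1].lower()
    return "block" if tld in blocked_tlds else "allow"


if __name__ == "__main__":
    hello = build_client_hello("www.example.red")
    print("SNI seen on the wire:", extract_sni(hello))
    print("gateway decision:", gateway_decision(hello))
```

The parser reads only the plaintext ClientHello, so resolving the name over DoH changes nothing for it: the name is handed to the gateway by the browser itself in the first bytes of the connection. The one caveat is TLS 1.3 Encrypted Client Hello (ECH): when both browser and server support it, the real name moves into an encrypted inner hello and a parser like this one sees only the outer, public name.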


#7

Thanks! I learned something new today, and it’s only 10AM!