H 14: DoH (15 pts)

What You Need

Any computer with Web access.

Background

Firefox now allows you to use DNS over HTTPS. This project demonstrates the value of that privacy-enhancing system, and its limitations (which are troubling).

Task 1: Browsing without DoH

Adjusting Firefox Settings

If you don't have Firefox, get it here:

https://getfirefox.com

Open Firefox. In the top right corner, click the "hamburger" icon, which consists of three bars.

Click Preferences. Search for network, as shown below.

In the Network section, click Settings.

Make sure that the "Enable DNS over HTTPS" box is not checked, as shown below.

Click OK.

Starting Wireshark Sniffing

If you don't have Wireshark, get it here:

https://www.wireshark.org/

Open Wireshark and start sniffing on the adapter that goes to the Internet.

Opening the "BADNESS" Page

Type this URL into Firefox and then press Enter:
badness.samsclass.info
The site shows a "Forbidden" message, as shown below. We didn't reach a page, but the system still performed a DNS lookup.

Viewing DNS Traffic

In Wireshark, stop the capture.

In the Filter bar, type:

dns
and press Enter.

The DNS requests for the "BADNESS" page are visible, exposing the hostname in plaintext to anyone who can sniff your traffic, as shown below.

Viewing Other Exposures

In Wireshark, in the Filter bar, type:
frame contains badness
and press Enter.

Several other packets also expose the URL, as shown below.

Task 2: Browsing with DoH

Adjusting Firefox Settings

In Firefox settings, check the "Enable DNS over HTTPS" box, as shown below.

Click OK.

Starting Wireshark Sniffing

In Wireshark, start sniffing again.

Opening the "WICKEDNESS" Page

Type this URL into Firefox and then press Enter:
wickedness.samsclass.info
The site shows a "Forbidden" message.

Viewing DNS Traffic

In Wireshark, stop the capture.

In the Filter bar, type:

dns
and press Enter.

There are no longer any DNS requests exposing the URL, as shown below.

Viewing Other Exposures

In Wireshark, in the Filter bar, type:
frame contains wickedness
and press Enter.

TLS packets still expose the hostname, as shown below. DoH encrypts the DNS lookup, but the TLS ClientHello that Firefox sends to the web server carries the server name in plaintext (the SNI extension), so a sniffer still learns which site you visited.


H 14.1: War Site (5 pts)

Download this PCAP file.

war.pcap

A user browsed to a domain containing the word war.

Find that domain name--it's the flag.


H 14.2: Flag (10 pts)

Download this PCAP file.

H14.pcap

A user browsed to a domain containing the word flag.

Find that domain name--it contains the flag.


Posted 10-2-17
Updated to new scoring engine 7-11-19