Detection of DoH traffic to known DoH-providers
This query identifies network traffic to well-known DoH endpoints (e.g., Cloudflare, Google, Quad9, Mozilla). DoH encrypts DNS requests inside HTTPS, which enhances privacy but creates blind spots for defenders. Adversaries can exploit DoH to bypass DNS-based filtering, hide access to phishing domains, establish stealthy command-and-control channels, or exfiltrate data without triggering traditional DNS logs. Monitoring and alerting on DoH connections helps restore visibility into DNS activity—one of the most critical layers of network defense.
Network hunting
FDR · intermediate · by ByteRay GmbH (cql-hub.com) · 1 min read
Query
#event_simpleName = DnsRequest
| in(field="DomainName", values=["cloudflare-dns.com", "dns.google", "dns.quad9.net","mozilla.cloudflare-dns.com"])
| groupBy(["ComputerName", "ContextBaseFileName"])
Explanation
Imported from cql-hub.com.
#event_simpleName = DnsRequest restricts the search to DNS request events.
| in(field="DomainName", values=[...]) keeps only the requests whose DomainName is exactly one of the listed DoH resolver hostnames (cloudflare-dns.com, dns.google, dns.quad9.net, mozilla.cloudflare-dns.com).
| groupBy(["ComputerName", "ContextBaseFileName"]) summarizes the matches per host and per requesting process, so a browser resolving a DoH provider can be told apart from an unexpected process doing the same.
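The same detection logic, run offline over a few constructed DnsRequest events, as an added example that is not part of the cql-hub.com page or of ByteRay's query. It reproduces the query's three steps (event filter, provider match, group by host and process) and, going one step beyond the query's exact match, normalizes case and trailing dots and can optionally treat subdomains of a provider as matches. The event field names are the ones used in the query; the hostnames, host names and process names in the sample log are constructed.

```python
import json
from collections import Counter

# The DoH resolver hostnames named in the query above.
DOH_PROVIDERS = {
    "cloudflare-dns.com",
    "dns.google",
    "dns.quad9.net",
    "mozilla.cloudflare-dns.com",
}

# Constructed sample events (JSON lines) using the query's field names.
# WS04's DomainName is a made-up subdomain of a provider to show the subdomain caveat.
SAMPLE_LOG = """\
{"event_simpleName": "DnsRequest", "ComputerName": "WS01", "ContextBaseFileName": "chrome.exe", "DomainName": "dns.google"}
{"event_simpleName": "DnsRequest", "ComputerName": "WS01", "ContextBaseFileName": "chrome.exe", "DomainName": "example.com"}
{"event_simpleName": "DnsRequest", "ComputerName": "WS02", "ContextBaseFileName": "powershell.exe", "DomainName": "cloudflare-dns.com"}
{"event_simpleName": "DnsRequest", "ComputerName": "WS02", "ContextBaseFileName": "powershell.exe", "DomainName": "cloudflare-dns.com"}
{"event_simpleName": "NetworkConnectIP4", "ComputerName": "WS02", "ContextBaseFileName": "powershell.exe", "DomainName": "dns.quad9.net"}
{"event_simpleName": "DnsRequest", "ComputerName": "WS03", "ContextBaseFileName": "firefox.exe", "DomainName": "Mozilla.Cloudflare-DNS.com."}
{"event_simpleName": "DnsRequest", "ComputerName": "WS04", "ContextBaseFileName": "curl.exe", "DomainName": "constructed-sub.dns.quad9.net"}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def normalize(domain):
    """Lower-case and strip a trailing dot so FQDN spellings compare equal."""
    return domain.strip().lower().rstrip(".")


def is_doh_provider(domain, providers=DOH_PROVIDERS, include_subdomains=False):
    """True if the domain is a listed provider (or, optionally, a subdomain of one).

    The leading '.' in the suffix check stops 'notdns.google' from matching 'dns.google'.
    """
    d = normalize(domain)
    if d in providers:
        return True
    if include_subdomains:
        return any(d.endswith("." + p) for p in providers)
    return False


def hunt_doh(events, include_subdomains=False):
    """Mirror of the query: DnsRequest events for DoH providers, counted per (host, process)."""
    counts = Counter()
    for ev in events:
        if ev.get("event_simpleName") != "DnsRequest":
            continue
        if not is_doh_provider(ev.get("DomainName", ""), include_subdomains=include_subdomains):
            continue
        counts[(ev["ComputerName"], ev["ContextBaseFileName"])] += 1
    return dict(counts)


SAMPLE_EVENTS = parse_events(SAMPLE_LOG)

if __name__ == "__main__":
    for mode in (False, True):
        print(f"include_subdomains={mode}")
        for (host, proc), n in sorted(hunt_doh(SAMPLE_EVENTS, include_subdomains=mode).items()):
            print(f"  {host:<6} {proc:<16} {n}")
```

Two points worth keeping in mind when tuning the query itself: as written, in() matches the listed names exactly, so other hostnames under a provider's domain are not caught unless you add them (the include_subdomains option above is an addition for comparison, not part of the query); and the detection keys on the plain-DNS lookup a client makes for the resolver's hostname, so a client configured with the resolver's IP address directly never produces a matching DnsRequest and needs a network-layer control instead.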
Variables to adjust
Review and adjust the values (the DomainName list above) for your environment.