Comparative Analysis of DNS over HTTPS Detectors

Abstract

DNS over HTTPS (DoH) is a protocol that encrypts DNS traffic to improve user privacy and security. However, its use also poses challenges for network operators and security analysts who need to detect and monitor network traffic for security purposes. Therefore, there are multiple DoH detection proposals that leverage machine learning to identify DoH connections; however, these proposals were often tested on different datasets, and their evaluation methodologies were not consistent enough to allow direct performance comparison. In this study, seven DoH detection proposals were recreated and evaluated with six different experiments to answer research questions that targeted specific deployment scenarios concerning ML-model transferability, usability, and longevity. For thorough testing, a large Collection of DoH datasets along with a novel 5-week dataset was used, which enabled the evaluation of models’ longevity. This study provides insights into the current state of DoH detection techniques and evaluates the models in scenarios that have not been previously tested. Therefore, this paper goes beyond classical replication studies and shows previously unknown properties of seven published DoH detectors.

DNS over HTTPS (DoH) is a protocol that encrypts DNS traffic to improve user privacy and security. However, its use also poses challenges for network operators and security analysts who need to detect and monitor network traffic for security purposes. Therefore, there are multiple DoH detection proposals that leverage machine learning to identify DoH connections; however, these proposals were often tested on different datasets, and their evaluation methodologies were not consistent enough to allow direct performance comparison. In this study, seven DoH detection proposals were recreated and evaluated with six different experiments to answer research questions that targeted specific deployment scenarios concerning ML-model transferability, usability, and longevity. For thorough testing, a large Collection of DoH datasets along with a novel 5-week dataset was used, which enabled the evaluation of models’ longevity. This study provides insights into the current state of DoH detection techniques and evaluates the models in scenarios that have not been previously tested. Therefore, this paper goes beyond classical replication studies and shows previously unknown properties of seven published DoH detectors.