Detecting Data Exfiltration over Encrypted DNS

Data breaches linked to individual and company information are exposed on an almost daily basis. With increasing media attention and visibility of this security issue, users are becoming more aware of privacy concerns related to their activity on the Internet. Fundamental to the operation of the Internet is the Domain Name System (DNS), which translates domain names to IP addresses enabling easy web browsing. Encrypted DNS has become popular to increase user privacy by ensuring that activity transmitted over domain queries is not visible to intermediary network devices between the client and the DNS endpoint. Unfortunately, this undermines the security services designed to analyse DNS traffic for the detection of exploitation of DNS for use as a covert communication and data exfiltration channel. In this work, we propose a solution, DoHxP, to enable protection of DNS over HTTPS (DoH) traffic from data exfiltration without compromising user privacy. Our results show that DoHxP successfully prevents up to 99.88% of the malicious DoH traffic from being transmitted outside of the network.