Evading DoH via Live Memory Forensics for Phishing Detection and Content Filtering

2021 International Conference on COMmunication Systems & NETworkS (COMSNETS) (2021)

Abstract
The Internet will see a boost in DNS over HTTPS (DoH) traffic to enhance user privacy. The existing mechanisms of monitoring/filtering DNS traffic at endpoints/gateways that rely on URLs (either received via the operating system DNS Client or via header analysis of DNS queries over the network) will not work. In this paper, we propose a novel idea to uncover the DoH traffic by directly sniffing URLs from the RAM of endpoints/client machines. Our approach can be used by an organization's content filtering and phishing detection solutions. The contents viewed by employees from their computing systems can be monitored and controlled even when they use browsers supporting DoH to hide DNS queries. Our experimental analysis demonstrates the feasibility, effectiveness and robustness of the proposed idea.
Keywords
user privacy, DNS traffic, header analysis, DoH traffic, DNS queries, live memory forensics, phishing detection, content filtering, Internet, gateways, operating system DNS client, browsers, DNS over HTTPS traffic, URL sniffing