
DETECTION OVERVIEW

New DNS over HTTPS (DoH) Activity

Risk Factors

DoH is supported by several browsers, applications, and public DoH providers. DoH can be enabled by anyone, even if your network prohibits the service. Attackers can hide C&C communication carried over DNS behind the encryption that DoH provides.

The system might change the risk score for this detection.

Kill Chain

Caution

Risk Score

41

Detection diagram

Attack Background

N/A

Mitigation Options

Quarantine the client and check for indicators of compromise

Disable DoH by updating individual browser settings or establishing an enterprise policy

Disable DoH requests sent from Firefox browsers by adding a canary domain (use-application-dns.net) for your local network resolver

Block outbound traffic to known DoH providers at the network perimeter
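The detection premise above (a client that starts talking to a DoH resolver for the first time) and the last mitigation step (knowing which DoH providers to block) can be illustrated with a small first-seen detector over HTTPS connection records. This is an added example, not RevealX code; the resolver hostnames, the RFC 8484 `/dns-query` path and `application/dns-message` content type, and the sample records are all constructed assumptions for the illustration.

```python
"""First-seen DNS-over-HTTPS detector over per-request HTTPS records.
Added illustration; not part of the RevealX product."""

# Assumed allow/block inventory of public DoH resolvers (constructed; replace
# with your own maintained list).
DOH_PROVIDERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "doh.opendns.com"}
DOH_PATH = "/dns-query"                      # RFC 8484 default endpoint path
DOH_CONTENT_TYPE = "application/dns-message"  # RFC 8484 media type


def is_doh(record):
    """A record looks like DoH if the server name is a known resolver, or if
    the request carries the dns-query path or dns-message content type (which
    also catches self-hosted resolvers not in the provider list)."""
    if record.get("host", "").lower() in DOH_PROVIDERS:
        return True
    if record.get("path", "").startswith(DOH_PATH):
        return True
    return record.get("content_type", "").startswith(DOH_CONTENT_TYPE)


def find_new_doh_activity(records, known_clients=frozenset()):
    """Return {client: first DoH record} for clients that were not already in
    the baseline of known DoH users.  Each client is reported once."""
    seen = set(known_clients)
    alerts = {}
    for rec in records:
        if not is_doh(rec) or rec["client"] in seen:
            continue
        seen.add(rec["client"])
        alerts[rec["client"]] = rec
    return alerts


# Constructed sample records, one per HTTPS request (not real traffic).
SAMPLE_RECORDS = [
    {"client": "10.0.0.5", "host": "example.org", "path": "/", "content_type": "text/html"},
    {"client": "10.0.0.5", "host": "dns.google", "path": "/dns-query", "content_type": "application/dns-message"},
    {"client": "10.0.0.7", "host": "resolver.internal.test", "path": "/dns-query", "content_type": "application/dns-message"},
    {"client": "10.0.0.9", "host": "cloudflare-dns.com", "path": "/dns-query", "content_type": "application/dns-message"},
    {"client": "10.0.0.5", "host": "cloudflare-dns.com", "path": "/dns-query", "content_type": "application/dns-message"},
]

if __name__ == "__main__":
    # 10.0.0.9 is already a known DoH user, so only 10.0.0.5 and 10.0.0.7 alert.
    for client, rec in find_new_doh_activity(SAMPLE_RECORDS, {"10.0.0.9"}).items():
        print(f"new DoH activity: {client} -> {rec['host']}{rec['path']}")
```

In practice the baseline of known clients would be persisted between runs, and a hit should trigger the quarantine and IoC review described in the first mitigation step.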

MITRE ATT&CK ID
