Detecting C2 over DNS over HTTPS

We are conducting a purple team exercise, and I really expected ExtraHop to flag on C2 and data exfiltration over DoH. Does anyone have a good alert for this?


@jason.carrier.ctr - welcome to the forums!

I’m on the Product team here at ExtraHop, and can provide a quick update on DoH visibility/detection.

This is an area of active research / investigation for us. Near term, our focus is on better classification of DoH traffic based on identification of known DoH providers, and detection of unexpected DoH usage by a device.

I also want to mention that a best practice among several of our customers has been to disable DoH. I’m curious if you’re considering that.


We have disabled it, but we are what you would call hyper paranoid. We turned it off at the firewall and in browsers, but would still like a detection.
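
The approach discussed in this thread (classify DoH by known provider, then alert on devices that should not be using it) can be sketched over exported flow records. This is an added example, not part of the original posts and not ExtraHop code; the record layout, provider sample, allowlist, and byte threshold are all assumptions.

```python
from collections import defaultdict

# Assumption: a small sample of public DoH endpoints; keep the real list curated.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com",
                   "mozilla.cloudflare-dns.com", "dns.quad9.net"}
# Assumption: devices approved for DoH (empty when DoH is disabled everywhere).
APPROVED_DOH_CLIENTS = set()

# Constructed flow records: (client_ip, server_port, tls_sni, bytes_out)
SAMPLE_FLOWS = [
    ("10.0.5.21", 443, "dns.google", 1800),
    ("10.0.5.21", 443, "dns.google", 2100),
    ("10.0.5.21", 443, "www.example.com", 5200),
    ("10.0.7.9", 443, "Cloudflare-DNS.com.", 950_000),
    ("10.0.8.3", 443, "intranet.example.com", 700),
    ("10.0.8.3", 853, "dns.quad9.net", 400),  # DoT on 853, not DoH
]

def normalize(sni):
    """Lower-case the SNI and drop a trailing dot so matching is exact."""
    return (sni or "").rstrip(".").lower()

def is_doh_flow(port, sni):
    """DoH here means TLS on 443 to a host on the known-provider list."""
    return port == 443 and normalize(sni) in KNOWN_DOH_HOSTS

def unexpected_doh(flows, approved=APPROVED_DOH_CLIENTS, exfil_bytes=500_000):
    """Return one alert per unapproved client seen talking to a DoH provider.

    Severity is raised when outbound volume to DoH providers reaches
    exfil_bytes (assumed threshold; tune it to the environment).
    """
    stats = defaultdict(lambda: {"flows": 0, "bytes_out": 0, "providers": set()})
    for client, port, sni, bytes_out in flows:
        if client in approved or not is_doh_flow(port, sni):
            continue
        entry = stats[client]
        entry["flows"] += 1
        entry["bytes_out"] += bytes_out
        entry["providers"].add(normalize(sni))
    return [
        {"client": client, "flows": s["flows"], "bytes_out": s["bytes_out"],
         "providers": sorted(s["providers"]),
         "severity": "high" if s["bytes_out"] >= exfil_bytes else "medium"}
        for client, s in sorted(stats.items())
    ]

if __name__ == "__main__":
    for alert in unexpected_doh(SAMPLE_FLOWS):
        print(alert)
```

Matching on SNI only catches resolvers on the list, so a self-hosted DoH endpoint or a connection using Encrypted Client Hello will not match.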