
Flowmon ADS User Guide

DOHDET - Communication with DoH servers

  • Last Updated: May 1, 2026

Method description

This method detects devices that use the DNS over HTTPS (DoH) protocol to resolve domain names. From the user's perspective, the main advantage of DoH is that it improves security and privacy by encrypting DNS traffic, so intermediaries on the network path cannot see which domains a user visits. DoH also uses the same port as regular HTTPS (443), so it is nearly impossible to distinguish DoH from ordinary HTTPS traffic by ports alone. From the monitoring perspective, these properties may be problematic because the protocol can be misused to bypass network security policy or to hide malware activity.

This method consists of the following sub-methods:

  • KnownServers: Reports devices that use the DNS over HTTPS protocol. This sub-method matches traffic against a list of publicly known DoH servers to report clients that use encrypted DNS. Note that this sub-method works only with flow data from Flowmon probes. Flow data from other sources do not contain the information needed for evaluation (the queried DNS domain, the TLS SNI field or the HTTP hostname).

  • BehavioralDetection: Reports devices that use the DNS over HTTPS protocol. This sub-method uses a publicly known list of potential DoH servers and analyzes communication with those servers using an algorithm that inspects behavioral patterns in flow data (for example packet counts and average bytes per packet in each direction). Based on these patterns, the algorithm classifies the target server as either a DoH server or a regular HTTPS server. If the target server is classified as DoH, the clients that communicate with it are reported. Note that some regular HTTPS servers exhibit behavior similar to DoH servers, so false positive detections may occur.

Method configuration

It is recommended to apply this method to all IP addresses in the monitored network. The right place to monitor traffic is the Internet uplink or the central switch. To keep the list of known DoH servers up to date, do not block communication from the Flowmon appliance to the services.flowmon.com server on port 443 (HTTPS, standard secured web traffic). Also ensure that the Flowmon services option is enabled on your Flowmon appliance in Settings → System Settings → General settings.

Method parameters

General

  • ExcludeDoHServers: A filter matching the DoH servers that are allowed to be used in the monitored network. No events are created when a monitored device uses one of these servers.

BehavioralDetection

  • MinimalDownload: The minimum amount of data in bytes that a client has to download from a DoH server to report an event.

  • MinimalUpload: The minimum amount of data in bytes that a client has to upload to a DoH server to report an event.

  • MinimumCoverage: The number of flows that must be collected for a particular server before the algorithm evaluates whether it is a DoH server. This parameter determines the length of the learning period: the higher the value, the longer the learning period.

  • Threshold: The number of flows that must be identified as DoH communication to mark the server as a DoH server.

  • TimeToDeath: After the evaluation, the algorithm stores information about whether the server is a DoH server or a regular HTTPS server. This parameter specifies the number of days after which this information should be deleted and the evaluation should start again.

  • Tolerance: Tunes the sensitivity of the detection. A higher value makes the method less strict, which may increase the number of false positive detections. Conversely, a lower value may cause some legitimate DoH servers to go undetected but may reduce the number of false positives.

  • MinDoHRequests: The minimum number of client requests that must be evaluated as DoH requests to consider a target server a DoH server.

  • MinDoHResponses: The minimum number of server responses that must be evaluated as DoH responses to consider the server a DoH server.

  • MinBPPRequest: The minimum value of average bytes per packet metric for a client request to be considered a DoH request. Increasing this value makes the detection less sensitive.

  • MaxBPPRequest: The maximum value of average bytes per packet metric for a client request to be considered a DoH request. Decreasing this value makes the detection less sensitive.

  • MinBPPResponse: The minimum value of average bytes per packet metric for a server response to be considered a DoH response. Increasing this value makes the detection less sensitive.

  • MaxBPPResponse: The maximum value of average bytes per packet metric for a server response to be considered a DoH response. Decreasing this value makes the detection less sensitive.

  • MinPacketsRequest: The minimum number of packets for a client request to be considered a DoH request. Increasing this value makes the detection less sensitive.

  • MinPacketsResponse: The minimum number of packets for a server response to be considered a DoH response. Increasing this value makes the detection less sensitive.
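To make the interaction of these parameters concrete, the following is an added example (not Flowmon's implementation and not code from this page) that models a BehavioralDetection-style classifier in Python. The flow records, IP addresses (TEST-NET ranges), parameter defaults and the way Tolerance widens the bytes-per-packet windows are all assumptions made for illustration; only the parameter names mirror the page.

```python
"""Toy model of a DoH behavioral classifier driven by DOHDET-style parameters.
Added example: not Flowmon's algorithm. All traffic, addresses and defaults are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Flow:
    """One client/server exchange as a probe might export it (constructed biflow)."""
    day: int            # day the flow was observed; drives TimeToDeath
    client: str
    server: str
    req_bytes: int      # client -> server
    req_packets: int
    resp_bytes: int     # server -> client
    resp_packets: int


@dataclass
class Params:
    """Names mirror the page's parameters; the default values are assumptions."""
    minimal_download: int = 2000
    minimal_upload: int = 1000
    minimum_coverage: int = 5
    threshold: int = 4
    time_to_death: int = 7          # days a stored verdict is kept
    tolerance: float = 0.1          # assumed to widen the BPP windows by +-10 %
    min_doh_requests: int = 4
    min_doh_responses: int = 4
    min_bpp_request: int = 80
    max_bpp_request: int = 400
    min_bpp_response: int = 80
    max_bpp_response: int = 600
    min_packets_request: int = 3
    min_packets_response: int = 3


@dataclass
class ServerState:
    coverage: int = 0               # flows seen during the learning period
    doh_requests: int = 0
    doh_responses: int = 0
    doh_flows: int = 0              # flows where both directions looked like DoH
    verdict: Optional[bool] = None  # None = still learning
    expires_on: Optional[int] = None


def _in_window(bpp, lo, hi, tol):
    # Tolerance modelled as widening the acceptance window (assumption, not the page's definition).
    return lo * (1 - tol) <= bpp <= hi * (1 + tol)


def looks_like_doh_request(f: Flow, p: Params) -> bool:
    return (f.req_packets >= p.min_packets_request and
            _in_window(f.req_bytes / f.req_packets, p.min_bpp_request, p.max_bpp_request, p.tolerance))


def looks_like_doh_response(f: Flow, p: Params) -> bool:
    return (f.resp_packets >= p.min_packets_response and
            _in_window(f.resp_bytes / f.resp_packets, p.min_bpp_response, p.max_bpp_response, p.tolerance))


def run_detection(flows, p: Params, exclude_doh_servers):
    """Return (events, verdicts). events: (client, server) pairs, each reported once."""
    excluded = [ipaddress.ip_network(n) for n in exclude_doh_servers]
    servers = defaultdict(ServerState)
    volume = defaultdict(lambda: [0, 0])   # (client, server) -> [uploaded, downloaded]
    events, reported = [], set()
    for f in flows:
        st = servers[f.server]
        if st.verdict is not None and f.day >= st.expires_on:
            st = servers[f.server] = ServerState()   # TimeToDeath elapsed: forget and re-learn
        if st.verdict is None:                        # learning period: collect MinimumCoverage flows
            req, resp = looks_like_doh_request(f, p), looks_like_doh_response(f, p)
            st.coverage += 1
            st.doh_requests += req
            st.doh_responses += resp
            st.doh_flows += req and resp
            if st.coverage >= p.minimum_coverage:
                st.verdict = (st.doh_flows >= p.threshold
                              and st.doh_requests >= p.min_doh_requests
                              and st.doh_responses >= p.min_doh_responses)
                st.expires_on = f.day + p.time_to_death
        vol = volume[(f.client, f.server)]
        vol[0] += f.req_bytes
        vol[1] += f.resp_bytes
        allowed = any(ipaddress.ip_address(f.server) in n for n in excluded)  # ExcludeDoHServers
        if (st.verdict and not allowed and (f.client, f.server) not in reported
                and vol[0] >= p.minimal_upload and vol[1] >= p.minimal_download):
            reported.add((f.client, f.server))
            events.append((f.client, f.server))
    return events, {s: st.verdict for s, st in servers.items()}


def sample_flows():
    """Constructed traffic using TEST-NET addresses; not captured data."""
    doh_shape = dict(req_bytes=900, req_packets=5, resp_bytes=1500, resp_packets=5)     # small, symmetric
    web_shape = dict(req_bytes=600, req_packets=4, resp_bytes=60000, resp_packets=45)   # large download
    flows = [Flow(0, "192.0.2.1", "203.0.113.10", **doh_shape) for _ in range(6)]       # DoH-like server
    flows += [Flow(0, "192.0.2.2", "203.0.113.10", **doh_shape)]                        # below MinimalUpload
    flows += [Flow(0, "192.0.2.1", "203.0.113.20", **web_shape) for _ in range(6)]      # ordinary HTTPS
    flows += [Flow(0, "192.0.2.2", "203.0.113.30", **doh_shape) for _ in range(6)]      # allowed DoH server
    flows += [Flow(8, "192.0.2.1", "203.0.113.10", **doh_shape)]                        # after TimeToDeath
    return flows


if __name__ == "__main__":
    events, verdicts = run_detection(sample_flows(), Params(), ["203.0.113.30/32"])
    print("events:", events)       # only 192.0.2.1 -> 203.0.113.10 is reported
    print("verdicts:", verdicts)   # 203.0.113.10 is back in its learning period after day 7
```

Reading the result: the second client's single flow to 203.0.113.10 is not reported because its upload stays under MinimalUpload, the large-download server is classified as ordinary HTTPS because its responses exceed MaxBPPResponse, the server covered by ExcludeDoHServers produces no event despite a DoH verdict, and the flow on day 8 shows how TimeToDeath discards the stored verdict and restarts learning.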

Assigned filter

Only flows whose source or destination IP address matches the assigned filter will be processed.

Interpretation of results

The method detects devices that use the DNS over HTTPS protocol to resolve domain names. These detections may signal a misconfiguration or an attempt to bypass enterprise security policy by otherwise harmless software (web browsers, operating systems, and so on). They may also indicate an infection by malware that hides its activity inside an encrypted channel.
