Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

What's up with TCP 853 (DNS over TLS)?

Published: 2019-10-21
Last Updated: 2019-10-21 18:14:12 UTC
by Jim Clausing (Version: 1)
0 comment(s)

I was looking at some of our data lat last week and noticed an increase probes on tcp port 853. For those of you who aren't aware, tcp port 853 is assigned to DNS over TLS as defined in RFC 7858. DNS over TLS (or DoT) was defined in 2016 as a way of hiding the contents of DNS requests from prying eyes on the network since DNS normally occurs in the clear over port 53. Of course, over the last few months all of the discussion has actually been about an alternative to DoT, DNS over HTTPS (or DoH) defined in RFC 8484, since the major web browser vendors (Google and Mozilla) have announced that they are or will be supporting DoH within the browser in the near future. For the moment, I'll stay out of the debate about the merits of DoT vs. DoH. But, back to this story, since I noticed the increase on port 853, let's discuss DoT. Because DoT requires setting up a TLS connection, it was defined as a TCP protocol (where DNS was primarily UDP). There was a subsequent RFC 8094 which defined DNS over DTLS which moved this back to UDP, but obviously required more traffic to set up the initual TLS encryption, though once established could then potentially be pretty efficient. I had actually setup DoT on my home (bind9) DNS server just a few weeks ago using stunnel as described in the docs from, to do some testing, so seeing this increase got my attention (though I hadn't actually opened 853 to the internet, just to my internal network). I haven't setup a netcat listener or honeypot to capture the traffic, but you can see that while there were a couple of brief spikes in the number of targets late last year and then a ramping up starting around the beginning of September, the big jump including new scanners has just ramped up since the beginning of Oct. This first graph is 365 days.

And here I've zoomed into about the last 90 days.

Since this is all TCP traffic (though I'm not showing the TCP ration on that graph, but I did look at the data), I doubt that this is actually a search for DDoS reflectors, but I don't really know what it is that they are looking for here. I hope to get a honeypot up in the next couple of days to see if I can figure it out, but in the meantime if any of our readers have any insights into what is going on here, please let us know in the comments or via our contact page.

Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

Keywords: dns over tls
0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Scanning Activity for NVMS-9000 Digital Video Recorder
Oct 20th 2019
18 hours ago by Guy (0 comments)

What Assumptions Are You Making?
Oct 19th 2019
2 days ago by Russell (0 comments)

Quick Malicious VBS Analysis
Oct 18th 2019
3 days ago by Xme (0 comments)

Phishing e-mail spoofing SPF-enabled domain
Oct 17th 2019
4 days ago by Jan (0 comments)

When MacOS Catalina Comes to Life: The First Few Minutes of Network Traffic From MacOS 10.15.
Oct 16th 2019
4 days ago by Johannes (0 comments)

Security Monitoring: At Network or Host Level?
Oct 16th 2019
5 days ago by Xme (0 comments)

YARA's XOR Modifier
Oct 14th 2019
6 days ago by DidierStevens (0 comments)

View All Diaries →

Latest Discussions

Suspicious Domain Scoring
created Oct 4th 2019
2 weeks ago by Luke (1 reply)

SANS ISC InfoSec News RSS Feed broken?
created Aug 29th 2019
1 month ago by Adi (2 replies)

created Aug 14th 2019
2 months ago by Anonymous (0 replies)

"Network Mom ACL Analyzer" finds errors, matches, and duplicates in Cisco ACLs
created Jul 29th 2019
2 months ago by DarrellRoot (0 replies)

Worth protecting my website?
created Jun 28th 2019
3 months ago by Anonymous (3 replies)

View All Forums →

Latest News

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
2 years ago by Brad (0 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
2 years ago by Johannes (0 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
2 years ago by Renato (0 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
1 year ago by Russ McRee (0 comments)

An infection from Rig exploit kit
Jun 17th 2019
4 months ago by Brad (0 comments)