DNS-over-HTTPS Downgrade Attack

In our recent project about DNS-over-HTTPS (DoH), we found that Brave may be subject to DoH downgrade attacks. To be more specific, if DoH URI resolution or DoH traffic is intercepted by a MitM attacker (via DNS cache poisoning, a TCP RST attack, etc.), the browser falls back to normal DNS without any notification to the user. Thus the DNS traffic could be further manipulated by attackers and censors.

We hope this information is useful for your product development, and we wonder whether it is possible for you to tackle this problem. Here are our suggestions: 1) the DoH protocol could be improved; 2) it would be better if users could choose a strict mode that prohibits fallback, if they want to; 3) at the very least, users could be notified when DoH is not working, just like the indicator for the HTTPS certificate.
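The fallback behaviour reported above, and the two mitigations suggested (a strict mode and a downgrade indicator), modelled as an added example. This is illustrative code written for this page, not Brave or Chromium code; the resolver hostname `doh.example.net`, the records, the `Mode` names and the `Attacker` knobs are all constructed assumptions, and the "network" is an in-memory stand-in so the script runs offline.

```python
# Toy model of a browser's DoH fallback policy under an on-path attacker.
# Constructed for illustration only; nothing here touches a real network.
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional, Tuple


class Mode(Enum):
    AUTOMATIC = "automatic"  # silently fall back to plain DNS (the behaviour reported)
    STRICT = "strict"        # never fall back: fail closed when DoH is unavailable
    NOTIFY = "notify"        # fall back, but surface a downgrade indicator to the user


class DohUnavailable(Exception):
    """DoH transport failed: connection reset, timeout, or bootstrap lookup went wrong."""


@dataclass
class Answer:
    address: Optional[str]  # resolved IP, or None when resolution failed closed
    transport: str          # "doh", "do53" or "none"
    downgraded: bool        # True when plaintext DNS was used instead of DoH
    notice: Optional[str]   # user-visible warning, if the policy produces one


# Assumed "true" records and an assumed DoH resolver hostname (constructed).
TRUE_RECORDS = {"example.org": "93.184.216.34", "doh.example.net": "198.51.100.7"}
DOH_HOST = "doh.example.net"


@dataclass
class Attacker:
    block_doh: bool = False                                   # TCP RST / drop DoH connections
    poison: Dict[str, str] = field(default_factory=dict)     # spoofed Do53 answers, name -> IP


def make_transports(attacker: Attacker) -> Tuple[Callable[[str], str], Callable[[str], str]]:
    def do53_query(name: str) -> str:
        # Plain UDP/53 carries no integrity protection: an on-path attacker can
        # answer first, so a poisoned record wins over the real one.
        return attacker.poison.get(name, TRUE_RECORDS[name])

    def doh_fetch(name: str) -> str:
        # The DoH server's own hostname is bootstrapped over plaintext DNS. If that
        # answer is poisoned, the TLS handshake with the wrong host fails (the
        # attacker cannot present a valid certificate), so DoH is simply unavailable.
        if do53_query(DOH_HOST) != TRUE_RECORDS[DOH_HOST]:
            raise DohUnavailable(f"TLS certificate mismatch for {DOH_HOST}")
        if attacker.block_doh:
            raise DohUnavailable("connection reset by peer")
        return TRUE_RECORDS[name]

    return doh_fetch, do53_query


def resolve(name: str, mode: Mode,
            doh_fetch: Callable[[str], str], do53_query: Callable[[str], str]) -> Answer:
    try:
        return Answer(doh_fetch(name), "doh", False, None)
    except DohUnavailable as err:
        if mode is Mode.STRICT:
            # Fail closed: no answer rather than an unauthenticated one.
            return Answer(None, "none", False, f"DoH failed ({err}); refusing plaintext DNS")
        address = do53_query(name)
        notice = None
        if mode is Mode.NOTIFY:
            notice = f"DoH failed ({err}); {name} was resolved over plaintext DNS"
        # AUTOMATIC mode reaches here with notice=None: the downgrade is invisible.
        return Answer(address, "do53", True, notice)


def run_scenario(mode: Mode, attacker: Attacker, name: str = "example.org") -> Answer:
    doh_fetch, do53_query = make_transports(attacker)
    return resolve(name, mode, doh_fetch, do53_query)


if __name__ == "__main__":
    mitm = Attacker(block_doh=True, poison={"example.org": "203.0.113.66"})
    for mode in Mode:
        print(mode.value, run_scenario(mode, mitm))
    # Poisoning only the DoH bootstrap name is enough to force the fallback.
    print("bootstrap-poison", run_scenario(Mode.AUTOMATIC, Attacker(poison={DOH_HOST: "203.0.113.9"})))
```

Running it shows the three outcomes side by side: in AUTOMATIC mode the attacker's spoofed address comes back with `notice=None`, in STRICT mode the lookup fails rather than returning an unauthenticated answer, and in NOTIFY mode the spoofed answer still arrives but the `notice` field gives the UI something to display. The last line shows that the attacker does not even need to block DoH traffic; spoofing the plaintext lookup of the resolver's hostname is sufficient to trigger the fallback.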

If you have a CVE* identifier specific to this, why not submit a bug report for it (?)