Dataset of DNS over HTTPS traffic from Firefox (Comcast, CZNIC, DNSForge, DSNSB, DOHli) The dataset contains DoH and HTTPS traffic that was captured in a virtualized environment (Docker) and generated automatically by Firefox browser with enabled DoH towards 5 different DoH servers (Comcast, CZNIC, DNSForge, DSNSB, DOHli) and a web page loads towards a sample of web pages taken from Majestic Million dataset. The data are provided in the form of PCAP files. However, we also provided TLS enriched flow data that are generated with opensource [ipfixprobe](https://github.com/CESNET/ipfixprobe) flow exporter. Other than TLS related information is not relevant since the dataset comprises only encrypted TLS traffic. The TLS enriched flow data are provided in the form of CSV files with the following columns: Column Name Column Description DST_IP Destination IP address SRC_IP Source IP address BYTES The number of transmitted bytes from Source to Destination BYTES_REV The number of transmitted bytes from Destination to Source TIME_FIRST Timestamp of the first packet in the flow in format YYYY-MM-DDTHH-MM-SS TIME_LAST Timestamp of the last packet in the flow in format YYYY-MM-DDTHH-MM-SS PACKETS The number of packets transmitted from Source to Destination PACKETS_REV The number of packets transmitted from Destination to Source DST_PORT Destination port SRC_PORT Source port PROTOCOL The number of transport protocol TCP_FLAGS Logic OR across all TCP flags in the packets transmitted from Source to Destination TCP_FLAGS_REV Logic OR across all TCP flags in the packets transmitted from Destination to Source TLS_ALPN The Value of Application Protocol Negotiation Extension sent from Server TLS_JA3 The JA3 fingerprint TLS_SNI The value of Server Name Indication Extension sent by Client The DoH resolvers in the dataset can be identified by IP addresses written in doh_resolver_ip.csv file. The main part of the dataset is located in DoH-Gen-F-CCDDD.tar.gz and has the following structure: . ������������ data | - Main directory with data ��������� generated | - Directory with generated captures ��������� pcap | - Generated PCAPs ��� ��������� firefox ��������� tls-flow-csv | - Generated CSV flow data ��������� firefox Total stats of generated data: Name Value Total Data Size 40.2 GB Total files 10 DoH extracted tls flows ~100 K Non-DoH extracted tls flows ~315 K DoH Server information Name Provider DoH query url Comcast https://corporate.comcast.com https://doh.xfinity.com/dns-query CZNIC https://www.nic.cz https://odvr.nic.cz/doh DNSForge https://dnsforge.de https://dnsforge.de/dns-query DNSSB https://dns.sb/doh/ https://doh.dns.sb/dns-query DOHli https://doh.li https://doh.li/dns-query

This research was funded by the Ministry of Interior of the Czech Republic, grant No. VJ02010024: Flow-Based Encrypted Traffic Analysis and also by the Grant Agency of the CTU in Prague, grant No. SGS20/210/OHK3/3T/18 funded by the MEYS of the Czech Republic, and also by Brno University of Technology, Faculty of Information Technology internal grant FIT-S-20-6293, and also by Technology Agency of the Czech Republic, grant No. FW03010099: Context-based Encrypted Traffic Analysis Using Flow Data.