CDRouter Support

Testing DNS over TLS with CDRouter

knowledge-base version 10.7

Overview

In April of 2018 Cloudflare launched its privacy-enabling, high speed 1.1.1.1 DNS service.

A privacy-enabling DNS server is one that implements DNS over TLS as defined in RFC7858. RFC7858 “describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626.”

Support for DNS over TLS was added to CDRouter’s WAN DNS servers in CDRouter 10.7 to help facilitate the testing and adoption of privacy-enabling DNS features within CPE and edge devices.

Configuring CDRouter

DNS over TLS does not need to be explicitly enabled or configured within CDRouter. CDRouter’s WAN DNS servers support DNS over TLS by default.

With the addition of TLS support, CDRouter’s DNS servers will now respond to DNS queries over both IPv4 and IPv6 (if enabled) using the following transport and port combinations:

  • Traditional DNS over UDP on port 53
  • DNS over TCP on port 53
  • DNS over TLS (over TCP) on port 853

Configuring the CPE

DNS over TLS is not widely supported in current CPE devices. If supported, the authentication domain name (ADN) and optionally the IP address of one or more privacy-enabling DNS servers must be configured within the CPE.

Since no standardized method exists for dynamic discovery of privacy-enabling DNS ADNs and IPs, the CPE must be manually configured with this information. RFC8310 defines two sources of ADNs:

  1. Full Direct Configuration as defined in Section 7.1, in which the CPE is statically configured with both the ADN and IP of each privacy-enabling DNS server.

  2. Direct Configuration as defined in Section 7.2, in which the CPE is statically configured with only the ADN of each privacy-enabling DNS server.

Full Direct configuration of the CPE requires both the ADN and IP of one or more privacy-enabling DNS servers whereas Direct Configuration requires only the ADN. Both sources are supported by CDRouter. ADN and IP information for CDRouter’s WAN DNS servers can be found in the sections below.

DNS Server ADNs

The CPE must be configured with the ADN of one or more of CDRouter’s WAN DNS servers to enable DNS over TLS.

  WAN DNS Server    ADN
  DNS1              dns1.cdrouter.xyz
  DNS2              dns2.cdrouter.xyz
  DNS3              dns3.cdrouter.xyz
  DNS4              dns4.cdrouter.xyz

DNS Server IPv4 Addresses

In addition to the ADN, the CPE may be optionally configured with the IPv4 address of each DNS server.

  WAN DNS Server    Default IPv4 Address    Testvar
  DNS1              202.254.101.1           wanDnsServer
  DNS2              202.254.101.2           wanBackupDnsServer
  DNS3              Disabled                wanBackupDnsServer2
  DNS4              Disabled                wanBackupDnsServer3

DNS Server IPv6 Addresses

If IPv6 is enabled, the CPE may also be configured with the ADN, IPv4, and/or IPv6 address of each DNS server.

  WAN DNS Server    Default IPv6 Address    Testvar
  DNS1              3001:51a:cafe::2        ipv6WanDnsServer
  DNS2              3001:51a:cafe::3        ipv6WanBackupDnsServer
  DNS3              Disabled                ipv6WanBackupDnsServer2
  DNS4              Disabled                ipv6WanBackupDnsServer3

DNS Usage Profiles

Section 1 of RFC8310 defines two DNS usage profiles:

  1. A Strict Privacy profile, which requires an encrypted connection and successful authentication of the DNS server; this mitigates both passive eavesdropping and client redirection (at the expense of providing no DNS service if an encrypted, authenticated connection is not available).

  2. An Opportunistic Privacy profile, which will attempt, but does not require, encryption and successful authentication; it therefore provides limited or no mitigation for such attacks but maximizes the chance of DNS service.

It is important to understand which profile is required by the CPE even if it is not a configurable option. If strict privacy is required, the CPE should never send DNS queries in the clear on the WAN. Opportunistic privacy does allow this in certain situations.

The testvar dnsUsageProfile should be set to a value of strict-privacy if required by the CPE. The dns_500 test case and its variants can be used to verify strict privacy behavior of the CPE.

Authentication

CDRouter currently supports the ADN and ADN only authentication mechanisms defined in Section 6.3 of RFC8310.

For both authentication mechanisms, if the CPE requires strict privacy it must validate the wildcard based PKIX certificates provided by CDRouter’s WAN DNS servers. To properly validate these certificates the CPE must have the appropriate intermediate and root CAs installed and must follow the authentication guidelines referenced in Section 8.1 of RFC8310.

The intermediate and root CAs required for validation of CDRouter’s DNS server certificates can be found in the following locations on a CDRouter system:

  • Intermediate CAs (2): /usr/cdrouter/tests/wildcard.cdrouter.xyz-ca.pem
  • Root CA: /usr/cdrouter/tests/wildcard.cdrouter.xyz-rootca.pem

Note that these certificates are provided in .pem format and can be converted to other formats if required by the CPE.
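The following Python client is an added example (not CDRouter code) that sends the same A query over the three transport and port combinations listed above and, for port 853, performs the client-side validation this section requires: the chain is checked against the root CA bundle path given above and the wildcard certificate must match the configured ADN. The ADN, IPv4 address and CA path are the DNS1 values from this page; the transaction ID and the query name are the caller's choice.

```python
import socket, ssl, struct

# Values from this page: the DNS1 ADN, its default IPv4 address and the root CA path.
ADN = "dns1.cdrouter.xyz"
SERVER_IP = "202.254.101.1"
CA_BUNDLE = "/usr/cdrouter/tests/wildcard.cdrouter.xyz-rootca.pem"
PORTS = {"udp": 53, "tcp": 53, "tls": 853}

def build_query(qname, qtype=1, txid=0x1234):
    """Minimal DNS query: header with RD=1 and one question, then QNAME/QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lb)]) + lb.encode() for lb in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def frame_stream(msg):
    """TCP and TLS carry each DNS message behind a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def parse_response(resp, txid=0x1234):
    """Check the reply header; return (rcode, answer_count) or raise if it is not our reply."""
    rid, flags, _qd, an = struct.unpack("!HHHH", resp[:8])
    if rid != txid or not flags & 0x8000:        # wrong transaction ID or QR bit not set
        raise ValueError("not a response to our query")
    return flags & 0x000F, an

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("stream closed mid-message")
        buf += chunk
    return buf

def query(transport, qname, server=SERVER_IP, adn=ADN, cafile=CA_BUNDLE):
    """Send one A query over 'udp', 'tcp' or 'tls' and return (rcode, answer_count)."""
    msg = build_query(qname)
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(3)
            s.sendto(msg, (server, PORTS["udp"]))
            return parse_response(s.recv(4096))
    sock = socket.create_connection((server, PORTS[transport]), timeout=3)
    if transport == "tls":
        # Strict-privacy client behaviour: chain and validity period are verified against
        # the CA bundle, and the wildcard certificate must match the ADN sent as SNI.
        ctx = ssl.create_default_context(cafile=cafile)
        sock = ctx.wrap_socket(sock, server_hostname=adn)
    with sock:
        sock.sendall(frame_stream(msg))
        (length,) = struct.unpack("!H", recv_exact(sock, 2))
        return parse_response(recv_exact(sock, length))
```

Against a server whose chain is not rooted in the bundle, whose certificate does not cover the ADN, or whose certificate has expired, `wrap_socket` raises `ssl.SSLCertVerificationError`, which is the rejection behaviour the Authentication Testing section below expects from the CPE.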

NTP

To properly authenticate CDRouter’s WAN DNS server certificates the CPE must have a valid time source which is typically obtained via NTP. CDRouter’s WAN NTP servers can be configured using the following testvars for IPv4:

And the following testvars for IPv6:

Test Cases & Test Modules

CDRouter includes a number of DNS specific test cases and test modules that are designed to fully test and verify a CPE’s DNS functionality over all supported transports including UDP, TCP, and TLS.

DNS over TLS tests for both IPv4 and IPv6 are specifically covered in the dns-tls and dns-tls-v6 test modules, respectively.

The same core tests can now be run over all DNS and IP transport combinations:

  Test Module    DNS Transport    IP Version    Number of Test Cases
  dns            UDP              IPv4          35
  dns-tcp        TCP              IPv4          35
  dns-tls        TLS              IPv4          35
  dns-v6         UDP              IPv6          30
  dns-tcp-v6     TCP              IPv6          30
  dns-tls-v6     TLS              IPv6          30

In addition, within each module listed above is a new test case (dns_500 and variants) that specifically verifies that the CPE does not leak DNS queries in plaintext over UDP or TCP on the WAN if it requires strict privacy.

Testing Exercises

CDRouter can be used to verify that the CPE’s integrated DNS proxy supports DNS over TLS and also that the CPE does not negatively impact DNS over TLS connections that are flowing through it.

DNS Proxy Testing

To test the CPE’s DNS proxy, DNS over TLS must be enabled and properly configured with CDRouter’s DNS server ADNs and optionally IPs. If strict privacy is required the CPE must always use DNS over TLS on the WAN, even if its proxy supports other DNS transports on the LAN. This means that any DNS queries received from CDRouter’s LAN client(s) and all DNS traffic generated by the CPE itself should be relayed over TLS to the upstream DNS servers on the WAN.

If the CPE’s DNS proxy does not support DNS over TLS on the LAN, any DNS over TLS tests that target the DUT’s DNS proxy should fail. In these situations the DNS over TLS tests should be skipped or run in passthrough mode instead.

DNS Passthrough Testing

To verify that the CPE does not interfere with DNS over TLS queries flowing through it, the testvar lanStaticDns can be enabled and the testvar lanDnsServer can be set to the IP address of one of CDRouter’s WAN DNS servers. This will force CDRouter’s LAN client to send its queries directly to the DNS server, bypassing the CPE’s DNS proxy.

Authentication Testing

The CPE should be properly authenticating any privacy-enabling DNS servers when configured. The CPE should reject CDRouter’s WAN DNS server certificates if:

  • The correct intermediate and root CAs are not installed
  • The certificates do not match the ADN configured on the CPE
  • The certificates are expired

These scenarios can all be tested with CDRouter. Note that the testvar ntpStartDate can be used to verify certificate expiration behavior by adjusting the CPE’s time reference.

Additional Privacy-Enabling DNS Server Support

Support for other privacy-enabling DNS services, such as DNS over DTLS (RFC8094) and DNS over HTTPS (DoH), will be added to future releases of CDRouter.
