In April of 2018 Cloudflare launched its privacy-enabling, high-speed 1.1.1.1 DNS service.
A privacy-enabling DNS server is one that implements DNS over TLS as defined in RFC7858. RFC7858 “describes the use of Transport Layer Security (TLS) to provide privacy for DNS. Encryption provided by TLS eliminates opportunities for eavesdropping and on-path tampering with DNS queries in the network, such as discussed in RFC 7626.”
Support for DNS over TLS was added to CDRouter’s WAN DNS servers in CDRouter 10.7 to help facilitate the testing and adoption of privacy-enabling DNS features within CPE and edge devices.
DNS over TLS does not need to be explicitly enabled or configured within CDRouter. CDRouter’s WAN DNS servers support DNS over TLS by default.
With the addition of TLS support, CDRouter’s DNS servers now respond to DNS queries over both IPv4 and IPv6 (if enabled) using the following transport and port combinations:
- Traditional DNS over UDP on port 53
- DNS over TCP on port 53
- DNS over TLS (over TCP) on port 853
Configuring the CPE
DNS over TLS is not widely supported in current CPE devices. If supported, the authentication domain name (ADN) and optionally the IP address of one or more privacy-enabling DNS servers must be configured within the CPE.
Since no standardized method exists for dynamic discovery of privacy-enabling DNS ADNs and IPs, the CPE must be manually configured with this information. RFC8310 defines two sources of ADNs:
- Full Direct Configuration as defined in Section 7.1, in which the CPE is statically configured with both the ADN and IP of each privacy-enabling DNS server.
- Direct Configuration as defined in Section 7.2, in which the CPE is statically configured with only the ADN of each privacy-enabling DNS server.
Full Direct Configuration of the CPE requires both the ADN and IP of one or more privacy-enabling DNS servers, whereas Direct Configuration requires only the ADN. Both sources are supported by CDRouter. ADN and IP information for CDRouter’s WAN DNS servers can be found in the sections below.
DNS Server ADNs
The CPE must be configured with the ADN of one or more of CDRouter’s WAN DNS servers to enable DNS over TLS.
|WAN DNS Server||ADN|
DNS Server IPv4 Addresses
In addition to the ADN, the CPE may be optionally configured with the IPv4 address of each DNS server.
|WAN DNS Server||Default IPv4 Address||Testvar|
DNS Server IPv6 Addresses
If IPv6 is enabled, the CPE may also be configured with the ADN, IPv4, and/or IPv6 address of each DNS server.
|WAN DNS Server||Default IPv6 Address||Testvar|
DNS Usage Profiles
Section 1 of RFC8310 defines two DNS usage profiles:
- A Strict Privacy profile, which requires an encrypted connection and successful authentication of the DNS server; this mitigates both passive eavesdropping and client redirection (at the expense of providing no DNS service if an encrypted, authenticated connection is not available).
- An Opportunistic Privacy profile, which will attempt, but does not require, encryption and successful authentication; it therefore provides limited or no mitigation for such attacks but maximizes the chance of DNS service.
It is important to understand which profile is required by the CPE even if it is not a configurable option. If strict privacy is required, the CPE should never send DNS queries in the clear on the WAN. Opportunistic privacy does allow this in certain situations.
The testvar dnsUsageProfile should be set to a value of strict-privacy if required by the CPE. The dns_500 test case and its variants can be used to verify strict privacy behavior of the CPE.
CDRouter currently supports the ADN only authentication mechanisms defined in Section 6.3 of
For both authentication mechanisms, if the CPE requires strict privacy it must validate the wildcard-based PKIX certificates provided by CDRouter’s WAN DNS servers. To properly validate these certificates, the CPE must have the appropriate intermediate and root CAs installed and must follow the authentication guidelines referenced in Section 8.1 of RFC8310.
The intermediate and root CAs required for validation of CDRouter’s DNS server certificates can be found in the following locations on a CDRouter system:
- Intermediate CAs (2):
- Root CA:
Note that these certificates are provided in .pem format and can be converted to other formats if required by the CPE.
To properly authenticate CDRouter’s WAN DNS server certificates the CPE must have a valid time source which is typically obtained via NTP. CDRouter’s WAN NTP servers can be configured using the following testvars for IPv4:
And the following testvars for IPv6:
Test Cases & Test Modules
CDRouter includes a number of DNS specific test cases and test modules that are designed to fully test and verify a CPE’s DNS functionality over all supported transports including UDP, TCP, and TLS.
The same core tests can now be run over all DNS and IP transport combinations:
|Test Module||DNS Transport||IP Version||Number of Test Cases|
In addition, within each module listed above is a new test case (dns_500 and variants) that specifically verifies that the CPE does not leak DNS queries in plaintext over UDP or TCP on the WAN if it requires strict privacy.
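The leak condition described above can be expressed as a check over WAN traffic. The following is an added example, not CDRouter's dns_500 implementation: it scans a constructed list of packet summaries (the tuple layout and sample packets are assumptions made for illustration) and reports cleartext DNS queries on port 53 when the strict-privacy profile is in force.

```python
import struct

STRICT = "strict-privacy"  # value the page gives for the dnsUsageProfile testvar

# Constructed WAN capture summary: (transport, destination port, payload bytes).
_Q = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # header: RD set, 1 question
      b"\x07example\x03com\x00\x00\x01\x00\x01")           # example.com, type A, class IN
SAMPLE_WAN = [
    ("udp", 53, _Q),                               # cleartext query over UDP
    ("tcp", 53, struct.pack("!H", len(_Q)) + _Q),  # cleartext query over TCP
    ("tcp", 853, b"\x16\x03\x01\x00\x05hello"),    # opaque TLS bytes toward the DoT port
    ("udp", 123, b"\x23" + b"\x00" * 47),          # NTP, not DNS
]

def parse_query_name(msg):
    """Return the QNAME if msg is a well-formed DNS query, else None."""
    if len(msg) < 12:
        return None
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount == 0:   # QR=1 means response; a query needs a question
        return None
    labels, pos = [], 12
    while pos < len(msg):
        n = msg[pos]
        if n == 0:                       # root label terminates the name
            return ".".join(labels) or "."
        if n > 63 or pos + 1 + n > len(msg):   # compression pointer or truncated label
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None

def find_plaintext_leaks(packets, profile):
    """List (transport, qname) for cleartext DNS queries seen on the WAN."""
    if profile != STRICT:
        return []   # opportunistic privacy permits cleartext fallback
    leaks = []
    for transport, dport, payload in packets:
        if dport != 53:
            continue
        if transport == "tcp":   # DNS over TCP prefixes each message with a 2-byte length
            length = int.from_bytes(payload[:2], "big")
            payload = payload[2:2 + length]
        name = parse_query_name(payload)
        if name is not None:
            leaks.append((transport, name))
    return leaks
```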
CDRouter can be used to verify that the CPE’s integrated DNS proxy supports DNS over TLS and also that the CPE does not negatively impact DNS over TLS connections that are flowing through it.
DNS Proxy Testing
To test the CPE’s DNS proxy, DNS over TLS must be enabled and properly configured with CDRouter’s DNS server ADNs and optionally IPs. If strict privacy is required the CPE must always use DNS over TLS on the WAN, even if its proxy supports other DNS transports on the LAN. This means that any DNS queries received from CDRouter’s LAN client(s) and all DNS traffic generated by the CPE itself should be relayed over TLS to the upstream DNS servers on the WAN.
If the CPE’s DNS proxy does not support DNS over TLS on the LAN, any DNS over TLS tests that target the DUT’s DNS proxy should fail. In these situations the DNS over TLS tests should be skipped or run in passthrough mode instead.
DNS Passthrough Testing
To verify that the CPE does not interfere with DNS over TLS queries flowing through it, the testvar lanStaticDns can be enabled and the testvar lanDnsServer can be set to the IP address of one of CDRouter’s WAN DNS servers. This will force CDRouter’s LAN client to send its queries directly to the DNS server, bypassing the CPE’s DNS proxy.
The CPE should be properly authenticating any privacy-enabling DNS servers when configured. The CPE should reject CDRouter’s WAN DNS server certificates if:
- The correct intermediate and root CAs are not installed
- The certificates do not match the ADN configured on the CPE
- The certificates are expired
These scenarios can all be tested with CDRouter. Note that the testvar ntpStartDate can be used to verify certificate expiration behavior by adjusting the CPE’s time reference.
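The three rejection cases above, seen from a DNS over TLS client that enforces strict privacy. This is an added example, not CDRouter or CPE code; the function names and the `server_ip`, `adn`, and `cafile` parameters are hypothetical and would be filled in from the ADN, IP, and CA files described earlier on this page.

```python
import socket
import ssl
import struct

# OpenSSL X509 verify codes mapped to the three rejection cases listed above.
REJECTION_REASONS = {
    10: "certificate expired",
    18: "CA chain not trusted",            # self-signed leaf certificate
    19: "CA chain not trusted",            # self-signed certificate in chain
    20: "CA chain not trusted",            # unable to get local issuer certificate
    62: "certificate does not match ADN",  # hostname mismatch
}

def classify_rejection(verify_code):
    return REJECTION_REASONS.get(verify_code, "other verification failure")

def strict_context(cafile=None):
    """TLS client context for strict privacy: chain and name checks are mandatory."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and check_hostname on
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # root and intermediate CAs in PEM
    return ctx

def frame_query(qname, qtype=1, txid=0x1234):
    """Build a DNS query with the 2-byte length prefix used over TCP and TLS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                      for lab in qname.rstrip(".").split("."))
    msg = header + labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg

def probe_dot(server_ip, adn, cafile, qname, timeout=5.0):
    """Return ('ok', rcode) or ('rejected', reason) for one DoT query on port 853."""
    ctx = strict_context(cafile)
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw:
        try:
            tls = ctx.wrap_socket(raw, server_hostname=adn)  # ADN is the name to match
        except ssl.SSLCertVerificationError as exc:
            return ("rejected", classify_rejection(exc.verify_code))
        with tls:
            tls.sendall(frame_query(qname))
            reply = tls.recv(4096)
            # RCODE is the low nibble of the 4th header byte, after the length prefix.
            return ("ok", reply[5] & 0x0F if len(reply) >= 6 else None)
```

A strict-privacy client never retries on port 53 after a `rejected` result; the query simply fails.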