Testing DNS over TLS and HTTPS with CDRouter
In April 2018 Cloudflare launched its privacy-enabling, high-speed 1.1.1.1 DNS service. A privacy-enabling DNS server is one that implements DNS over TLS (DoT) or DNS over HTTPS (DoH).
DoT is defined in RFC7858 and DoH in RFC8484. Both are supported in CDRouter.
These advanced DNS transports have been added to CDRouter to help facilitate the testing and adoption of privacy-enabling DNS features within CPE and edge devices.
DoT and DoH do not need to be explicitly enabled or configured within CDRouter. CDRouter’s WAN DNS servers support DoT and DoH by default.
With the addition of DoT and DoH support, CDRouter’s DNS servers respond to DNS queries over both IPv4 and IPv6 (if enabled) using the following transport and port combinations:
- DNS over UDP on port 53
- DNS over TCP on port 53
- DNS over TLS (over TCP) on port 853
- DNS over HTTPS on port 443
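The same query takes a different on-the-wire shape on each of the transports listed above, and it helps to be able to produce each shape by hand when looking at what the CPE forwards. The script below is an added example, not CDRouter code: it builds one wire-format DNS query (the raw datagram sent over UDP/53), prefixes it with the two-byte length used over TCP/53 and inside a DoT session (RFC 7766, RFC 7858), and encodes it as the base64url `dns=` GET parameter defined in RFC 8484 for DoH. The server name and URI used are placeholders, not CDRouter defaults.

```shell
#!/bin/sh
# Added example (not CDRouter code): the same DNS query in the three wire shapes
# used by UDP/TCP, DoT and DoH. Server names and addresses are placeholders.

# Wire-format query for NAME: ID 0, RD set, one question, QTYPE A, QCLASS IN.
# Raw bytes go to stdout, so keep it in a pipeline (shell variables cannot hold NUL).
dns_wire_query() {
    # Header: ID=0x0000 FLAGS=0x0100 QDCOUNT=1 ANCOUNT=0 NSCOUNT=0 ARCOUNT=0
    printf '\000\000\001\000\000\001\000\000\000\000\000\000'
    # QNAME: each dot-separated label as <length byte><label>
    oldifs=$IFS; IFS=.
    for label in $1; do
        printf "$(printf '\\%03o' "${#label}")%s" "$label"
    done
    IFS=$oldifs
    # Root label, QTYPE=A (0x0001), QCLASS=IN (0x0001)
    printf '\000\000\001\000\001'
}

# Two-byte big-endian length prefix, as sent over TCP/53 and inside a DoT session (853).
dns_tcp_frame() {
    len=$(dns_wire_query "$1" | wc -c)
    printf "$(printf '\\%03o\\%03o' $((len / 256)) $((len % 256)))"
    dns_wire_query "$1"
}

# RFC 8484 section 6: base64url without padding.
base64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# GET form of a DoH query: <URI>?dns=<base64url(wire query)>
doh_get_uri() { printf '%s?dns=%s\n' "$1" "$(dns_wire_query "$2" | base64url)"; }

main() {
    echo "DoH GET:      $(doh_get_uri https://dns.example.test/dns-query www.example.com)"
    echo "DoT framed:   $(dns_tcp_frame www.example.com | od -An -tx1 | tr -d ' \n')"
    # To send the framed query to a DoT server, authenticating it by ADN
    # (placeholder address, ADN and CA file):
    #   dns_tcp_frame www.example.com | openssl s_client -quiet -connect 203.0.113.1:853 \
    #       -servername dns.example.test -verify_hostname dns.example.test \
    #       -verify_return_error -CAfile root.pem
}
if [ "${1:-}" = run ]; then main; fi
```

Run it as `sh doh-shapes.sh run`. For `www.example.com` the `dns=` value produced is `AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB`, the same string RFC 8484 uses in its GET example, which is a quick way to confirm an encoder is correct before pointing it at a DoH server.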
Configuring the CPE for DoT
The CPE’s DNS proxy must support DoT and must be configured with the authentication domain name (ADN) and optionally the IP address of one or more of CDRouter’s privacy-enabling DNS servers.
Since no standardized method exists for dynamic discovery of privacy-enabling DNS ADNs and IPs, the CPE must be manually configured with this information. RFC8310 defines two sources of ADNs:
- Full Direct Configuration, as defined in Section 7.1, in which the CPE is statically configured with both the ADN and IP of each privacy-enabling DNS server.
- Direct Configuration, as defined in Section 7.2, in which the CPE is statically configured with only the ADN of each privacy-enabling DNS server.
Full Direct Configuration of the CPE requires both the ADN and IP of one or more privacy-enabling DNS servers whereas Direct Configuration requires only the ADN. Both sources are supported by CDRouter. ADN and IP information for CDRouter’s WAN DNS servers can be found in the sections below.
DNS Usage Profiles
Section 1 of RFC8310 defines two DNS usage profiles:
- A Strict Privacy profile, which requires an encrypted connection and successful authentication of the DNS server; this mitigates both passive eavesdropping and client redirection (at the expense of providing no DNS service if an encrypted, authenticated connection is not available).
- An Opportunistic Privacy profile, which will attempt, but does not require, encryption and successful authentication; it therefore provides limited or no mitigation for such attacks but maximizes the chance of DNS service.
It is important to understand which profile is required by the CPE even if it is not a configurable option. If strict privacy is required, the CPE should never send DNS queries in the clear on the WAN. Opportunistic privacy does allow this in certain situations.
The testvar dnsUsageProfile should be set to strict-privacy if the CPE requires strict privacy. When dnsUsageProfile is set to strict-privacy, the testvar dnsUsageProfileStrictPrivacyTransports specifies which secure transports (DNS over TLS, DNS over HTTPS, or both) the CPE is expected to use when sending DNS queries on the WAN. The dns_500 test case and its variants can be used to verify the strict privacy behavior of the CPE.
Configuring the CPE for DoH
The CPE’s DNS proxy must support DoH and must be configured with the uniform resource identifier (URI) of one or more of CDRouter’s privacy-enabling DNS servers. DoH server URIs may be configured manually by the user or, if the CPE supports it, dynamically via DHCP or other protocols. URI and IP information for CDRouter’s WAN DNS servers can be found in the sections below.
CDRouter DNS Server ADNs and URIs
The CPE must be configured with the ADN or URI of one or more of CDRouter’s WAN DNS servers to enable DoT or DoH, respectively.
| WAN DNS Server | DoT ADN | DoH URI |
|---|---|---|
DNS Server IPv4 Addresses
In addition to the ADN, the CPE may be optionally configured with the IPv4 address of each DNS server for DoT.
| WAN DNS Server | Default IPv4 Address | Testvar |
|---|---|---|
DNS Server IPv6 Addresses
If IPv6 is enabled, the CPE may also be configured with the ADN, IPv4, and/or IPv6 address of each DNS server for DoT.
| WAN DNS Server | Default IPv6 Address | Testvar |
|---|---|---|
To properly authenticate CDRouter’s WAN DNS server certificates the CPE must have a valid time source which is typically obtained via NTP. CDRouter’s WAN NTP servers can be configured using the following testvars for IPv4:
And the following testvars for IPv6:
CDRouter currently supports the ADN-only authentication mechanisms defined in Section 6.3 of RFC8310.
For both DoT authentication mechanisms and for DoH, if the CPE requires strict privacy it must validate the wildcard-based PKIX certificates presented by CDRouter’s WAN DNS servers. To validate these certificates the CPE must have the appropriate intermediate and root CAs installed and must follow the authentication guidelines referenced in Section 8.1 of RFC8310.
The intermediate and root CAs required for validation of CDRouter’s DNS server certificates can be found in the following locations on a CDRouter system:
- Intermediate CAs (2):
- Root CA:
These certificates are provided in .pem format and can be converted to other formats if required by the CPE.
Note that these certificates are valid Sectigo-signed wildcard certificates. The root CA required to authenticate them may already be installed on some CPE devices.
Test Cases & Test Modules
CDRouter includes a number of DNS specific test cases and test modules that are designed to fully test and verify a CPE’s DNS functionality over all supported transports including UDP, TCP, TLS, and HTTPS.
DoT tests for both IPv4 and IPv6 are specifically covered in the dns-tls and dns-tls-v6 test modules, respectively.
The same core tests can now be run over all DNS and IP transport combinations:
| Test Module | DNS Transport | IP Version | Number of Test Cases |
|---|---|---|---|
In addition, within each module listed above is a new test case (dns_500 and variants) that specifically verifies that the CPE does not leak DNS queries in plaintext over UDP or TCP on the WAN if it requires strict privacy.
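The check that dns_500 automates can also be done by hand over a WAN-side capture, which is useful when a strict-privacy failure needs to be explained to a CPE vendor. The script below is an added example, not CDRouter code or the logic dns_500 actually runs: it reads one line per WAN packet sent by the CPE (transport, destination IP, destination port, as can be exported from a capture tool), flags any DNS on port 53 as a plaintext leak, and flags DoT or DoH to a configured server when that transport is not in the permitted set, which is the role dnsUsageProfileStrictPrivacyTransports plays in the test. The server addresses and the capture lines are constructed placeholders, not CDRouter defaults or a real capture.

```shell
#!/bin/sh
# Added example (not CDRouter code): strict-privacy leak check over a WAN capture
# summary. Input lines are "transport,dst_ip,dst_port", one per packet from the CPE.

# Placeholder WAN DNS server addresses (CDRouter's defaults are in the tables above).
WAN_DNS_SERVERS="203.0.113.1 203.0.113.2"

# Constructed sample, not a real capture: two plaintext DNS queries, one DoT
# session, one DoH session, NTP, and unrelated HTTPS.
SAMPLE_WAN_CAPTURE='udp,203.0.113.1,53
tcp,203.0.113.1,853
tcp,203.0.113.2,443
udp,198.51.100.9,123
tcp,203.0.113.1,53
tcp,198.51.100.20,443'

# Usage: dns_profile_violations "<dot|doh|dot doh>" "<server IPs>" < capture
# Prints one line per violation; exits non-zero if there were any.
#  - Port 53 to any destination, UDP or TCP, is a plaintext leak.
#  - DoT (853) is a violation if DoT is not permitted or the server is not one
#    the CPE was configured with.
#  - DoH (443) to a configured server is a violation if DoH is not permitted.
#    Port 443 to other hosts is ignored: it may be ordinary HTTPS.
dns_profile_violations() {
    awk -F, -v allowed="$1" -v servers="$2" '
        BEGIN {
            n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
            n = split(servers, s, " "); for (i = 1; i <= n; i++) srv[s[i]] = 1
            n = 0
        }
        /^#/ || NF < 3 { next }
        {
            proto = $1; dst = $2; port = $3 + 0
            if (port == 53) {
                print "plaintext DNS over " proto " to " dst; n++
            } else if (port == 853 && !("dot" in ok)) {
                print "DoT to " dst " but DoT is not a permitted transport"; n++
            } else if (port == 853 && !(dst in srv)) {
                print "DoT to unconfigured server " dst; n++
            } else if (port == 443 && (dst in srv) && !("doh" in ok)) {
                print "DoH to " dst " but DoH is not a permitted transport"; n++
            }
        }
        END { exit (n > 0) }'
}

main() {
    printf '%s\n' "$SAMPLE_WAN_CAPTURE" | dns_profile_violations "dot doh" "$WAN_DNS_SERVERS" \
        && echo "no violations" || echo "strict privacy violated"
}
if [ "${1:-}" = run ]; then main; fi
```

On the constructed sample, permitting both transports reports the two port-53 queries; permitting only DoT additionally reports the DoH session, and permitting only DoH additionally reports the DoT session. A CPE that passes this check for its declared transports is behaving as the strict profile requires on the WAN.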
CDRouter can be used to verify that the CPE’s integrated DNS proxy supports DNS over TLS and also that the CPE does not negatively impact DNS over TLS connections that are flowing through it.
DNS Proxy Testing
To test the CPE’s DNS proxy, DoT or DoH must be enabled and properly configured with CDRouter’s DNS server ADNs, URIs, and optionally IPs. If strict privacy is required the CPE must always use a secure transport (DoT or DoH) on the WAN, even if its proxy supports other DNS transports on the LAN. This means that any DNS queries received from CDRouter’s LAN client(s) and all DNS traffic generated by the CPE itself must be relayed over DoT or DoH to the upstream DNS servers on the WAN.
If the CPE’s DNS proxy does not support DoT on the LAN, any DoT tests that target the DUT’s DNS proxy will fail. In these situations the DNS over TLS tests should be skipped or run in passthrough mode instead.
DNS Passthrough Testing
To verify that the CPE does not interfere with DNS over TLS queries flowing through it, the testvar lanStaticDns can be enabled and the testvar lanDnsServer can be set to the IP address of one of CDRouter’s WAN DNS servers. This will force CDRouter’s LAN client to send its queries directly to the DNS server, bypassing the CPE’s DNS proxy.
A CPE configured for strict privacy must authenticate the privacy-enabling DNS servers it connects to. It should reject CDRouter’s WAN DNS server certificates if:
- The correct intermediate and root CAs are not installed
- The certificates do not match the ADN configured on the CPE
- The certificates are expired
These scenarios can all be tested with CDRouter. Note that the testvar ntpStartDate can be used to verify certificate expiration behavior by adjusting the CPE’s time reference.
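Before running the three rejection scenarios against a CPE it is worth confirming the expected outcome of each with a reference validator. The script below is an added example, not CDRouter code or its certificate material: it builds a throwaway PKI with the same shape the page describes (root CA, intermediate CA, wildcard server certificate), then uses `openssl verify` to show the chain being accepted when the intermediate and root are present and the name matches the ADN, and rejected when the intermediate is missing, when the ADN does not match, and when the chain is evaluated at a time past the certificate's notAfter, which is what moving the CPE's time reference with ntpStartDate achieves. The ADN, wildcard name and paths are placeholders.

```shell
#!/bin/sh
# Added example (not CDRouter code): reproduce the three certificate rejection
# cases with a throwaway root -> intermediate -> wildcard leaf PKI and openssl verify.
# The ADN, wildcard name and working directory are placeholders.
set -e

WORK=${WORK:-$(mktemp -d)}
ADN="dns.example.test"            # placeholder ADN configured on the CPE
WILDCARD="*.example.test"         # placeholder wildcard name on the server certificate

# Build root CA, intermediate CA and a wildcard server certificate in $WORK.
make_pki() (
    cd "$WORK" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    # Root CA: self-signed
    openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Example Test Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 3650 \
        -extfile ca.ext -out root.pem 2>/dev/null
    # Intermediate CA: signed by the root
    openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Example Test Intermediate CA" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1825 -extfile ca.ext -out inter.pem 2>/dev/null
    # Wildcard server certificate: signed by the intermediate, valid one year
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=$WILDCARD" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$WILDCARD" > leaf.ext
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null
)

# Each function returns 0 when the validator behaves as the CPE should.

# Correct intermediate and root installed, name matches the ADN: accept.
accepts_valid_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        -verify_hostname "$ADN" "$WORK/leaf.pem" >/dev/null 2>&1
}
# Intermediate not installed: reject ("unable to get local issuer certificate").
rejects_missing_intermediate() {
    ! openssl verify -CAfile "$WORK/root.pem" \
        -verify_hostname "$ADN" "$WORK/leaf.pem" >/dev/null 2>&1
}
# Certificate does not match the ADN configured on the CPE: reject ("hostname mismatch").
rejects_adn_mismatch() {
    ! openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        -verify_hostname "dns.other.test" "$WORK/leaf.pem" >/dev/null 2>&1
}
# Clock moved past notAfter (the effect of ntpStartDate on the CPE): reject
# ("certificate has expired").
rejects_expired_certificate() {
    future=$(( $(date +%s) + 400 * 86400 ))
    ! openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
        -attime "$future" "$WORK/leaf.pem" >/dev/null 2>&1
}

main() {
    make_pki
    accepts_valid_chain          && echo "valid chain accepted"
    rejects_missing_intermediate && echo "missing intermediate rejected"
    rejects_adn_mismatch         && echo "ADN mismatch rejected"
    rejects_expired_certificate  && echo "expired certificate rejected"
}
if [ "${1:-}" = run ]; then main; fi
```

Run it as `sh dot-certs.sh run`. The same four outcomes are what to look for from the CPE: the DoT session (or DoH request) should complete only in the first case, and in the other three the CPE should abandon the TLS handshake rather than fall back to plaintext DNS on the WAN if it requires strict privacy.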
Additional Privacy-Enabling DNS Server Support
Support for other privacy-enabling DNS services, such as DNS over DTLS (RFC8094), will be added to future releases of CDRouter.
- RFC7858: Specification for DNS over Transport Layer Security (TLS)
- RFC8310: Usage Profiles for DNS over TLS and DNS over DTLS
- RFC8484: DNS Queries over HTTPS (DoH)
- DNS over TLS for LEDE from Cloudflare
- Cloudflare’s What is DNS? training series