Search Results

Testing DNS over TLS and HTTPS with CDRouter


In April of 2018 Cloudflare launched its privacy-enabling, high speed DNS service. A privacy-enabling DNS server is one that implements DNS over TLS (DoT) or DNS over HTTPS (DoH).

DoT is defined in RFC7858 DoH is defined in RFC8484 Both are supported in CDRouter.

These advanced DNS transports have been added to CDRouter to help facilitate the testing and adoption of privacy-enabling DNS features within CPE and edge devices.

Configuring CDRouter

DoT and DoH do not need to be explicitly enabled or configured within CDRouter. CDRouter’s WAN DNS servers support DoT and DoH by default.

With the addition of DoT and DoH support CDRouter’s DNS servers will now respond to DNS queries over both IPv4 and IPv6 (if enabled) using the following transport and port combinations:

  • DNS over UDP on port 53
  • DNS over TCP on port 53
  • DNS over TLS (over TCP) on port 853
  • DNS over HTTPS on port 443

Configuring the CPE for DoT

The CPE’s DNS proxy must support DoT and must be configured with the authentication domain name (ADN) and optionally the IP address of one or more of CDRouter’s privacy-enabling DNS servers.

Since no standardized method exists for dynamic discovery of privacy-enabling DNS ADNs and IPs, the CPE must be manually configured with this information. RFC8310 defines two sources of ADNs:

  1. Full Direct Configuration as defined in Section 7.1 in which the CPE is statically configured with both the ADN and IP of each privacy-enabling DNS server.

  2. Direct Configuration as defined in Section 7.2 in which the CPE is statically configured with only the ADN of each privacy-enabling DNS server.

Full Direct Configuration of the CPE requires both the ADN and IP of one or more privacy-enabling DNS servers whereas Direct Configuration requires only the ADN. Both sources are supported by CDRouter. ADN and IP information for CDRouter’s WAN DNS servers can be found in the sections below.

DNS Usage Profiles

Section 1 of RFC8310 defines two DNS usage profiles:

  1. A Strict Privacy profile, which requires an encrypted connection and successful authentication of the DNS server; this mitigates both passive eavesdropping and client redirection (at the expense of providing no DNS service if an encrypted, authenticated connection is not available).

  2. An Opportunistic Privacy profile, which will attempt, but does not require, encryption and successful authentication; it therefore provides limited or no mitigation for such attacks but maximizes the chance of DNS service.

It is important to understand which profile is required by the CPE even if it is not a configurable option. If strict privacy is required, the CPE should never send DNS queries in the clear on the WAN. Opportunistic privacy does allow this in certain situations.

The testvar dnsUsageProfile should be set to a value of strict-privacy if required by the CPE. When dnsUsageProfile is set to strict-privacy, the testvar dnsUsageProfileStrictPrivacyTransports determines which secure transports (DNS over TLS, DNS over HTTPS (DoH) or both) the CPE is expected to use when sending DNS queries on the WAN. The dns_500 test case and its variants can be used to verify strict privacy behavior of the CPE.

Configuring the CPE for DoH

The CPE’s DNS proxy must support DoH and must be configured with the uniform resource identifier (URI) of one or more of CDRouter’s privacy-enabling DNS servers. DoH server URIs must be configured manually by the user or dynamically via DHCP or other protocols. URI and IP information for CDRouter’s WAN DNS servers can be found in the sections below.

CDRouter DNS Server ADNs and URIs

The CPE must be configured with the ADN or URI of one or more of CDRouter’s WAN DNS servers to enable DoT or DoH, respectively.


DNS Server IPv4 Addresses

In addition to the ADN, the CPE may be optionally configured with the IPv4 address of each DNS server for DoT.

WAN DNS Server Default IPv4 Address Testvar
DNS1 wanDnsServer
DNS2 wanBackupDnsServer
DNS3 Disabled wanBackupDnsServer2
DNS4 Disabled wanBackupDnsServer3

DNS Server IPv6 Addresses

If IPv6 is enabled, the CPE may also be configured with the ADN, IPv4, and/or IPv6 address of each DNS server for DoT.

WAN DNS Server Default IPv6 Address Testvar
DNS1 3001:51a:cafe::2 ipv6WanDnsServer
DNS2 3001:51a:cafe::3 ipv6WanBackupDnsServer
DNS3 Disabled ipv6WanBackupDnsServer2
DNS4 Disabled ipv6WanBackupDnsServer3


To properly authenticate CDRouter’s WAN DNS server certificates the CPE must have a valid time source which is typically obtained via NTP. CDRouter’s WAN NTP servers can be configured using the following testvars for IPv4:

And the following testvars for IPv6:


CDRouter currently supports the ADN and ADN only authentication mechanisms defined in Section 6.3 of RFC8310.

For both DoT authentication mechanisms and for DoH, if the CPE requires strict privacy it must validate the wildcard based PKIX certificates provided by CDRouter’s WAN DNS servers. To properly validate these certificates the CPE must have the appropriate intermediate and root CAs installed and must follow the authentication guidelines referenced in Section 8.1 of RFC8310.

The intermediate and root CAs required for validation of CDRouter’s DNS server certificates can be found in the following locations on a CDRouter system:

  • Intermediate CAs (2): /usr/cdrouter/tests/
  • Root CA: /usr/cdrouter/tests/

These certificates are provided in .pem format and can be converted to other formats if required by the CPE.

Note that these certificates are valid Sectigo signed wildcard certificates. The root CA required to authenticate these certificates may already be installed on some CPE devices.

Test Cases & Test Modules

CDRouter includes a number of DNS specific test cases and test modules that are designed to fully test and verify a CPE’s DNS functionality over all supported transports including UDP, TCP, TLS, and HTTPS.

DoT tests for both IPv4 and IPv6 are specifically covered in the dns-tls and dns-tls-v6 test modules, respectively.

The same core tests can now be run over all DNS and IP transport combinations:

Test Module DNS Transport IP Version Number of Test Cases
dns UDP IPv4 35
dns-https HTTPS IPv4 35
dns-tcp TCP IPv4 35
dns-tls TLS IPv4 35
dns-v6 UDP IPv6 30
dns-https-v6 HTTPS IPv6 30
dns-tcp-v6 TCP IPv6 30
dns-tls-v6 TLS IPv6 30

In addition, within each module listed above is a new test case (dns_500 and variants) that specifically verifies that the CPE does not leak DNS queries in plaintext over UDP or TCP on the WAN if it requires strict privacy.

Testing Exercises

CDRouter can be used to verify that the CPE’s integrated DNS proxy supports DNS over TLS and also that the CPE does not negatively impact DNS over TLS connections that are flowing through it.

DNS Proxy Testing

To test the CPE’s DNS proxy, DoT or DoH must be enabled and properly configured with CDRouter’s DNS server ADNs, URIs, and optionally IPs. If strict privacy is required the CPE must always use DoT on the WAN, even if its proxy supports other DNS transports on the LAN. This means that any DNS queries received from CDRouter’s LAN client(s) and all DNS traffic generated by the CPE itself should be relayed using DoT to the upstream DNS servers on the WAN.

If the CPE’s DNS proxy does not support DoT on the LAN, any DoT tests that target the DUT’s DNS proxy should fail. In these situations the DNS over TLS tests should be skipped or run in passthrough mode instead.

DNS Passthrough Testing

To verify that the CPE does not interfere with DNS over TLS queries flowing through it, the testvar lanStaticDns can be enabled and the testvar lanDnsServer can be set to the IP address of one of CDRouter’s WAN DNS servers. This will force CDRouter’s LAN client to send its queries directly to the DNS server, bypassing the CPE’s DNS proxy.

Authentication Testing

The CPE should be properly authenticating any privacy-enabling DNS servers when configured. The CPE should reject CDRouter’s WAN DNS server certificates if:

  • The correct intermediate and root CAs are not installed
  • The certificates do not match the ADN configured on the CPE
  • The certificates are expired

These scenarios can all be tested with CDRouter. Note that the testvar ntpStartDate can be used to verify certificate expiration behavior by adjusting the CPE’s time reference.

Additional Privacy-Enabling DNS Server Support

Support for other privacy-enabling DNS services such as DNS over DTLS RFC8094 will be added to future releases of CDRouter.