Commit 0ba6ae3e authored by Valerie Aurora

Update and add DNS requirements to new format

parent b3667c7f
+28 −12
@@ -177,17 +177,33 @@ Some VPN node shall detect when multiple VPN clients are using credentials that

### 5.2.X **[TR-DNSL]** DNS leak prevention

The VPN client shall prevent DNS queries intended to be routed through the VPN connection from being resolved by non-authorized servers while the VPN connection is active, unless explicitly authorized by the user.
The VPN client shall prevent DNS queries intended to be routed through the VPN connection from being resolved by unauthorized servers while the VPN connection is active, unless explicitly authorized by the user.

#### 5.2.X.x **[MI-DNSL-1]** Exclusive DNS routing
Guidance: All requirements for DNS configuration assume that the VPN client is the only software changing DNS configuration on the system. The VPN client is not required to prevent DNS configuration changes by software other than the VPN client.

If configured, the VPN client shall route all DNS queries through the VPN connection to authorized DNS servers.
#### 5.2.X.x **[MI-DNSL-1]** Configurable exclusive DNS routing

* Test: with the VPN connected, perform concurrent DNS lookups while capturing traffic on all network interfaces
* Result: all DNS traffic shall be routed exclusively through the VPN connection to authorized DNS servers
* Documentation: a list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries
If so configured, the VPN client shall route all DNS queries through the VPN connection to authorized DNS servers.

#### 5.2.X.x **[MI-DNSL-2]** DNS fallback prevention
  * Reference: TR-DNSL
  * Objective: Prevent use of unauthorized DNS servers
  * Preparation: Configure the VPN to route all DNS queries to specific authorized servers through the VPN connection
  * Activities: Start the VPN connection and perform a DNS lookup while capturing traffic on all network interfaces
  * Verdict: All DNS traffic shall be routed exclusively through the VPN connection to authorized DNS servers => PASS, otherwise FAIL
  * Evidence: VPN client configuration, a list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries

#### 5.2.X.x **[MI-DNSL-2]** Exclusive DNS routing by default

By default the VPN client shall route all DNS queries through the VPN connection to authorized DNS servers.

  * Reference: TR-DNSL
  * Objective: Prevent use of unauthorized DNS servers
  * Preparation: Configure the VPN's authorized servers
  * Activities: Start the VPN connection and perform a DNS lookup while capturing traffic on all network interfaces
  * Verdict: All DNS traffic shall be routed exclusively through the VPN connection to authorized DNS servers => PASS, otherwise FAIL
  * Evidence: A list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries

#### 5.2.X.x **[MI-DNSL-3]** DNS fallback prevention

The VPN client shall prevent the operating system or applications from sending DNS queries to non-authorized servers during a VPN disconnection or network interface change. This assumes no other piece of software on the user's endpoint changes DNS configuration concurrently with the VPN client.
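Review bot: the MI-DNSL-1 test is weaker than the one it replaces: the removed Test line ran concurrent DNS lookups while capturing on all interfaces, whereas the new Activities line for both MI-DNSL-1 and MI-DNSL-2 runs a single lookup, so a resolver that sends the same query out of several interfaces in parallel could pass the new procedure while the old one would have caught it. Suggest restoring "perform concurrent DNS lookups" in both Activities lines. Two smaller points: the closing sentence of MI-DNSL-3 ("This assumes no other piece of software on the user's endpoint changes DNS configuration concurrently with the VPN client") now duplicates the Guidance paragraph added under TR-DNSL and can be dropped or replaced by a reference to it; and the hunk ends before any Reference/Objective/Preparation/Activities/Verdict/Evidence block for MI-DNSL-3, so if the unchanged lines that follow still carry the old Test/Result/Documentation format, that mitigation needs converting as well.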

@@ -215,10 +231,10 @@ The VPN client shall block (or notify users of) potential DNS bypass via encrypt
#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

| Security Profile | Requires mitigations                                  |
|----------------------|--------------------------------------------|
| UC-1                 | MI-DNSL-1, MI-DNSL-2                       |
| UC-2, UC-4           | MI-DNSL-1, MI-DNSL-2, MI-DNSL-3            |
| UC-3                 | MI-DNSL-1, MI-DNSL-2, MI-DNSL-3, MI-DNSL-4 |
|------------------|-------------------------------------------------------|
| UC-1             | MI-DNSL-1, MI-DNSL-3                                  |
| UC-2, UC-4       | MI-DNSL-1, MI-DNSL-3, MI-DNSL-4                       |
| UC-3             | MI-DNSL-1, MI-DNSL-2, MI-DNSL-3, MI-DNSL-4, MI-DNSL-5 |


### 5.2.X **TR-EISO**: Endpoint isolation
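Review bot: the new mapping references MI-DNSL-5 and moves DNS fallback prevention to MI-DNSL-3, but the only headings renumbered in this diff are MI-DNSL-1 through MI-DNSL-3; the mitigations after them (including the encrypted-DNS bypass mitigation visible in the hunk header context, formerly MI-DNSL-3 and MI-DNSL-4) must be renumbered to MI-DNSL-4 and MI-DNSL-5 in the unchanged lines, otherwise the table points at an identifier that does not exist. Please also confirm the intent that the default-on mitigation MI-DNSL-2 is required only for UC-3 while the configurable MI-DNSL-1 is required for every profile; a sentence after the table stating that would make the mapping self-explanatory. The separator row's column widths no longer match the header row, which is cosmetic but worth aligning.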