Commit 0f975c8c authored by Aki Braun

Merge branch 'nord-MI-DNSL-6' into 'main'

[MI-DNSL-6] DNS leak requirement edit from @petzolt & NordSec.

Closes #2

See merge request cyber/stan4cr2/en-304-620-1!61
parents 037d8adb 6e67c963
@@ -665,14 +665,14 @@ The VPN client shall monitor the DNS configuration of the system and take a user

#### 5.2.9.7 MI-DNSL-6 Secure DNS protocols

The VPN client shall block or notify users of potential DNS bypass via encrypted DNS protocols, including DNS over TLS (DoT) and DNS over HTTPS (DoH), if the traffic is routed via the VPN connection.
The VPN client shall block or notify users of potential VPN bypass via encrypted DNS protocols, including DNS over TLS (DoT) and DNS over HTTPS (DoH), if the traffic is routed via the VPN connection based on DNS policies.

* Reference: TR-DNSL
* Objective: Prevent DNS query leaks outside of VPN connection
* Preparation: None
* Activities: Start the VPN connection, then for each of DNS over TLS (DoT) and DNS over HTTPS (DoH), configure the operating system or an application to use a well-known public DNS provider for that protocol, then generate DNS requests while capturing traffic on all network interfaces
* Verdict: For all tests, either DNS connections to well-known public DNS providers should be blocked, or the user should be notified that some software on their OS is using encrypted DNS protocols with servers that don't belong to the VPN manufacturer
* Evidence: A description of the method used to prevent DNS over TLS (DoT) and DNS over HTTPS (DoH) leaks, a list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries
* Activities: Start the VPN connection, configure DNS-based policy routing, then for each of DNS over TLS (DoT) and DNS over HTTPS (DoH), configure the operating system or an application to use a well-known public DNS provider for that protocol, then generate DNS requests while capturing traffic on all network interfaces. If using notifications rather than blocking, observe the client UI or documentation for static warnings regarding encrypted DNS protocols.
* Verdict: For all tests, either DNS connections to well-known public DNS providers should be blocked, or the user should be notified that some software on their OS could be using encrypted DNS protocols with servers that don't belong to the VPN manufacturer
* Evidence: A description of the method used to prevent or notify the user about DNS over TLS (DoT) and DNS over HTTPS (DoH) leaks, a list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries, or a copy of the static notification provided to the user.

#### 5.2.9.8 MI-DNSL-7 No DNS leaks during network-level tunnel failure
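Review bot: The rewritten Evidence line ("... a packet capture showing the destination of all DNS queries, or a copy of the static notification provided to the user.") makes the packet capture optional, while the rewritten Activities line still requires generating DNS requests "while capturing traffic on all network interfaces"; if the notification path is accepted, the capture should stay mandatory so the verdict can be checked against observed traffic, e.g. "... a packet capture showing the destination of all DNS queries, and, where notification is used, a copy of the static notification provided to the user." Two smaller points in the same hunk: the requirement sentence now ends with "if the traffic is routed via the VPN connection based on DNS policies", which reads as a qualifier on when the requirement applies at all, and the corresponding Activities step "configure DNS-based policy routing" does not say what policy is expected, so both should name the policy being assumed; and the Verdict change from "is using" to "could be using" means a generic static warning satisfies the test regardless of whether any encrypted DNS traffic was actually observed, so the verdict text should state whether that is intended.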