Commit 2e8920ee authored by Marvin Petzolt's avatar Marvin Petzolt Committed by Aki Braun

[Nord 11] Proposal to define and rewrite DNS section

parent a0a4b4a7
+37 −44
@@ -366,7 +366,7 @@ Repository Metadata shall have an expiry date included in the signed portion of

From the moment the user activates the VPN connection until the user knowingly deactivates the VPN connection, no network traffic intended for the VPN connection shall exit the endpoint via anything other than the VPN connection, whether or not it is functioning.

Out of scope for the following requirements are other software on the user's endpoint with elevated privileges, users with administrator privileges, as well as the opperating system itself that could change relevant network configuration (network interfaces, routes, DNS) or circumvent the VPN tunnel due to elevated privileges. 
Out of scope for the following requirements are other software on the user's endpoint with elevated privileges, users with administrator privileges, as well as the operating system itself that could change relevant network configuration (network interfaces, routes, DNS) or circumvent the VPN tunnel due to elevated privileges. 

#### 5.2.5.2 MI-ROUT-1 VPN routing stays in effect until VPN connection deactivated

@@ -595,80 +595,73 @@ The VPN service shall provide a method to force revocation, temporary or permane

#### 5.2.9.1 Requirement

1. The VPN client shall be able to be configured with authorized DNS server(s).
2. When configured with an authorized DNS server, the client shall deny plaintext DNS queries to non-authorized DNS servers.
DNS leaks occur if the client does not or only partially tunnels DNS traffic through the VPN connection. This could either happen due to misconfiguration, system overwrites, or by design for example in case only partial traffic is tunnelled, so called split tunnelling.

Further, the user might want to set special DNS configuration either configured by the enterprise or custom configured in a consumer context. The VPN provider then must honour this DNS configuration. 

Special attention to DNS queries is required, because they are usually transmitted in plaintext and could be eavesdropped on by an attacker on the wire or the DNS server itself and disclose which domains the user is trying to connect to. 

A DNS server is authorised if:

1. the DNS server is configured by administrating user, or
2. the DNS server is provided by the VPN manufacturer 

The following requirements apply to DNS traffic intended for the VPN connection. DNS queries for connection establishment, maintenance or restoration of the VPN tunnel are excluded.

> [!note]
> The network configuration of a system is frequently changed by multiple different pieces of software, many of which the VPN client has no control over or insight into.

#### 5.2.9.2 MI-DNSL-1 Inform user of visibility of DNS queries

The VPN client shall prominently inform the user of the visibility of their DNS queries under the current configuration and their consequences in simple plain language, focusing on the potential risk and impact to the user of such visibility. The VPN client shall inform the user about the circumstances under which their DNS queries may become visible on a public network or to the operators of DNS servers including but not limited to, and where applicable:
The VPN client shall prominently inform the user of the visibility of their plaintext DNS queries under the current configuration and their consequences in simple plain language, focusing on the potential risk and impact to the user of such visibility and potential steps to resolve this risk. 

* Connecting any interface to a new network
* Other network management software changing the DNS configuration
* Changing the VPN client DNS configuration to use untrusted DNS servers
* Other software on the system using its own DNS configuration
* Browsers or other software using DNS over encrypted connections

The product shall require the user to actively confirm that they have read the information before using the VPN connection.
The product shall require the user to actively confirm that they have read the information before being able to use the VPN connection.

* Applicability: Journalist & Activity, Privacy Cautious Households 
* Reference: TR-DNSL
* Objective: Transfer risk of loss of confidentiality to the user
* Objective: Consent to and transfer of risk of loss of confidentiality to the user
* Preparation: None
* Activities: Start the VPN client, read any information displayed, and try to use the VPN connection before confirming that the user has read the information
* Verdict: Information is displayed at VPN client startup, information is clear and complete, VPN connection is not usable until the user confirms
* Activities: Start the VPN client, configure the VPN in such a way that DNS queries are not routed exclusively through the VPN and read any information displayed. Attempt to use the VPN connection before confirming that the user has read the information
* Verdict: Information is displayed is clear and complete, VPN connection is not usable until the user confirms
* Evidence: Logs, screenshots, screen recordings, packet captures

#### 5.2.9.3 MI-DNSL-2 Configurable exclusive DNS routing

The VPN client shall offer a configuration option to route all DNS queries through the VPN connection to authorized DNS servers.
Unless DNS traffic is routed exclusively through the VPN at all times, the VPN client shall offer a configuration option to route all DNS queries through the VPN connection.

* Reference: TR-DNSL
* Objective: Prevent DNS query leaks outside of VPN connection
* Preparation: Configure the VPN to route all DNS queries to specific authorized servers through the VPN connection
* Preparation: Configure the VPN to route all DNS queries through the VPN connection
* Activities: Start the VPN connection and perform a DNS lookup while capturing traffic on all network interfaces
* Verdict: All DNS traffic shall be routed exclusively through the VPN connection to authorized DNS servers => PASS, otherwise FAIL
* Evidence: VPN client configuration, a list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries
* Verdict: All DNS traffic shall be routed exclusively through the VPN connection => PASS, otherwise FAIL
* Evidence: VPN client configuration, a packet capture showing the destination of all DNS queries

> [!note]
> Excluded from this verdict are DNS queries which are transmitted using DoH, DoT or other DNS query hiding techniques. 

#### 5.2.9.4 MI-DNSL-3 Exclusive DNS routing by default

By default the VPN client shall route all DNS queries through the VPN connection to authorized DNS servers.
By default the VPN client shall route all DNS queries through the VPN connection.

* Reference: TR-DNSL
* Objective: Prevent DNS query leaks outside of VPN connection
* Preparation: Configure the VPN's authorized servers
* Activities: Start the VPN connection and perform a DNS lookup while capturing traffic on all network interfaces
* Verdict: All DNS traffic shall be routed exclusively through the VPN connection to authorized DNS servers => PASS, otherwise FAIL
* Evidence: A list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries

#### 5.2.9.5 MI-DNSL-4 DNS misconfiguration

The VPN client shall validate any DNS configuration it receives from the VPN server. If it detects a misconfiguration, e.g. a statically configured, non-authorized DNS server, the client shall either refuse to connect or provide a clear warning to the user.

* Reference: TR-DNSL
* Objective: Prevent DNS query leaks outside of VPN connection
* Preparation: None
* Activities: Perform two separate tests:
    1. manually configure the operating system primary network interface to use a public DNS server not associated with the VPN manufacturer and attempt to connect
    2. connect to a test VPN server that is configured to push a public DNS server IP address to the client
* Verdict: In all tests, the client refuses the connection or displays an explicit warning to the user detailing the risk of a DNS leak
* Evidence: Client logs or screenshots demonstrating that the conflicting DNS configuration was detected and that the appropriate action was taken
* Verdict: All DNS traffic shall be routed exclusively through the VPN connection => PASS, otherwise FAIL
* Evidence: A packet capture showing that no DNS query is transmitted outside the VPN tunnel

#### 5.2.9.6 MI-DNSL-5 Monitoring of DNS configuration

The VPN client shall monitor the DNS configuration of the system and take a user-configurable action when it detects that the DNS configuration has changed from the one the VPN client specified in a way that affects plaintext DNS query visibility to third parties. By default, the user-configurable option shall be to disable network traffic outside of the system.
The VPN client shall monitor changes in the local DNS configuration and take a user-configurable action when it detects that the DNS configuration has changed from the one the VPN client specified. By default, the configurable option shall be to disable network traffic outside of the system.

This requirement is only applicable, if changes in the local DNS configuration would affect the plaintext DNS query visibility outside the tunnel to third parties of the system. 

* Reference: TR-DNSL
* Objective: Prevent DNS query leaks outside of VPN connection
* Preparation: Configure the VPN client to use exclusive DNS routing to authorized DNS servers
* Activities: Start the VPN client, then alter the DNS configuration to stop using the authorized DNS servers
* Verdict: Within 30 seconds of the configuration change, networking is disabled
* Activities: Start the VPN client and capture network packages on all interfaces, then alter the DNS configuration to stop using the authorized DNS servers
* Verdict: Analyse network packages, if DNS packages are leaked outside the tunnel, then within 30 seconds of the configuration change, networking is disabled
* Evidence: Logs, before and after configuration files, packet captures

> [!note]
> A platform-independent method of monitoring would be for the VPN client to send DNS queries periodically and check the source of the answer.

#### 5.2.9.7 MI-DNSL-6 Secure DNS protocols

The VPN client shall block or notify users of potential VPN bypass via encrypted DNS protocols, including DNS over TLS (DoT) and DNS over HTTPS (DoH), if the traffic is routed via the VPN connection based on DNS policies.
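Review bot: the rewritten test for MI-DNSL-4 no longer checks what its requirement text demands. The requirement still says "the client shall either refuse to connect or provide a clear warning to the user", and both activities still set up a non-authorized DNS server (one configured locally, one pushed by the test VPN server), but the new verdict is "All DNS traffic shall be routed exclusively through the VPN connection => PASS, otherwise FAIL" with only a packet capture as evidence, so a client that silently tunnels the queries passes without having refused or warned; either keep a verdict that checks for the refusal or warning, or rewrite the requirement to match the packet-capture verdict. A related inconsistency comes from dropping "to authorized DNS servers" from MI-DNSL-2 and MI-DNSL-3: the definition of an authorised server (configured by the administrating user, or provided by the VPN manufacturer) stays in 5.2.9.1, and MI-DNSL-3's preparation, verdict and evidence, MI-DNSL-5's preparation and activities, and MI-DNSL-7 still refer to authorized or non-authorized servers, so the term is defined and tested but no longer required; decide whether the requirements are about tunnel-only routing or about the destination server and apply that throughout (and settle on one spelling, authorised or authorized). Smaller points: the new MI-DNSL-1 sentence ends with "potential steps to resolve this risk." and no longer introduces the bullet list that follows it (new network, other network management software, untrusted DNS servers, per-application DNS, encrypted DNS), so the list needs a lead-in or the verdict's "clear and complete" loses its reference; the new MI-DNSL-1 verdict "Information is displayed is clear and complete" is missing a word; the MI-DNSL-5 applicability sentence ("... outside the tunnel to third parties of the system") is garbled and "network packages" in its activities and verdict should be "packets"; the new MI-DNSL-5 verdict makes disabling networking conditional on observing a leak, while the requirement triggers on the configuration change itself, so if the applicability sentence is the intended condition, fold it into the requirement; and the new note under MI-DNSL-2 excluding DoH/DoT queries from the verdict should cross-reference MI-DNSL-6, which covers exactly those bypasses.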
@@ -682,7 +675,7 @@ The VPN client shall block or notify users of potential VPN bypass via encrypted

#### 5.2.9.8 MI-DNSL-7 No DNS leaks during network-level tunnel failure

The VPN client shall ensure that DNS queries are not sent to non-authorized DNS servers when the connection to the VPN server is lost at the network level.
The VPN client shall ensure that DNS queries intended for the VPN tunnel are not sent to non-authorized DNS servers when the connection to the VPN server is lost at the network level.

* Reference: TR-DNSL
* Objective: Prevent DNS query leaks during tunnel failure
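Review bot: the added qualifier "intended for the VPN tunnel" lines up with the scope sentence in 5.2.5 ("no network traffic intended for the VPN connection shall exit the endpoint"); use the same term, "VPN connection", so the two scopes read as one. The requirement also still depends on "non-authorized DNS servers", so it needs the authorised-server definition in 5.2.9.1 to stay in place.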
@@ -857,7 +850,7 @@ The VPN shall support mixing a preshared key (PSK) into the key derivation proce
* Preparation: Attach a debugger to the VPN client binding to cryptographic functions or capture traffic on all interfaces
* Activities: Create protocol trace when setting up a post-quantum safe tunnel or capture packet showing the encryption headers
* Verdict: Protocol trace or packet capture demonstrating that the PSK is incorporated into key derivation during tunnel establishment => PASS, otherwise => FAIL
* Evidence: The protocol trace or packet capture demonstating the mixing a preshared key into the key derivation process
* Evidence: The protocol trace or packet capture demonstrating the mixing a preshared key into the key derivation process

#### 5.2.14.3 MI-CRYPT-2: Use conformant encryption
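Review bot: the spelling fix (demonstating → demonstrating) is correct, but the evidence line is still ungrammatical: "demonstrating the mixing a preshared key into the key derivation process" should read "demonstrating that a preshared key is mixed into the key derivation process".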