@@ -589,24 +589,26 @@ The VPN service shall provide a method to force revocation, temporary or permane
#### 5.2.9.1 Requirement
DNS leaks occur, even if confidentially of all traffic, including DNS queries, shall be preserved, if the client does not or only partially tunnels DNS traffic through the VPN connection. This could either happen due to misconfiguration, system overwrites, or by design for example in case only partial traffic is tunnelled, so called split tunnelling.
Special attention to DNS queries is required, because they are usually transmitted in plaintext and could be eavesdropped on by an attacker on the wire or the DNS server itself and disclose which domains the user is trying to connect to.
Further, the user might want to set special DNS configuration either configured by the enterprise or custom configured in a consumer context. The VPN provider then must honour this DNS configuration.
DNS leaks occur if the client does not or only partially tunnels cleartext DNS traffic through the VPN connection. This could either happen due to misconfiguration, system overwrites, or by design for example in case only partial traffic is tunnelled, so-called split tunnelling.
Special attention to DNS queries is required, because they are usually transmitted in plaintext and could be eavesdropped on by an attacker on the wire or the DNS server itself and disclose which domains the user is trying to connect to.
Further, the user might want to set special DNS configuration either configured by the enterprise or custom configured in a consumer context. The VPN provider then must honour this DNS configuration.
A DNS server is authorised if:
1. the DNS server is configured by administrating user, or
2. the DNS server is provided by the VPN manufacturer
> NOTE: is an evolution away plaintext DNS to secure DNS, with platforms, browsers and/or applications increasingly using "secure DNS" that is transported over TLS or HTTPS. Unlike cleartext DNS that uses port 53, use of secure DNS can be harder to identify, inhibiting the enforcement of specific policies to use a specifically configured DNS server.
The following requirements apply to DNS traffic intended for the VPN connection. DNS queries for connection establishment, maintenance or restoration of the VPN tunnel are excluded.
> NOTE: The network configuration of a system is frequently changed by multiple different pieces of software, many of which the VPN client has no control over or insight into.
#### 5.2.9.2 MI-DNSL-1 Inform user of visibility of DNS queries
The VPN client shall prominently inform the user of the visibility of their plaintext DNS queries under the current configuration and their consequences in simple plain language, focusing on the potential risk and impact to the user of such visibility and potential steps to resolve this risk.
The VPN client shall prominently inform the user of the handling of their plaintext DNS queries under the current configuration and their consequences in simple plain language, focusing on the potential risk and impact to the user of such handling and, where applicable, potential steps to resolve this risk.
The product shall require the user to actively confirm that they have read the information before being able to use the VPN connection.
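Review bot: the NOTE line "is an evolution away plaintext DNS to secure DNS" is missing its subject and preposition and should read "There is an evolution away from plaintext DNS to secure DNS"; since this hunk already rewrites the surrounding requirement text, the note is worth fixing in the same change. In the authorised-server definition, "configured by administrating user" needs an article ("by the administrating user") and does not say whether a DNS server set by a non-administrative user in the consumer context counts, even though the paragraph above says the VPN provider must honour custom consumer configuration; a sentence resolving that would make MI-DNSL-5 and MI-DNSL-7 testable without guessing. Finally, the exclusion "DNS queries for connection establishment, maintenance or restoration of the VPN tunnel are excluded" is the right scope, but it should say which servers such queries may use, otherwise it is an unbounded carve-out from every requirement below.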
@@ -620,35 +622,35 @@ The product shall require the user to actively confirm that they have read the i
#### 5.2.9.3 MI-DNSL-2 Configurable exclusive DNS routing
Unless DNS traffic is routed exclusively through the VPN at all times, the VPN client shall offer a configuration option to route all DNS queries through the VPN connection.
Unless DNS traffic is routed exclusively through the VPN at all times, the VPN client shall offer a configuration option to route all DNS queries using well-known ports through the VPN connection.
* Reference: TR-DNSL
* Objective: Prevent DNS query leaks outside of VPN connection
* Preparation: Configure the VPN to route all DNS queries through the VPN connection
* Objective: Prevent plaintext DNS query leaks outside of VPN connection
* Preparation: Configure the VPN to route all DNS queries using well-known ports through the VPN connection
* Activities: Start the VPN connection and perform a DNS lookup while capturing traffic on all network interfaces
* Verdict: All DNS traffic shall be routed exclusively through the VPN connection => PASS, otherwise FAIL
* Evidence: VPN client configuration, a packet capture showing the destination of all DNS queries
* Verdict: All plaintext DNS traffic shall be routed exclusively through the VPN connection => PASS, otherwise FAIL
* Evidence: VPN client configuration, a packet capture showing the destination of all DNS queries using well-known ports
> NOTE: Excluded from this verdict are DNS queries which are transmitted using DoH, DoT or other DNS query hiding techniques.
#### 5.2.9.4 MI-DNSL-3 Exclusive DNS routing by default
By default the VPN client shall route all DNS queries through the VPN connection.
By default, the VPN client shall route all DNS queries using well-known ports through the VPN connection.
* Reference: TR-DNSL
* Objective: Prevent DNS query leaks outside of VPN connection
* Objective: Prevent DNS query leaks using well-known ports outside of VPN connection
* Activities: Start the VPN connection and perform a DNS lookup while capturing traffic on all network interfaces
* Verdict: All DNS traffic shall be routed exclusively through the VPN connection => PASS, otherwise FAIL
* Evidence: A packet capture showing that no DNS query is transmitted outside the VPN tunnel
* Verdict: All plaintext DNS traffic shall be routed exclusively through the VPN connection => PASS, otherwise FAIL
* Evidence: A packet capture showing that no DNS query using well-known ports is transmitted outside the VPN tunnel
#### 5.2.9.6 MI-DNSL-5 Monitoring of DNS configuration
The VPN client shall monitor changes in the local DNS configuration and take a user-configurable action when it detects that the DNS configuration has changed from the one the VPN client specified. By default, the configurable option shall be to disable network traffic outside of the system.
The VPN client shall monitor changes in the local DNS configuration and take a user-configurable action when it detects that the DNS configuration has changed from the one the VPN client specified. By default, the configurable option shall be to disable network traffic outside the system.
This requirement is only applicable, if changes in the local DNS configuration would affect the plaintext DNS query visibility outside the tunnel to third parties of the system.
* Reference: TR-DNSL
* Objective: Prevent DNS query leaks outside of VPN connection
* Objective: Prevent plaintext DNS query leaks outside of VPN connection
* Preparation: Configure the VPN client to use exclusive DNS routing to authorized DNS servers
* Activities: Start the VPN client and capture network packages on all interfaces, then alter the DNS configuration to stop using the authorized DNS servers
* Verdict: Analyse network packages, if DNS packages are leaked outside the tunnel, then within 30 seconds of the configuration change, networking is disabled
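Review bot: "well-known ports" is introduced throughout this hunk but never defined, and as written it conflicts with the NOTE "Excluded from this verdict are DNS queries which are transmitted using DoH, DoT or other DNS query hiding techniques": DoT itself uses the well-known port 853 (as hunk 3 states), so "all DNS queries using well-known ports" would include DoT while the NOTE excludes it. State the intended scope explicitly, for example "plaintext DNS on UDP/TCP port 53", and use the same wording in the Preparation, Verdict and Evidence items. The rewritten objective "Prevent DNS query leaks using well-known ports outside of VPN connection" also reads as if the leak rather than the query uses the port; "Prevent leaks of DNS queries on well-known ports outside the VPN connection" is clearer. In MI-DNSL-5, the verdict assumes the default action ("networking is disabled within 30 seconds") but the Preparation item does not say to leave the action at its default, and "network packages" should be "network packets" in the Activities and Verdict items.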
@@ -656,24 +658,24 @@ This requirement is only applicable, if changes in the local DNS configuration w
#### 5.2.9.7 MI-DNSL-6 Secure DNS protocols
The VPN client shall block or notify users of potential VPN bypass via encrypted DNS protocols, including DNS over TLS (DoT) and DNS over HTTPS (DoH), if the traffic is routed via the VPN connection based on DNS policies.
The VPN client shall block or notify users of potential VPN bypass via encrypted DNS protocols, including when using the dedicated port for DNS over TLS (DoT), if the traffic is routed via the VPN connection based on DNS policies.
* Reference: TR-DNSL
* Objective: Prevent DNS query leaks outside of VPN connection
* Preparation: None
* Activities: Start the VPN connection, configure DNS-based policy routing, then for each of DNS over TLS (DoT) and DNS over HTTPS (DoH), configure the operating system or an application to use a well-known public DNS provider for that protocol, then generate DNS requests while capturing traffic on all network interfaces. If using notifications rather than blocking, observe the client UI or documentation for static warnings regarding encrypted DNS protocols.
* Activities: Start the VPN connection, configure DNS-based policy routing, then for each of DNS over TLS (DoT), configure the operating system or an application to use a well-known public DNS provider for that protocol using the well-known port 853, then generate DNS requests while capturing traffic on all network interfaces. If using notifications rather than blocking, observe the client UI or documentation for static warnings regarding encrypted DNS protocols.
* Verdict: For all tests, either DNS connections to well-known public DNS providers should be blocked, or the user should be notified that some software on their OS could be using encrypted DNS protocols with servers that don't belong to the VPN manufacturer
* Evidence: A description of the method used to prevent or notify the user about DNS over TLS (DoT) and DNS over HTTPS (DoH) leaks, a list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries, or a copy of the static notification provided to the user.
* Evidence: A description of the method used to prevent or notify the user about DNS over TLS (DoT) leaks, a list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries, or a copy of the static notification provided to the user.
#### 5.2.9.8 MI-DNSL-7 No DNS leaks during network-level tunnel failure
The VPN client shall ensure that DNS queries intended for the VPN tunnel are not sent to non-authorized DNS servers when the connection to the VPN server is lost at the network level.
The VPN client shall ensure that DNS queries using well-known ports intended for the VPN tunnel are not sent to non-authorized DNS servers when the connection to the VPN server is lost at the network level.
* Reference: TR-DNSL
* Objective: Prevent DNS query leaks during tunnel failure
* Preparation: Start the VPN connection with exclusive DNS routing enabled.
* Activities: Induce a network-level tunnel failure by blocking traffic to the VPN server's IP address using a host-based firewall. Attempt to resolve a domain name while capturing traffic on all network interfaces.
* Verdict: No DNS queries are sent to DNS servers outside of the VPN connection.
* Verdict: No DNS queries using well-known ports are sent to DNS servers outside the VPN connection.
* Evidence: Method used to induce tunnel failure, packet capture, log messages.
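Review bot: removing DoH from MI-DNSL-6 leaves several inconsistent leftovers in the same hunk: "then for each of DNS over TLS (DoT), configure" now enumerates a single item, the verdict still opens with "For all tests" although only the DoT/853 test remains, and the heading and requirement still speak of "encrypted DNS protocols" in the plural while the test covers only the dedicated DoT port. Either reword these to the singular case or keep the plural and say in the NOTE that DoH is out of scope because it cannot be distinguished by port. For MI-DNSL-7, "DNS queries using well-known ports" has the same undefined-scope problem as the previous hunk, and the verdict "No DNS queries using well-known ports are sent to DNS servers outside the VPN connection" should say how to treat a query that resolves the VPN server's own hostname during tunnel restoration, since the scope statement in section 5.2.9.1 excludes such queries and a tester capturing all interfaces will otherwise see it and record a FAIL.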