### 5.2.X **[TR-ROUT]** VPN traffic routed only through VPN connection during VPN connection
### 5.2.X **[TR-ROUT]** VPN traffic routed only through VPN connection during VPN connection
From the moment the user activates the VPN connection until the user knowingly deactivates the VPN connection, no network traffic intended for the VPN connection shall exit the node via anything other than the VPN connection, whether not it is functioning.
From the moment the user activates the VPN connection until the user knowingly deactivates the VPN connection, no network traffic intended for the VPN connection shall exit the endpoint via anything other than the VPN connection, whether not it is functioning.
#### 5.2.X.x **[MI-ROUT-1]** VPN routing stays in effect until VPN connection deactivated
#### 5.2.X.x **[MI-ROUT-1]** VPN routing stays in effect until VPN connection deactivated
The product shall only report that the VPN connection is established after it has configured the system in such a way that all traffic intended to exit only through the VPN connection will only exit through the VPN connection until the user knowingly deactivates the VPN connection.
The product shall only report that the VPN connection is established after it has configured the system in such a way that all traffic intended to be routed through the VPN connection will only exit through the VPN connection until the user knowingly deactivates the VPN connection. This assumes no other software on the user's endpoint changes relevant network configuration (network interfaces, routes, DNS).
* Test: start the VPN connection, after it reports that it is connected, kill the VPN software in a way that does not allow it to execute any clean up routines, then attempt to transfer data that should only go through the VPN connection
* Test: start the VPN connection, after it reports that it is connected, kill the VPN software in a way that does not allow it to execute any clean up routines, then attempt to transfer data that should only go through the VPN connection
* Result: no data should exit the system
* Result: no data should exit the system
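Review bot: the test result on the last line ("no data should exit the system") is broader than the requirement it verifies; L4 and L8 narrow the scope to traffic "intended to be routed through the VPN connection", so split-tunnelled or excluded traffic may legitimately leave the endpoint during the test, and the result should read "no data intended for the VPN connection should exit the system". Two smaller points in the same hunk: "whether not it is functioning" in the TR-ROUT text should be "whether or not it is functioning" (the typo is carried over unchanged into the new line), and the added assumption in MI-ROUT-1 ("This assumes no other software on the user's endpoint changes relevant network configuration") belongs with the test conditions rather than the requirement text, since as written it lets the product pass by declaring any route or DNS rewrite by another agent out of scope; it would be tighter to state that the test environment contains no such software and that the product documents how it detects or re-asserts its configuration when that assumption is violated.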
@@ -110,11 +110,11 @@ The VPN client or server shall detect when multiple clients are using credential
### 5.2.X **[TR-DNSL]** DNS leak prevention
### 5.2.X **[TR-DNSL]** DNS leak prevention
The VPN client shall prevent all DNS queries originating from the device from being resolved by non-authorized servers while the VPN connection is active, unless explicitly authorized by the user.
The VPN client shall prevent DNS queries intended to be routed through the VPN connection from being resolved by non-authorized servers while the VPN connection is active, unless explicitly authorized by the user.
#### 5.2.X.x **[MI-DNSL-1]** Exclusive DNS routing
#### 5.2.X.x **[MI-DNSL-1]** Exclusive DNS routing
The VPN client shall route all DNS queries through the VPN connection to authorized DNS servers.
If configured, the VPN client shall route all DNS queries through the VPN connection to authorized DNS servers.
* Test: with the VPN connected, perform concurrent DNS lookups while capturing traffic on all network interfaces
* Test: with the VPN connected, perform concurrent DNS lookups while capturing traffic on all network interfaces
* Result: all DNS traffic shall be routed exclusively through the VPN connection to authorized DNS servers
* Result: all DNS traffic shall be routed exclusively through the VPN connection to authorized DNS servers
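Review bot: "If configured" added to MI-DNSL-1 makes the mitigation optional without saying who configures it (vendor default or user opt-in) or what the default is, and it is not reflected in the test, which still asserts that "all DNS traffic shall be routed exclusively through the VPN connection" with no configuration step. The parent text TR-DNSL was narrowed in the same hunk to "DNS queries intended to be routed through the VPN connection", so the test result should use the same scope (queries intended for the VPN, not all DNS traffic) and the test should state the configuration under which it is run; otherwise an implementation with the option off fails the test as written, and one with split DNS fails it for traffic the requirement no longer covers.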
@@ -122,7 +122,7 @@ The VPN client shall route all DNS queries through the VPN connection to authori
#### 5.2.X.x **[MI-DNSL-2]** DNS fallback prevention
#### 5.2.X.x **[MI-DNSL-2]** DNS fallback prevention
The VPN client shall prevent the operating system or applications from sending DNS queries to non-authorized servers during a VPN disconnection or network interface change.
The VPN client shall prevent the operating system or applications from sending DNS queries to non-authorized servers during a VPN disconnection or network interface change. This assumes no other piece of software on the user's endpoint changes DNS configuration concurrently with the VPN client.
* Test: with the VPN connected, simulate a VPN connection failure and a network interface change while capturing traffic on all network interfaces
* Test: with the VPN connected, simulate a VPN connection failure and a network interface change while capturing traffic on all network interfaces
* Result: no DNS queries are sent to any IP address not belonging to the VPN service
* Result: no DNS queries are sent to any IP address not belonging to the VPN service
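Review bot: the assumption added to MI-DNSL-2 ("no other piece of software on the user's endpoint changes DNS configuration concurrently with the VPN client") excludes exactly the condition the test exercises; on most platforms a network interface change is what causes the OS's own network agent (DHCP, NetworkManager, the Windows DNS client) to rewrite resolver settings, so the clause as worded would let a client that merely sets resolvers at connect time claim the scenario is out of scope. Suggest rewording so the mitigation is required to hold across such changes made by the operating system (for example by enforcing it at the packet-filter level, where it does not depend on resolver configuration, or by re-asserting the configuration on every interface event), and limiting the assumption to third-party software that deliberately overrides DNS settings. The test should also specify how the failure and the interface change are simulated so results are comparable across products.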
@@ -139,20 +139,20 @@ The VPN client shall inspect the system DNS configuration when attempting to con
#### 5.2.X.x **[MI-DNSL-4]** Secure DNS protocols
#### 5.2.X.x **[MI-DNSL-4]** Secure DNS protocols
The VPN client shall prevent DNS queries from bypassing the VPN connection via encrypted DNS protocols, including DNS over TLS (DoT) and DNS over HTTPS (DoH), unless explicitly authorized by the user.
The VPN client shall block (or notify users of) potential DNS bypass via encrypted DNS protocols, including DNS over TLS (DoT) and DNS over HTTPS (DoH).
* Test: with the VPN connected, the test shall be performed separately for both DNS over TLS (DoT) and DNS over HTTPS (DoH), configure the operating system or an application to use a public DNS provider for that protocol, then generate DNS requests while capturing traffic on all network interfaces
* Test: with the VPN connected, the test shall be performed separately for both DNS over TLS (DoT) and DNS over HTTPS (DoH), configure the operating system or an application to use a well-known public DNS provider for that protocol, then generate DNS requests while capturing traffic on all network interfaces
* Result: in both tests, the DNS queries shall either be blocked or be resolved by the VPN authorized DNS servers
* Result: in both tests, either DNS connections to well-known public DNS providers should be blocked, or the user should be notified that some software on their OS is using encrypted DNS protocols with servers that don't belong to the VPN provider
* Documentation: a description of the method used to prevent DNS over TLS (DoT) and DNS over HTTPS (DoH) leaks, a list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries
* Documentation: a description of the method used to prevent DNS over TLS (DoT) and DNS over HTTPS (DoH) leaks, a list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries
#### 5.2.X.x Mapping of mitigations to risk factors and security profiles
#### 5.2.X.x Mapping of mitigations to risk factors and security profiles
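Review bot: the new MI-DNSL-4 text ("block (or notify users of) potential DNS bypass") drops the "unless explicitly authorized by the user" clause and allows notification alone to satisfy the mitigation, which conflicts with the parent requirement TR-DNSL in this same change, which still says the client "shall prevent" queries from being resolved by non-authorized servers; a notification is not prevention, so either TR-DNSL should be relaxed too or notification should be limited to the authorized-by-user case. Three follow-on inconsistencies: the test and result now only cover "well-known public DNS providers", so DoT or DoH to any other resolver (including an attacker-controlled one) passes the test unobserved; the documentation line still asks for "the method used to prevent DNS over TLS (DoT) and DNS over HTTPS (DoH) leaks" although prevention is no longer required; and the result line names "servers that don't belong to the VPN provider" while the documentation names "authorized DNS server IP addresses", which are not necessarily the same set. Suggest phrasing the result as "DNS queries over DoT or DoH to any server not on the authorized list shall be blocked, or the user notified where the user has explicitly authorized that server", and aligning the documentation accordingly.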