@@ -177,13 +177,32 @@ Some VPN node shall detect when multiple VPN clients are using credentials that
### 5.2.X **[TR-DNSL]** DNS leak prevention
The VPN client shall prevent DNS queries intended to be routed through the VPN connection from being resolved by unauthorized servers while the VPN connection is active, unless explicitly authorized by the user.
The VPN client shall implement methods to reduce the likelihood of DNS queries being routed to unauthorized DNS servers while the VPN connection is active.
Guidance: All requirements for DNS configuration assume that the VPN client is the only software changing DNS configuration on the system. The VPN client is not required to prevent DNS configuration changes by software other than the VPN client.
Guidance: The network configuration of a system is frequently changed by multiple different pieces of software, many of which the VPN client has no control over or insight into.
#### 5.2.X.x **[MI-DNSL-1]** Configurable exclusive DNS routing
#### 5.2.X.x **[MI-DNSL-1]** Inform user of visibility of DNS queries
If so configured, the VPN client shall route all DNS queries through the VPN connection to authorized DNS servers.
The VPN client shall prominently inform the user of the visibility of their DNS queries under the current configuration and their consequences in simple plain language, focusing on the potential risk and impact to the user of such visibility. The VPN client shall inform the user about the circumstances under which their DNS queries may become visible on a public network or to the operators of DNS servers including but not limited to, and where applicable:
* Connecting any interface to a new network
* Other network management software changing the DNS configuration
* Changing the VPN client DNS configuration to use untrusted DNS servers
* Other software on the system using its own DNS configuration
* Browsers or other software using DNS over encrypted connections
The product shall require the user to actively confirm that they have read the information before using the VPN connection.
* Reference: TR-DNSL
* Objective: Transfer risk of loss of confidentiality to the user
* Preparation: None
* Activities: Start the VPN client, read any information displayed, and try to use the VPN connection before confirming that the user has read the information
* Verdict: Information is displayed at VPN client startup, information is clear and complete, VPN connection is not usable until the user confirms
#### 5.2.X.x **[MI-DNSL-2]** Configurable exclusive DNS routing
The VPN client shall offer a configuration option to route all DNS queries through the VPN connection to authorized DNS servers.
* Reference: TR-DNSL
* Objective: Prevent DNS query leaks outside of VPN connection
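Review bot: The new MI-DNSL-1 test is missing the "Evidence:" line that every other mitigation in this section carries, and its Verdict ("Information is displayed at VPN client startup, information is clear and complete, VPN connection is not usable until the user confirms") does not use the "=> PASS, otherwise FAIL" form used by MI-DNSL-2 and MI-DNSL-3 below; add an Evidence entry (e.g. screenshots of the notice and of the confirmation gate) and restate the Verdict as a PASS/FAIL criterion. Two smaller points in the same hunk: "The product shall require the user to actively confirm" should say "The VPN client" for consistency with the rest of the requirement, and the rewritten TR-DNSL ("shall implement methods to reduce the likelihood of DNS queries being routed to unauthorized DNS servers") drops the only measurable criterion of the old text without adding one, so state which of the MI-DNSL mitigations satisfy it or the threat requirement is untestable on its own.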
@@ -192,7 +211,7 @@ If so configured, the VPN client shall route all DNS queries through the VPN con
* Verdict: All DNS traffic shall be routed exclusively through the VPN connection to authorized DNS servers => PASS, otherwise FAIL
* Evidence: VPN client configuration, a list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries
#### 5.2.X.x **[MI-DNSL-2]** Exclusive DNS routing by default
#### 5.2.X.x **[MI-DNSL-3]** Exclusive DNS routing by default
By default the VPN client shall route all DNS queries through the VPN connection to authorized DNS servers.
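Review bot: Renumbering "Exclusive DNS routing by default" from MI-DNSL-2 to MI-DNSL-3 (and "Configurable exclusive DNS routing" from MI-DNSL-1 to MI-DNSL-2 in the previous hunk) breaks any existing reference to those identifiers, including the mapping of mitigations to risk factors in the last hunk; either keep the existing identifiers stable and append the new items as MI-DNSL-5 and MI-DNSL-6, or make sure every cross-reference is updated in this same change. Also, the Verdict line "All DNS traffic shall be routed exclusively through the VPN connection to authorized DNS servers => PASS" is phrased as a requirement ("shall") rather than an observation; "All captured DNS queries are addressed to authorized DNS servers via the VPN connection => PASS" reads better as a test outcome.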
@@ -203,19 +222,6 @@ By default the VPN client shall route all DNS queries through the VPN connection
* Verdict: All DNS traffic shall be routed exclusively through the VPN connection to authorized DNS servers => PASS, otherwise FAIL
* Evidence: A list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries
#### 5.2.X.x **[MI-DNSL-3]** DNS fallback prevention
> FIXME: This isn't achievable with current operating system services. Discuss at meeting - maybe frame this as best effort?
The VPN client shall prevent the operating system or applications from sending DNS queries to non-authorized servers during a VPN disconnection or network interface change.
* Reference: TR-DNSL
* Objective: Prevent DNS query leaks outside of VPN connection
* Preparation: Configure the VPN to route all DNS queries to specific authorized servers through the VPN connection
* Activities: Connect to the VPN, force a VPN connection failure and a network interface change while capturing traffic on all network interfaces
* Verdict: No DNS queries are sent to any IP address not belonging to the VPN service
* Evidence: A description of the simulated disruption methods, a list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries
#### 5.2.X.x **[MI-DNSL-4]** DNS misconfiguration
The VPN client shall inspect the system DNS configuration when attempting to connect and shall validate any DNS configuration it receives from the VPN server. If it detects a statically configured, non-authorized DNS server, the client shall either reject the configuration, refuse to connect, or provide a clear warning to the user.
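Review bot: Deleting MI-DNSL-3 "DNS fallback prevention" outright goes further than the FIXME it carried ("maybe frame this as best effort?"), and it leaves the VPN-disconnection and interface-change scenarios without any mitigation: the new MI-DNSL-5 in the next hunk only reacts to a detected change of the DNS configuration, and only within 30 seconds, so a disconnection that leaves the DNS configuration untouched is not covered. If the meeting outcome was to drop the requirement, say so in the commit message and consider keeping the scenario as Guidance under MI-DNSL-5 or as a listed circumstance in MI-DNSL-1 ("Connecting any interface to a new network" is already there; "VPN connection loss" is not).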
@@ -227,9 +233,22 @@ The VPN client shall inspect the system DNS configuration when attempting to con
* Verdict: In all tests, the client refuses the connection or displays an explicit warning to the user detailing the risk of a DNS leak
* Evidence: Client logs or screenshots demonstrating that the conflicting DNS configuration was detected and that the appropriate action was taken
#### 5.2.X.x **[MI-DNSL-5]** Secure DNS protocols
#### 5.2.X.x **[MI-DNSL-5]** Monitoring of DNS configuration
The VPN client shall monitor the DNS configuration of the system and take a user-configurable action when it detects that the DNS configuration has changed from the one the VPN client specified in a way that affects DNS query visibility to third parties. By default, the user-configurable option shall be to disable network traffic outside of the system. The VPN client shall detect DNS configuration changes within 30 seconds.
* Reference: TR-DNSL
* Objective: Prevent DNS query leaks outside of VPN connection
* Preparation: Configure the VPN client to use exclusive DNS routing to authorized DNS servers
* Activities: Start the VPN client, then alter the DNS configuration to stop using the authorized DNS servers
* Verdict: Within 30 seconds of the configuration change, networking is disabled
* Evidence: Logs, before and after configuration files, packet captures
Guidance: A platform-independent method of monitoring would be for the VPN client to send DNS queries periodically and check the source of the answer.
#### 5.2.X.x **[MI-DNSL-6]** Secure DNS protocols
The VPN client shall block (or notify users of) potential DNS bypass via encrypted DNS protocols, including DNS over TLS (DoT) and DNS over HTTPS (DoH), if the traffic is routed via the VPN connection.
The VPN client shall block or notify users of potential DNS bypass via encrypted DNS protocols, including DNS over TLS (DoT) and DNS over HTTPS (DoH), if the traffic is routed via the VPN connection.
* Reference: TR-DNSL
* Objective: Prevent DNS query leaks outside of VPN connection
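Review bot: In the new MI-DNSL-5, the default action "disable network traffic outside of the system" is ambiguous and does not match the Verdict "networking is disabled": state explicitly whether all traffic is blocked, whether traffic inside the VPN tunnel is also blocked, and whether the user is notified when the action fires. Two caveats worth adding as Guidance: the 30-second detection budget means queries can leak for up to 30 seconds before the action takes effect, so the Verdict should also check that the action is logged with a timestamp; and the suggested platform-independent check ("send DNS queries periodically and check the source of the answer") itself sends a query to whichever resolver is currently configured, so the probe should use a name that reveals nothing about the user. Finally, the MI-DNSL-6 wording change (dropping the parentheses around "or notify users of") is fine, but "block or notify" should be made a user-configurable choice with a stated default, as MI-DNSL-5 does.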
@@ -241,10 +260,11 @@ The VPN client shall block (or notify users of) potential DNS bypass via encrypt
#### 5.2.X.x Mapping of mitigations to risk factors and security profiles
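Review bot: This hunk grows the mapping section by one line but shows only the heading, so the table content cannot be reviewed here; given that the earlier hunks add MI-DNSL-1 (inform user) and MI-DNSL-5 (monitoring), delete "DNS fallback prevention", and shift the identifiers of the remaining mitigations, a single added row is unlikely to be sufficient. Please include the full table diff so the identifier renumbering and the removed entry can be checked against the risk factors and security profiles.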