@@ -186,7 +186,7 @@ Guidance: All requirements for DNS configuration assume that the VPN client is t
If so configured, the VPN client shall route all DNS queries through the VPN connection to authorized DNS servers.
* Reference: TR-DNSL
* Objective: Prevent use of unauthorized DNS servers
* Objective: Prevent DNS query leaks outside of VPN connection
* Preparation: Configure the VPN to route all DNS queries to specific authorized servers through the VPN connection
* Activities: Start the VPN connection and perform a DNS lookup while capturing traffic on all network interfaces
* Verdict: All DNS traffic shall be routed exclusively through the VPN connection to authorized DNS servers => PASS, otherwise FAIL
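Review bot: The Verdict here is stated over "All DNS traffic", but the Activities line only calls for "a DNS lookup", and the item has no Evidence bullet, unlike the MI-DNSL-3 and MI-DNSL-4 items further down in this patch. Suggest adding an Evidence line in the same form (the list of authorized DNS server IP addresses and the packet capture showing the destination of all DNS queries) so that a PASS can be checked by someone other than the tester. It would also help to say whether the capture must run for the whole session or only around the single lookup.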
@@ -197,7 +197,7 @@ If so configured, the VPN client shall route all DNS queries through the VPN con
By default the VPN client shall route all DNS queries through the VPN connection to authorized DNS servers.
* Reference: TR-DNSL
* Objective: Prevent use of unauthorized DNS servers
* Objective: Prevent DNS query leaks outside of VPN connection
* Preparation: Configure the VPN's authorized servers
* Activities: Start the VPN connection and perform a DNS lookup while capturing traffic on all network interfaces
* Verdict: All DNS traffic shall be routed exclusively through the VPN connection to authorized DNS servers => PASS, otherwise FAIL
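Review bot: The Preparation line "Configure the VPN's authorized servers" sits under a requirement that starts with "By default", and it does not say where that configuration is made. If the tester sets DNS options in the client, the test no longer exercises default behaviour and becomes the same test as the "If so configured" item above. Suggest stating that the client DNS settings are left at their defaults and that only the service side (or the list of servers the verdict is checked against) is prepared. As in the previous item, an Evidence bullet is missing.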
@@ -205,22 +205,29 @@ By default the VPN client shall route all DNS queries through the VPN connection
#### 5.2.X.x **[MI-DNSL-3]** DNS fallback prevention
The VPN client shall prevent the operating system or applications from sending DNS queries to non-authorized servers during a VPN disconnection or network interface change. This assumes no other piece of software on the user's endpoint changes DNS configuration concurrently with the VPN client.
> FIXME: This isn't achievable with current operating system services. Discuss at meeting - maybe frame this as best effort?
* Test: with the VPN connected, simulate a VPN connection failure and a network interface change while capturing traffic on all network interfaces
* Result: no DNS queries are sent to any IP address not belonging to the VPN service
* Documentation: a description of the simulated disruption methods, a list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries
The VPN client shall prevent the operating system or applications from sending DNS queries to non-authorized servers during a VPN disconnection or network interface change.
#### 5.2.X.x **[MI-DNSL-3]** DNS misconfiguration
* Reference: TR-DNSL
* Objective: Prevent DNS query leaks outside of VPN connection
* Preparation: Configure the VPN to route all DNS queries to specific authorized servers through the VPN connection
* Activities: Connect to the VPN, force a VPN connection failure and a network interface change while capturing traffic on all network interfaces
* Verdict: No DNS queries are sent to any IP address not belonging to the VPN service
* Evidence: A description of the simulated disruption methods, a list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries
#### 5.2.X.x **[MI-DNSL-4]** DNS misconfiguration
The VPN client shall inspect the system DNS configuration when attempting to connect and shall validate any DNS configuration it receives from the VPN server. If it detects a statically configured, non-authorized DNS server, the client shall either reject the configuration, refuse to connect, or provide a clear warning to the user.
* Test: perform two separate tests: (1) manually configure the operating system primary network interface to use a public DNS server not associated with the VPN provider and attempt to connect, (2) connect to a test VPN server that is configured to push a public DNS server IP address to the client
* Result: in both tests, the client shall detect the conflicting DNS setting and either refuse the connection or display an explicit warning to the user detailing the risk of a DNS leak
* Output: client logs or screenshots demonstrating that the conflicting DNS configuration was detected and that the appropriate action was taken
* Documentation: a description of the client validation for both local and server-provided DNS settings
* Reference: TR-DNSL
* Objective: Prevent DNS query leaks outside of VPN connection
* Preparation: None
* Activities: Perform two separate tests: (1) manually configure the operating system primary network interface to use a public DNS server not associated with the VPN provider and attempt to connect, (2) connect to a test VPN server that is configured to push a public DNS server IP address to the client
* Verdict: In all tests, the client refuses the connection or displays an explicit warning to the user detailing the risk of a DNS leak
* Evidence: Client logs or screenshots demonstrating that the conflicting DNS configuration was detected and that the appropriate action was taken
#### 5.2.X.x **[MI-DNSL-4]** Secure DNS protocols
#### 5.2.X.x **[MI-DNSL-5]** Secure DNS protocols
The VPN client shall block (or notify users of) potential DNS bypass via encrypted DNS protocols, including DNS over TLS (DoT) and DNS over HTTPS (DoH).
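Review bot: The MI-DNSL-3 requirement text appears both with and without the sentence "This assumes no other piece of software on the user's endpoint changes DNS configuration concurrently with the VPN client", and the FIXME saying the requirement "isn't achievable with current operating system services" is not answered by any of the reformatted lines. The Verdict "No DNS queries are sent to any IP address not belonging to the VPN service" stays absolute. Either keep the assumption in the requirement or record the outcome of the meeting discussion (best effort or not) before the FIXME goes away. That Verdict also says "belonging to the VPN service" where the Evidence line and the MI-DNSL-1/2 verdicts say "authorized DNS servers"; one term should be used throughout. In the misconfiguration item, "Preparation: None" does not match Activities step (2), which needs a test VPN server configured to push a public DNS server IP address; that setup belongs under Preparation. The reformatted bullets for that item also have no counterpart to the "Documentation: a description of the client validation for both local and server-provided DNS settings" line; if that is intentional it should be stated, otherwise fold it into Evidence.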