@@ -229,11 +229,14 @@ The VPN client shall inspect the system DNS configuration when attempting to con
#### 5.2.X.x **[MI-DNSL-5]** Secure DNS protocols
The VPN client shall block (or notify users of) potential DNS bypass via encrypted DNS protocols, including DNS over TLS (DoT) and DNS over HTTPS (DoH).
The VPN client shall block (or notify users of) potential DNS bypass via encrypted DNS protocols, including DNS over TLS (DoT) and DNS over HTTPS (DoH), if the traffic is routed via the VPN connection.
* Test: with the VPN connected, the test shall be performed separately for both DNS over TLS (DoT) and DNS over HTTPS (DoH), configure the operating system or an application to use a well-known public DNS provider for that protocol, then generate DNS requests while capturing traffic on all network interfaces
* Result: in both tests, either DNS connections to well-known public DNS providers should be blocked, or the user should be notified that some software on their OS is using encrypted DNS protocols with servers that don't belong to the VPN provider
* Documentation: a description of the method used to prevent DNS over TLS (DoT) and DNS over HTTPS (DoH) leaks, a list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries
* Reference: TR-DNSL
* Objective: Prevent DNS query leaks outside of VPN connection
* Preparation: None
* Activities: Start the VPN connection, then for each of DNS over TLS (DoT) and DNS over HTTPS (DoH), configure the operating system or an application to use a well-known public DNS provider for that protocol, then generate DNS requests while capturing traffic on all network interfaces
* Verdict: For all tests, either DNS connections to well-known public DNS providers should be blocked, or the user should be notified that some software on their OS is using encrypted DNS protocols with servers that don't belong to the VPN provider
* Evidence: A description of the method used to prevent DNS over TLS (DoT) and DNS over HTTPS (DoH) leaks, a list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries
#### 5.2.X.x Mapping of mitigations to risk factors and security profiles
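Review bot: the qualifier appended to the rewritten requirement, "... including DNS over TLS (DoT) and DNS over HTTPS (DoH), if the traffic is routed via the VPN connection", is ambiguous and, read literally, works against the stated Objective "Prevent DNS query leaks outside of VPN connection": DoT/DoH requests that travel inside the tunnel are not a leak outside the VPN, so the clause can be read as exempting exactly the bypass the test is meant to catch (encrypted DNS sent directly to a public resolver around the tunnel). If the intent is to scope the requirement to traffic the client is responsible for routing (for example excluding split-tunnel applications), state that explicitly, e.g. "for any traffic the VPN client routes through the tunnel", and have the Verdict say whether an in-tunnel DoT/DoH connection to a resolver that is not on the authorized list passes or fails. Two smaller points on the new Activities/Verdict/Evidence lines: DoT is identifiable by TCP/853, but DoH is ordinary HTTPS on 443, so the procedure should name the public providers, or the resolver IP/SNI criteria, the tester uses to decide what counts as an encrypted DNS connection in the capture; and because "the user should be notified" is an acceptable Verdict, Evidence should also require a record (screenshot or client log) of that notification, which the current list of method description, authorized IP list and packet capture does not cover.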