Commit ed51d71e authored by Vinicius Fortuna, committed by JANSSEN; jeroen

feat: Add DNS leak and transparency requirements

parent f6b5108e
+37 −15
@@ -283,20 +283,42 @@ The VPN client shall block or notify users of potential DNS bypass via encrypted
  * Verdict: For all tests, either DNS connections to well-known public DNS providers should be blocked, or the user should be notified that some software on their OS is using encrypted DNS protocols with servers that don't belong to the VPN provider
  * Evidence: A description of the method used to prevent DNS over TLS (DoT) and DNS over HTTPS (DoH) leaks, a list of authorized DNS server IP addresses, a packet capture showing the destination of all DNS queries

#### 5.2.5.8 Mapping of mitigations to risk factors and security profiles
#### 5.2.5.7 **[MI-DNSL-7]** No DNS leaks during network-level tunnel failure

The VPN client shall ensure that DNS queries are not sent to non-authorized DNS servers when the connection to the VPN server is lost at the network level.

  * Reference: TR-DNSL
  * Objective: Prevent DNS query leaks during tunnel failure
  * Preparation: Start the VPN connection with exclusive DNS routing enabled.
  * Activities: Induce a network-level tunnel failure by blocking traffic to the VPN server's IP address using a host-based firewall. Attempt to resolve a domain name while capturing traffic on all network interfaces.
  * Verdict: No DNS queries are sent to DNS servers outside of the VPN connection.
  * Evidence: Method used to induce tunnel failure, packet capture, log messages.

#### 5.2.5.8 **[MI-DNSL-8]** Disclose DNS provider

The VPN client shall clearly inform the user about the operator of the DNS servers being used by the VPN service (e.g., "DNS resolution provided by VPN Provider" or "DNS resolution provided by Google"). This information should be easily accessible in the client's interface.

  * Reference: TR-DNSL
  * Objective: Inform the user about third parties handling their DNS queries
  * Preparation: None
  * Activities: Inspect the VPN client's user interface and any accompanying documentation.
  * Verdict: The operator of the DNS service is clearly disclosed.
  * Evidence: Screenshot of the relevant UI element or documentation.

#### 5.2.5.9 Mapping of mitigations to risk factors and security profiles

| Risk factors      | Requires mitigations                                   |
|-------------------|------------------------------------------------|
| DAT < 1           | DNSL-1, DNSL-2                                 |
| DAT < 2 & ADM > 0 | DNSL-1, DNSL-2, DNSL-3, DNSL-4                 |
| DAT > 1           | DNSL-1, DNSL-2, DNSL-3, DNSL-4, DNSL-5, DNSL-6 |
|-------------------|--------------------------------------------------------|
| DAT < 1           | DNSL-1, DNSL-2, DNSL-8                                 |
| DAT < 2 & ADM > 0 | DNSL-1, DNSL-2, DNSL-3, DNSL-4, DNSL-8                 |
| DAT > 1           | DNSL-1, DNSL-2, DNSL-3, DNSL-4, DNSL-5, DNSL-6, DNSL-7, DNSL-8 |
| ADM < 1           | DNSL-2, DNSL-4                                         |

| Security Profile | Requires mitigations                                   |
|------------------|------------------------------------------------|
| UC-1             | DNSL-1, DNSL-2                                 |
| UC-2             | DNSL-1, DNSL-2, DNSL-3, DNSL-4                 |
| UC-3             | DNSL-1, DNSL-2, DNSL-3, DNSL-4, DNSL-5, DNSL-6 |
|------------------|--------------------------------------------------------|
| UC-1             | DNSL-1, DNSL-2, DNSL-8                                 |
| UC-2             | DNSL-1, DNSL-2, DNSL-3, DNSL-4, DNSL-8                 |
| UC-3             | DNSL-1, DNSL-2, DNSL-3, DNSL-4, DNSL-5, DNSL-6, DNSL-7, DNSL-8 |
| UC-4             | DNSL-2, DNSL-4                                         |

### 5.2.6 **TR-EISO**: Endpoint isolation
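
Review bot: The Verdict of MI-DNSL-7 ("No DNS queries are sent to DNS servers outside of the VPN connection") does not line up with its requirement text, which is about "non-authorized DNS servers", and its Evidence line omits the list of authorized DNS server IP addresses that the preceding mitigation's Evidence asks for, so an evaluator has no reference to compare the packet capture against. Suggest wording the verdict in the requirement's terms (no queries to non-authorized DNS servers on any captured interface while the tunnel is down) and adding the authorized server list to Evidence. "Exclusive DNS routing" in Preparation is not defined in the visible lines and needs a definition or a cross-reference. In MI-DNSL-8 the requirement says the client shall inform the user and that the information should be accessible in the client's interface, yet Activities and Evidence also accept accompanying documentation; decide whether documentation alone satisfies the requirement, and avoid mixing "shall" and "should" in one normative paragraph. In both mapping tables DNSL-8 is added to every row except "ADM < 1" and "UC-4"; if a disclosure requirement is meant to apply to every profile, those rows need it too, otherwise note the reason for the exception.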