[T&C] DNS over HTTPS (DoH) and DNS services on the same VIP

siddharthaasiddharthaa Member, Administrator admin
edited August 2023 in Tips

DNS over HTTPS (DoH) is a protocol for securing DNS communication by sending DNS queries and getting DNS responses over HTTPS. In DoH, each DNS query-response pair is mapped into an HTTP exchange. For details, refer to RFC 8484 (https://tools.ietf.org/html/rfc8484).


Thunder CFW enables you to provide DoH service to end-users without having to upgrade the DNS infrastructure itself. Additionally, starting from ACOS 5.2.0, you can run DoH and DNS services on the same VIP, and internally ACOS will chain DoH + DNS services.

Here is a sample setup:



Here we configure 100.64.1.250 as a VIP for both DoH and DNS services as follows:

slb virtual-server DOH-VIP 100.64.1.250 
 port 53 dns-udp 
   service-group SG-DNS 
   template dns dns1 
 port 443 https 
   service-group SG-HTTP 
   template doh chain 
   template client-ssl ssl1   


Under port 443 of the VIP, we apply a DoH template named “chain”. This DoH template is configured with the command to forward the DNS traffic to the VIP 100.64.1.250:

slb template doh chain 
 non-dns-request allow 
 source-nat disable 
 forwarder 
   forwarding-ipv4 100.64.1.250 internal 


Under port 53, we can then apply a DNS template, such as the one shown here:

slb template dns dns1 
 malformed-query drop 
!
slb virtual-server DOH-VIP 100.64.1.250 
 port 53 dns-udp 
   service-group SG-DNS 
   template dns dns1  


If we enable packet capture on the Thunder device, we can see that it receives DoH traffic destined to the VIP 100.64.1.250. The Thunder CFW decrypts this traffic, converts it to regular DNS format, and forwards it to the VIP 100.64.1.250.

The DNS service on this VIP processes the traffic as per the DNS template “dns1” and then sends it to the DNS servers configured under port 53 of the VIP.

@5159806984 o( 1,  0)> ip 100.64.1.250 > 100.64.1.1 tcp 443 > 53543 A fba1b44:f47003f(0) 
@5159806984 o( 0,  1)> ip 100.64.1.1 > 100.64.1.250 udp 53543 > 53 len 67 qry id 256 
@5159806984 i( 0,  0)> ip 100.64.1.1 > 100.64.1.250 udp 53543 > 53 len 67 qry id 256 
@5159806984 i( 0,  0,3e65a0)> DNS request retransmit 
@5159806984 o( 2,  0)> ip 100.64.1.1 > 100.64.100.10 udp 53543 > 53 len 67 qry id 256 


Here is the complete configuration for reference:

interface ethernet 1 
 enable 
 ip address 100.64.1.253 255.255.255.0 
!
interface ethernet 2 
 enable 
 ip address 100.64.100.253 255.255.255.0 
!
!
ip route 0.0.0.0 /0 100.64.100.254 
!
slb server RS10 100.64.100.10 
 port 53 udp 
 port 80 tcp 
!
slb server RS11 100.64.100.11 
 port 53 udp 
 port 80 tcp 
!
slb service-group SG-DNS udp 
 member RS10 53 
 member RS11 53 
!
slb service-group SG-HTTP tcp 
 member RS10 80 
 member RS11 80 
!
slb template client-ssl ssl1 
 cert mycert 
 key mykey 
!
slb template dns dns1 
 malformed-query drop 
!
slb template doh chain 
 non-dns-request allow 
 source-nat disable 
 forwarder 
   forwarding-ipv4 100.64.1.250 internal 
!
slb virtual-server DOH-VIP 100.64.1.250 
 port 53 dns-udp 
   service-group SG-DNS 
   template dns dns1 
 port 443 https 
   service-group SG-HTTP 
   template doh chain 
   template client-ssl ssl1 
!
sflow setting local-collection 
!
sflow collector ip 127.0.0.1 6343 
!
!
end

Note: Port 80 is open on the two servers to enable the health check to pass for the service-group SG-HTTP. Alternatively, you can configure an ICMP health-monitor for the service port or service group.


Want to watch a demo of DoH? Go to https://transcend.a10networks.com/

Tagged:
Sign In or Register to comment.