[T&C] DNS over HTTPS (DoH) and DNS services on the same VIP
DNS over HTTPS (DoH) is a protocol for securing DNS communication by sending DNS queries and getting DNS responses over HTTPS. In DoH, each DNS query-response pair is mapped into an HTTP exchange. For details, refer to RFC 8484 (https://tools.ietf.org/html/rfc8484).
Thunder CFW enables you to provide DoH service to end-users without having to upgrade the DNS infrastructure itself. Additionally, starting from ACOS 5.2.0, you can run DoH and DNS services on the same VIP, and internally ACOS will chain DoH + DNS services.
Here is a sample setup. We configure 100.64.1.250 as a VIP for both the DoH service (port 443) and the DNS service (port 53) as follows:
slb virtual-server DOH-VIP 100.64.1.250
  port 53 dns-udp
    service-group SG-DNS
    template dns dns1
  port 443 https
    service-group SG-HTTP
    template doh chain
    template client-ssl ssl1
Under port 443 of the VIP, we apply a DoH template named “chain”. This template is configured with a forwarder that sends the decrypted DNS queries back to the VIP 100.64.1.250 internally, which is where the DNS service on port 53 picks them up:
slb template doh chain
  non-dns-request allow
  source-nat disable
  forwarder forwarding-ipv4 100.64.1.250 internal
Under port 53, we can then apply a DNS template, such as the one shown here:
slb template dns dns1
  malformed-query drop
!
slb virtual-server DOH-VIP 100.64.1.250
  port 53 dns-udp
    service-group SG-DNS
    template dns dns1
If we enable packet capture on the Thunder device, we can see that it receives DoH traffic destined to the VIP 100.64.1.250 on port 443. The Thunder CFW decrypts this traffic, extracts the DNS message from the HTTP exchange, and forwards it as a regular UDP DNS query to the same VIP on port 53.
The DNS service on this VIP processes the query according to the DNS template “dns1” and then sends it to one of the DNS servers in the service group configured under port 53 of the VIP.
@5159806984 o( 1, 0)> ip 100.64.1.250 > 100.64.1.1 tcp 443 > 53543 A fba1b44:f47003f(0)
@5159806984 o( 0, 1)> ip 100.64.1.1 > 100.64.1.250 udp 53543 > 53 len 67 qry id 256
@5159806984 i( 0, 0)> ip 100.64.1.1 > 100.64.1.250 udp 53543 > 53 len 67 qry id 256
@5159806984 i( 0, 0,3e65a0)> DNS request retransmit
@5159806984 o( 2, 0)> ip 100.64.1.1 > 100.64.100.10 udp 53543 > 53 len 67 qry id 256
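To make the DoH-to-DNS conversion in the capture above concrete, here is an added example (not A10 code, and not an implementation of ACOS internals) that builds a DNS wire-format query with transaction ID 256, wraps it in the two RFC 8484 HTTP forms (GET with a base64url "dns" parameter, and POST with an application/dns-message body), and then extracts the plain DNS message again, returning None for an ordinary HTTP request, which is the case the “non-dns-request allow” setting deals with. The "/dns-query" path and the VIP as Host header are assumptions for illustration.

```python
import base64
import struct
from typing import Optional

def build_dns_query(qname: str, qtype: int = 1, txid: int = 256) -> bytes:
    """Minimal RFC 1035 wire-format query: one question, RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                      for lbl in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_request(host: str, query: bytes) -> bytes:
    """RFC 8484 GET form: unpadded base64url message in the 'dns' parameter."""
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode()
    return (f"GET /dns-query?dns={param} HTTP/1.1\r\nHost: {host}\r\n"
            f"Accept: application/dns-message\r\n\r\n").encode()

def doh_post_request(host: str, query: bytes) -> bytes:
    """RFC 8484 POST form: the raw DNS message is the HTTP body."""
    return (f"POST /dns-query HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/dns-message\r\n"
            f"Content-Length: {len(query)}\r\n\r\n").encode() + query

def extract_dns_message(request: bytes) -> Optional[bytes]:
    """Recover the DNS message from a decrypted DoH request (the step before
    the query is forwarded as plain DNS). Returns None when the HTTP request
    carries no DNS message, i.e. a 'non-dns-request'."""
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, v in
               (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
    if method == "GET" and "dns=" in target:
        param = target.split("dns=", 1)[1].split("&", 1)[0]
        return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    if method == "POST" and headers.get("content-type") == "application/dns-message":
        return body[: int(headers.get("content-length", len(body)))]
    return None

def dns_txid(message: bytes) -> int:
    """Transaction ID from the first two header bytes (the 'qry id' in captures)."""
    return struct.unpack("!H", message[:2])[0]
```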
Here is the complete configuration for reference:
interface ethernet 1
  enable
  ip address 100.64.1.253 255.255.255.0
!
interface ethernet 2
  enable
  ip address 100.64.100.253 255.255.255.0
!
!
ip route 0.0.0.0 /0 100.64.100.254
!
slb server RS10 100.64.100.10
  port 53 udp
  port 80 tcp
!
slb server RS11 100.64.100.11
  port 53 udp
  port 80 tcp
!
slb service-group SG-DNS udp
  member RS10 53
  member RS11 53
!
slb service-group SG-HTTP tcp
  member RS10 80
  member RS11 80
!
slb template client-ssl ssl1
  cert mycert
  key mykey
!
slb template dns dns1
  malformed-query drop
!
slb template doh chain
  non-dns-request allow
  source-nat disable
  forwarder forwarding-ipv4 100.64.1.250 internal
!
slb virtual-server DOH-VIP 100.64.1.250
  port 53 dns-udp
    service-group SG-DNS
    template dns dns1
  port 443 https
    service-group SG-HTTP
    template doh chain
    template client-ssl ssl1
!
sflow setting
  local-collection
!
sflow collector ip 127.0.0.1 6343
!
!
end
Note: Port 80 is opened on the two servers so that the default health check for the service group SG-HTTP passes. Alternatively, you can configure an ICMP health monitor on the service port or the service group.
Want to watch a demo of DoH? Go to https://transcend.a10networks.com/