[T&C] Using DNS over HTTPS (DoH) while preserving Client IP
Thunder CFW enables you to provide DNS over HTTPS (DoH) service to end-users without having to upgrade the DNS infrastructure itself.
Here is a sample setup:
The client browser (in this case Firefox browser) is configured with a custom DoH URI, which resolves to a VIP on the Thunder CFW:
The Thunder CFW configuration is as follows:
    interface ethernet 1
      enable
      ip address 100.64.1.253 255.255.255.0
    !
    interface ethernet 2
      enable
      ip address 100.64.100.253 255.255.255.0
    !
    interface ethernet 3
      enable
      ip address 192.168.1.253 255.255.255.0
    !
    !
    ip route 0.0.0.0 /0 192.168.1.1
    !
    slb server RS10 100.64.100.10
      port 53 udp
      port 80 tcp
    !
    slb server RS11 100.64.100.11
      port 53 udp
      port 80 tcp
    !
    slb service-group SG-DNS udp
      member RS10 53
      member RS11 53
    !
    slb service-group SG-HTTP tcp
      member RS10 80
      member RS11 80
    !
    slb template client-ssl doh.a10test.com
      cert doh
      key doh
    !
    slb template client-ssl a10tests.com
      cert a10tests.com
      key a10tests.com
    !
    slb template doh doh
      forwarder udp-service-group SG-DNS
    !
    slb virtual-server VIP1 100.64.1.250
      port 53 dns-udp
        service-group SG-DNS
      port 80 http
        service-group SG-HTTP
      port 443 https
        service-group SG-HTTP
        template doh doh
        template client-ssl a10tests.com
    !
    sflow setting local-collection
    !
    sflow collector ip 127.0.0.1 6343
    !
    !
    end
Note: Port 80 is open on the two servers to enable the health check to pass for the service-group SG-HTTP. Alternatively, you can configure an ICMP health-monitor for the service port or service group.
For DoH, you apply a DoH template under port 443 of a VIP as shown above.
By default, the client IP will not be preserved in the DNS traffic sent to the back-end DNS servers. For example, here is a screenshot of packet capture on the DNS server, and as one can see, the source IP is that of the Thunder device, not the original client IP.
So how can we preserve the original client IP?
This can be achieved using the following command under the DoH template:
    slb template doh doh
      source-nat disable
      forwarder udp-service-group SG-DNS
Here is a screenshot of packet capture on the DNS server with the modified DoH template applied:
Now the original client IP (e.g., 100.64.1.1) is preserved in the DNS packet sent to the back-end DNS server.
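To confirm on the DNS server side which of the two behaviours is in effect, the following added example (not part of the original article or of any A10 tooling) classifies the source addresses of queries in a text tcpdump capture taken on RS10/RS11; it assumes the addresses from the configuration above and uses constructed sample capture lines rather than the article's screenshots.

```python
import re
from collections import Counter

# Addresses owned by the Thunder in the configuration above (VIP and the
# server-side interface). Assumption: with source NAT active, one of these is
# what the DNS servers see as the query source.
THUNDER_ADDRESSES = {"100.64.1.250", "100.64.100.253"}
DNS_SERVERS = {"100.64.100.10", "100.64.100.11"}

# Matches a "tcpdump -n" line for a query to UDP/53: "<ts> IP <src>.<sport> > <dst>.53: ..."
TCPDUMP_QUERY = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
)


def query_sources(lines):
    """Count the source IP of every DNS query addressed to a back-end server."""
    sources = Counter()
    for line in lines:
        m = TCPDUMP_QUERY.match(line)
        if m and m.group("dst") in DNS_SERVERS:
            sources[m.group("src")] += 1
    return sources


def client_ip_preserved(lines):
    """True when no forwarded query carries a Thunder-owned address as its source."""
    sources = query_sources(lines)
    if not sources:
        raise ValueError("no DNS queries to the back-end servers found in capture")
    return not any(src in THUNDER_ADDRESSES for src in sources)


# Constructed sample captures: first with the default (source NAT) template,
# then with "source-nat disable" applied. Replies are present but ignored.
CAPTURE_SOURCE_NAT = """\
12:00:01.000001 IP 100.64.100.253.40001 > 100.64.100.10.53: 0+ A? www.example.com. (33)
12:00:01.000420 IP 100.64.100.10.53 > 100.64.100.253.40001: 0 1/0/0 A 203.0.113.10 (49)
12:00:02.000001 IP 100.64.100.253.40002 > 100.64.100.11.53: 0+ AAAA? www.example.com. (33)
""".splitlines()

CAPTURE_PRESERVED = """\
12:00:01.000001 IP 100.64.1.1.40001 > 100.64.100.10.53: 0+ A? www.example.com. (33)
12:00:01.000420 IP 100.64.100.10.53 > 100.64.1.1.40001: 0 1/0/0 A 203.0.113.10 (49)
12:00:02.000001 IP 100.64.1.7.40002 > 100.64.100.11.53: 0+ AAAA? www.example.com. (33)
""".splitlines()

if __name__ == "__main__":
    for name, cap in (("default template", CAPTURE_SOURCE_NAT), ("source-nat disable", CAPTURE_PRESERVED)):
        print(f"{name}: sources={dict(query_sources(cap))} preserved={client_ip_preserved(cap)}")
```

Once the client address is preserved, the DNS servers reply to that address rather than to the Thunder, so their route back to the client subnet (100.64.1.0/24 here) must pass through the Thunder's server-side interface for the UDP answer to reach the DoH session that is waiting for it.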