[T&C] DNS over HTTPS (DoH) with certificate from Let's Encrypt
DNS over HTTPS (DoH) is a protocol for securing DNS communication by sending DNS queries and getting DNS responses over HTTPS. For details, refer to RFC 8484 (https://tools.ietf.org/html/rfc8484).
This article shows how to deploy DNS over HTTPS (DoH) on a Thunder device with automatic certificate enrollment and renewal from the Let's Encrypt CA using the ACME protocol.
Note: In this article, we obtain the certificate from the Let's Encrypt CA using the ACME protocol; however, the Thunder device also supports obtaining the certificate from other well-known CAs, such as Sectigo, using EAB (External Account Binding) credentials.
Setup
Logically, the setup looks as follows:
The client browser will be configured with the DoH URI https://doh.a10tests.com/dns-query, and the domain name doh.a10tests.com will resolve to the VIP address on the Thunder device.
Prerequisite
Provision a domain name and create a public DNS A record for the hostname that will appear in the DoH URI used by the client browser. The record must point at the VIP address on the Thunder device, because the Let's Encrypt validator resolves this name when it checks the HTTP-01 challenge.
In this example, the hostname is doh.a10tests.com.
Initial configuration of Thunder device
Here we have a Thunder CFW running ACOS 5.2.1-p5.
The current Thunder device configuration is as follows:
ip dns primary 8.8.8.8
!
ip dns secondary 9.9.9.9
!
timezone America/Los_Angeles
!
ntp server time.google.com
!
glm use-mgmt-port
glm enable-requests
glm allocate-bandwidth 1000
!
interface management
  ip address dhcp
!
interface ethernet 1
  enable
  ip address 10.111.96.164 255.255.255.192
!
!
ip route 0.0.0.0 /0 10.111.96.129
!
sflow setting local-collection
!
sflow collector ip 127.0.0.1 6343
!
!
cloud-services meta-data
  enable
  provider openstack
!
end
Verify that the Thunder device has internet access via the data interface (here ethernet 1, with the default route via 10.111.96.129), and not just via the management interface. When the ACME certificate enrollment process starts, the Thunder device contacts the Let's Encrypt server from the data interface, and the Let's Encrypt validator in turn must be able to reach the VIP address on TCP port 80 from the internet:
vThunder# ping www.google.com
PING www.google.com (142.250.72.132) 56(84) bytes of data.
64 bytes from lax17s49-in-f4.1e100.net (142.250.72.132): icmp_seq=1 ttl=59 time=23.6 ms
64 bytes from lax17s49-in-f4.1e100.net (142.250.72.132): icmp_seq=2 ttl=59 time=18.0 ms
64 bytes from lax17s49-in-f4.1e100.net (142.250.72.132): icmp_seq=3 ttl=59 time=17.0 ms
Thunder device configuration
Configure ACME profile and SLB VIP
Configure an ACME certificate profile and a virtual server with a vport 80 on the Thunder device:
pki acme-cert doh-le
  domain doh.a10tests.com
  san-domain doh.a10tests.com
  force
  log-level 2
  cert-type rsa
  account-email <email-id>
!
slb server apache 10.111.96.190
  port 80 tcp
    health-check-disable
!
slb service-group SG-HTTP tcp
  health-check-disable
  member apache 80
!
!
slb virtual-server VIP1 use-if-ip ethernet 1
  port 80 http
    source-nat auto
    service-group SG-HTTP
    reply-acme-challenge
Under vport 80, the command "reply-acme-challenge" makes the Thunder device itself answer the HTTP-01 challenge request that the Let's Encrypt ACME server sends to http://doh.a10tests.com/.well-known/acme-challenge/<token> when the enrollment process starts.
Vport 80 is bound to service-group SG-HTTP, which contains a single server, 10.111.96.190. This server has not been provisioned; it is a dummy entry defined only so that the service-group exists. To ensure that the vport 80 service stays up without a real backend, health checks are disabled at both the server and the service-group level, as shown above. Note that vport 80 is reachable from the internet and any non-ACME request to it is forwarded to this non-existent backend; the optional configuration later in this article shows how to harden it.
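As an added illustration, not ACOS code and not part of the original article, the following Python shows what the HTTP-01 exchange behind "reply-acme-challenge" consists of: the CA fetches the challenge URL over plain HTTP on port 80 and expects the body to be the key authorization, i.e. <token>.<JWK thumbprint of the ACME account key> (RFC 8555 section 8.3, RFC 7638). The account key values and the token are constructed placeholders, and the check_http01 helper name is this example's own.

```python
"""HTTP-01 key authorization as the CA computes and validates it (RFC 8555 s8.3, RFC 7638).

Added example, not ACOS code: the Thunder device performs this internally when
"reply-acme-challenge" is set on vport 80; this shows what that reply must contain.
"""
import base64
import hashlib
import json
import urllib.request


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as used throughout JOSE/ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 s3: only the required public members, keys in lexicographic
    order, no whitespace. Extra members (kid, alg, use, ...) are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JWK, base64url-encoded (43 characters)."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the CA expects at /.well-known/acme-challenge/<token>."""
    return token + "." + jwk_thumbprint(account_jwk)


def challenge_url(domain: str, token: str) -> str:
    # Always plain http:// on port 80: the CA follows redirects, but the initial
    # request is what vport 80 must answer (hence the port-80 VIP in the article).
    return "http://%s/.well-known/acme-challenge/%s" % (domain, token)


def validate_body(body: str, token: str, account_jwk: dict) -> bool:
    """CA-side check. Trailing whitespace in the body is tolerated (RFC 8555 s8.3)."""
    return body.rstrip() == key_authorization(token, account_jwk)


def check_http01(domain: str, token: str, account_jwk: dict, timeout: float = 10) -> bool:
    """Fetch the challenge URL the way a CA validator would and verify the body.
    Network helper (hypothetical name) for a live check; not used by demo()."""
    with urllib.request.urlopen(challenge_url(domain, token), timeout=timeout) as resp:
        return validate_body(resp.read().decode("ascii", "replace"), token, account_jwk)


# Constructed sample account key (NOT a real key) and token for an offline run.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "constructed-modulus-value-not-a-real-RSA-key",
    "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/0",  # ignored by the thumbprint
}
SAMPLE_TOKEN = "constructedTokenValue"


def demo() -> dict:
    """Offline walk-through returning the values a validator would compare."""
    body = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    return {
        "url": challenge_url("doh.a10tests.com", SAMPLE_TOKEN),
        "body": body,
        "valid": validate_body(body + "\n", SAMPLE_TOKEN, SAMPLE_JWK),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The thumbprint depends only on the public members of the account key, so a validator can verify the challenge body without knowing which client answered it; that is why a dummy backend behind vport 80 is sufficient as long as the Thunder device itself answers the challenge path.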
Verify the virtual service is up:
vThunder#sh slb virtual-server
Total Number of Virtual Services configured: 1
Virtual Server Name   IP             Current     Total       Request   Response   Peak
Service-Group         Service        connection  connection  packets   packets    connection
----------------------------------------------------------------------------------------
*VIP1                 10.111.96.164  All Up
   port 80   http                    0           1           4         0          0
   SG-HTTP   80/http                 0           0           3         0          0
   Total received conn attempts on this port: 1
Start the certificate enrollment process
To follow the enrollment progress, open a separate terminal window to the Thunder device and run the command show pki acme-cert log <acme-profile-name> follow
Example:
vThunder#sh pki acme-cert log doh-le follow
Now start the enrollment process by running the command "enroll" under the ACME profile:
vThunder#conf t
vThunder(config)#pki acme-cert doh-le
vThunder(config-acme cert:doh-le)#enroll
Check the enrollment status using:
vThunder(config-acme cert:doh-le)#sh pki acme-cert status
Certificate name: doh-le
status: SUCCESS
Last enrollment/renewal: SUCCESS
Rotated files: 1
To view the list of certificates available on the Thunder device:
vThunder#sh pki cert
Name      Type              Expiration                 Status
-----------------------------------------------------------------------
doh-le    certificate/key   Apr  6 00:57:16 2023 GMT   [Unexpired, Unbound]
DoH configuration on the Thunder device
Once the certificate has been provisioned, configure DoH on the Thunder device using this certificate and its private key (both stored under the name doh-le). The vport 443 terminates TLS with the client-ssl template and decodes the DoH requests; the DoH template's forwarder sends the extracted DNS queries to 10.111.96.164, i.e. back to the same VIP's dns-udp/dns-tcp port 53 services, which load-balance them to the backend resolvers RS1 and RS2:
slb server RS1 10.111.96.166
  port 53 tcp
  port 53 udp
!
slb server RS2 10.111.96.181
  port 53 tcp
  port 53 udp
!
slb service-group SG-DNS-TCP tcp
  member RS1 53
  member RS2 53
!
slb service-group SG-DNS-UDP udp
  member RS1 53
  member RS2 53
!
slb template client-ssl doh-cssl
  certificate doh-le
  key doh-le
!
slb template doh doh-template
  forwarder forwarding-ipv4 10.111.96.164 internal
!
slb virtual-server VIP1 use-if-ip ethernet 1
  port 53 dns-tcp
    source-nat auto
    service-group SG-DNS-TCP
  port 53 dns-udp
    source-nat auto
    service-group SG-DNS-UDP
  port 80 http
    source-nat auto
    service-group SG-HTTP
    reply-acme-challenge
  port 443 https
    template doh doh-template
    template client-ssl doh-cssl
Optional configuration
You can additionally configure the following features:
Enable integrated DDoS protection (IP anomaly drops, ICMP rate limiting, attack detection on the vport)
Secure HTTP port 80 by applying a virtual-port template that drops or resets unknown connections, so the ACME vport only serves the challenge
Apply a DNS template to the port 53 vports to:
- Enable DNS caching
- Filter malformed DNS packets
- Filter DNS queries of type ANY
ip anomaly-drop bad-content 24
ip anomaly-drop drop-all
ip anomaly-drop out-of-sequence 24
ip anomaly-drop zero-window 24
!
icmp-rate-limit 2000
!
slb common
  dns-cache-enable
!
slb template dns dns-template
  default-policy cache
  malformed-query drop
  query-type-filter deny
  query-type ANY
!
slb template virtual-port acme
  drop-unknown-conn
  reset-unknown-conn
!
slb virtual-server VIP1 use-if-ip ethernet 1
  port 53 dns-tcp
    source-nat auto
    service-group SG-DNS-TCP
    template dns dns-template
  port 53 dns-udp
    source-nat auto
    service-group SG-DNS-UDP
    template dns dns-template
  port 80 http
    attack-detection
    source-nat auto
    service-group SG-HTTP
    template virtual-port acme
    reply-acme-challenge
  port 443 https
    template doh doh-template
    template client-ssl doh-cssl
Note that these are only some of the options that are available on the Thunder device, and for more details, refer to the ACOS documentation.
Client browser configuration
Configure the client browser to use this DoH service.
For example, in the Firefox browser, open Settings and search for "doh".
Then select a custom DoH provider and enter the URI:
https://doh.a10tests.com/dns-query
where doh.a10tests.com is the domain name for which the certificate was provisioned. The hostname must match the certificate, otherwise the browser rejects the TLS connection and falls back to its normal resolver.
Verification
Now open a website, e.g. www.a10networks.com, in the client browser. This triggers DNS resolution over the DoH service.
You can verify this with a packet capture on the Thunder device. The trace below shows the client's TLS connection to port 443, the decoded query being forwarded internally to the VIP's own port 53, and the query then going out to the backend resolver 10.111.96.181:
vThunder#debug l4
vThunder#debug packet
vThunder#debug monitor
Wait for debug output, enter <ctrl c> to exit
@4603002919 i( 1, 0)> ip 192.67.159.26 > 10.111.96.164 tcp 28180 > 443 PA 9251af32:f4bba19a(390)
@4603002919 o( 0, 1)> ip 192.67.159.26 > 10.111.96.164 udp 28180 > 53 len 136 qry id 256
@4603002919 i( 0, 0)> ip 192.67.159.26 > 10.111.96.164 udp 28180 > 53 len 136 qry id 256
@4603002920 o( 1, 0)> ip 10.111.96.164 > 10.111.96.181 udp 24830 > 53 len 136 qry id 256
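The DoH VIP can also be verified from the client side without a browser. The following Python is an added example (not A10 code and not part of the original article): a minimal RFC 8484 client that encodes a wire-format DNS query, sends it as POST or GET to https://doh.a10tests.com/dns-query, and decodes the answer. It also lets you send a query of type ANY to confirm that the optional DNS template's query-type filter refuses it. The embedded sample response is constructed for an offline run; DOH_URL is the URI from the article, and resolve, doh_post and doh_get_url are this example's own names.

```python
"""Minimal RFC 8484 DoH client with a wire-format DNS encoder/decoder (stdlib only).

Added example, not A10 code: it verifies the DoH VIP from any client without a
browser, e.g. resolve("www.a10networks.com").
"""
import base64
import ipaddress
import struct
import urllib.request

DOH_URL = "https://doh.a10tests.com/dns-query"   # the URI provisioned in the article
QTYPES = {"A": 1, "AAAA": 28, "ANY": 255}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qtype: str = "A", txid: int = 0) -> bytes:
    """One-question DNS query (RFC 1035). RFC 8484 s4.1 recommends ID 0 so that
    GET requests for the same name are cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)  # class IN


def doh_get_url(query: bytes, base_url: str = DOH_URL) -> str:
    """GET form: ?dns=<base64url(query)> with '=' padding removed (RFC 8484 s4.1)."""
    return base_url + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")


def doh_post(query: bytes, url: str = DOH_URL, timeout: float = 5) -> bytes:
    """POST form. Network call; raises if the server does not answer with a DNS message."""
    req = urllib.request.Request(
        url, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError("unexpected Content-Type: %r" % ctype)
        return resp.read()


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer (RFC 1035 s4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes, expected_txid: int = 0) -> dict:
    """Parse the header, skip the question section, decode A/AAAA answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:
            value = str(ipaddress.IPv6Address(rdata))
        else:
            value = rdata.hex()                 # other types left as raw RDATA
        answers.append((name, rtype, ttl, value))
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": answers}


def resolve(name: str, qtype: str = "A", url: str = DOH_URL) -> dict:
    """Round trip against the DoH VIP (network). qtype="ANY" lets you confirm that
    the optional query-type filter refuses such queries."""
    return parse_response(doh_post(build_query(name, qtype), url))


# Constructed sample answer (no network): the reply a resolver would give for
# www.a10networks.com -> 203.0.113.10 (documentation address), TTL 300, with a
# compression pointer (0xC00C) back to the question name.
_q = build_query("www.a10networks.com", "A")
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + _q[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 10])
)


if __name__ == "__main__":
    print(doh_get_url(_q))
    print(parse_response(SAMPLE_RESPONSE))
    print(resolve("www.a10networks.com"))  # live check against the VIP
```

If the TLS handshake fails here but the browser worked, check that the Let's Encrypt certificate has been rotated into the client-ssl template after a renewal; if the POST returns a non-DoH content type, the vport 443 is serving something other than the DoH template.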
To view the statistics for the virtual-server:
vThunder#sh slb virtual-server VIP1
Virtual server: VIP1    State: Functional Up    IP: 10.111.96.164
Port                  Curr-conn  Total-conn  Rev-Pkt  Fwd-Pkt  Peak-con
-------------------------------------------------------------------------------
Virtual Port:53 / service:SG-DNS-TCP / state:All Up
port 53  dns-tcp      0          0           0        0        0
Virtual Port:53 / service:SG-DNS-UDP / state:All Up
port 53  dns-udp      1          84          22       260      0
Virtual Port:80 / service:SG-HTTP / state:All Up
port 80  http         0          0           0        0        0
Virtual Port:443 / service: / state:Functional Up
port 443 https        6          0           186      331      0
Total Traffic         7          84          208      591      0
vThunder#