DNS over HTTPS (DoH) is a protocol for securing DNS communication by sending DNS queries and receiving DNS responses over HTTPS. For details, refer to RFC 8484 (https://tools.ietf.org/html/rfc8484).
This article shows how you can deploy DNS over HTTPS (DoH) on a Thunder device with automatic certificate enrollment and renewal from the Let’s Encrypt CA using the ACME protocol.
Note: In this article, we obtain the certificate from the Let’s Encrypt CA using the ACME protocol; however, the Thunder device also supports obtaining the certificate from other well-known CAs, such as Sectigo, using External Account Binding (EAB) credentials.
Setup
Logically, the setup looks as follows:
The client browser will be configured with the DoH URI https://doh.a10tests.com/dns-query, and the domain name doh.a10tests.com will resolve to the VIP address on the Thunder device.
Prerequisite
Provision a domain name and create a DNS A record for the hostname that the client browser will use in the DoH URI.
In this example, it is doh.a10tests.com.
Initial configuration of Thunder device
Here we have a Thunder CFW running ACOS 5.2.1-p5.
The current Thunder device configuration is as follows:
ip dns primary 8.8.8.8
!
ip dns secondary 9.9.9.9
!
timezone America/Los_Angeles
!
ntp server time.google.com
!
glm use-mgmt-port
glm enable-requests
glm allocate-bandwidth 1000
!
interface management
ip address dhcp
!
interface ethernet 1
enable
ip address 10.111.96.164 255.255.255.192
!
!
ip route 0.0.0.0 /0 10.111.96.129
!
sflow setting local-collection
!
sflow collector ip 127.0.0.1 6343
!
!
cloud-services meta-data
enable
provider openstack
!
end
Verify that the Thunder device has internet access via the data interface (e.g. ethernet 1), and not just the management interface. This matters because when we start the ACME certificate enrollment process, the Thunder device will reach the Let’s Encrypt server through the data interface:
vThunder# ping www.google.com
PING www.google.com (142.250.72.132) 56(84) bytes of data.
64 bytes from lax17s49-in-f4.1e100.net (142.250.72.132): icmp_seq=1 ttl=59 time=23.6 ms
64 bytes from lax17s49-in-f4.1e100.net (142.250.72.132): icmp_seq=2 ttl=59 time=18.0 ms
64 bytes from lax17s49-in-f4.1e100.net (142.250.72.132): icmp_seq=3 ttl=59 time=17.0 ms
Thunder device configuration
Configure ACME profile and SLB VIP
Configure an ACME certificate profile and virtual server with vport 80 on the Thunder device:
pki acme-cert doh-le
domain doh.a10tests.com
san-domain doh.a10tests.com
force
log-level 2
cert-type rsa
account-email <email-id>
!
slb server apache 10.111.96.190
port 80 tcp
health-check-disable
!
slb service-group SG-HTTP tcp
health-check-disable
member apache 80
!
!
slb virtual-server VIP1 use-if-ip ethernet 1
port 80 http
source-nat auto
service-group SG-HTTP
reply-acme-challenge
Under vport 80, we configure the command “reply-acme-challenge” so that the Thunder device itself answers the HTTP-01 challenge that the Let’s Encrypt ACME server sends when we start the enrollment process.
Here we have configured vport 80 with service-group SG-HTTP consisting of one server, 10.111.96.190. This server has not been provisioned; it is a dummy web server defined only so that the service-group can be created. To ensure that vport 80 is up even though no real server is behind it, we have disabled health checks at both the server and service-group levels as shown above.
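To make clear what “reply-acme-challenge” has to do on vport 80, here is an added example (not code from the article or from A10) that models the HTTP-01 challenge of RFC 8555 section 8.3: the key authorization is the challenge token joined with a dot to the RFC 7638 thumbprint of the ACME account key, and the CA fetches it over plain HTTP at /.well-known/acme-challenge/<token>. The account key and token below are constructed placeholders, and the responder class and its method names are this example’s own.

```python
"""Model of the ACME HTTP-01 challenge (RFC 8555 section 8.3), added example.

Shows why port 80 must be reachable from the Internet during enrollment, what the
response body must contain, and why a responder should answer only the challenge
path (everything else on the otherwise dummy vport gets 404).
"""
import base64
import hashlib
import json
import re

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555: the token is base64url text; anything else is rejected outright.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout ACME and JWK."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: only the required members, lexicographically ordered,
    no whitespace, hashed with SHA-256 and base64url-encoded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class AcmeChallengeResponder:
    """Hypothetical responder standing in for what reply-acme-challenge does."""

    def __init__(self, account_jwk: dict):
        self.account_jwk = account_jwk
        self.pending = {}  # token -> key authorization, only while a challenge is outstanding

    def add_challenge(self, token: str) -> str:
        if not TOKEN_RE.match(token):
            raise ValueError("malformed challenge token")
        self.pending[token] = key_authorization(token, self.account_jwk)
        return self.pending[token]

    def remove_challenge(self, token: str) -> None:
        """Tokens are single-use: drop them once the CA has validated."""
        self.pending.pop(token, None)

    def handle(self, method: str, path: str) -> tuple:
        """Return (status, content_type, body) for a plain-HTTP request on port 80."""
        path = path.split("?", 1)[0]  # ignore any query string
        if method != "GET" or not path.startswith(CHALLENGE_PREFIX):
            return 404, "text/plain", "not found"
        token = path[len(CHALLENGE_PREFIX):]
        body = self.pending.get(token) if TOKEN_RE.match(token) else None
        if body is None:
            return 404, "text/plain", "not found"
        # RFC 8555 section 8.3: the body is the key authorization; the media type
        # SHOULD be application/octet-stream.
        return 200, "application/octet-stream", body


# Constructed placeholder account key, not a real key and not a real modulus.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "n": b64url(bytes(range(1, 65))),
    "e": "AQAB",
    "alg": "RS256",          # extra members must not change the thumbprint
    "kid": "<account-url>",
}
SAMPLE_TOKEN = "constructedToken_0123456789abcdefghijklmnopqrstuv"  # constructed, RFC 8555 format


if __name__ == "__main__":
    responder = AcmeChallengeResponder(SAMPLE_ACCOUNT_JWK)
    responder.add_challenge(SAMPLE_TOKEN)
    # What the CA's validator would see when it fetches the challenge URL:
    print(responder.handle("GET", CHALLENGE_PREFIX + SAMPLE_TOKEN))
    # And what anything else hitting the dummy vport sees:
    print(responder.handle("GET", "/"))
```

The point for the deployment above: the ACME validator connects over unencrypted HTTP to the public address the A record resolves to, so vport 80 on the VIP must be reachable from the Internet at enrollment and renewal time, but it only ever needs to serve this one path with this one body.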
Verify the virtual service is up:
vThunder#sh slb virtual-server
Total Number of Virtual Services configured: 1
Virtual Server Name   IP              Current     Total       Request   Response   Peak
  Service-Group       Service         connection  connection  packets   packets    connection
----------------------------------------------------------------------------------------
*VIP1                 10.111.96.164   All Up
  port 80  http                       0           1           4         0          0
  SG-HTTP  80/http                    0           0           3         0          0
Total received conn attempts on this port: 1
Start the certificate enrollment process
To follow the enrollment progress, open a separate terminal window to the Thunder device and run the command “show pki acme-cert log <acme-profile-name> follow”.
Example:
vThunder#sh pki acme-cert log doh-le follow
Now start the enrollment process by running the command “enroll” under the ACME profile:
vThunder#conf t
vThunder(config)#pki acme-cert doh-le
vThunder(config-acme cert:doh-le)#enroll
Check the enrollment status using:
vThunder(config-acme cert:doh-le)#sh pki acme-cert status
Certificate name: doh-le status: SUCCESS
Last enrollment/renewal: SUCCESS
Rotated files: 1
To view the list of certificates available on the Thunder device:
vThunder#sh pki cert
Name     Type              Expiration                 Status
-----------------------------------------------------------------------
doh-le   certificate/key   Apr  6 00:57:16 2023 GMT   [Unexpired, Unbound]
DoH configuration on the Thunder device
Once the certificate has been provisioned, configure DoH on the Thunder device using this certificate and the corresponding private key:
slb server RS1 10.111.96.166
port 53 tcp
port 53 udp
!
slb server RS2 10.111.96.181
port 53 tcp
port 53 udp
!
slb service-group SG-DNS-TCP tcp
member RS1 53
member RS2 53
!
slb service-group SG-DNS-UDP udp
member RS1 53
member RS2 53
!
slb template client-ssl doh-cssl
certificate doh-le key doh-le
!
slb template doh doh-template
forwarder
forwarding-ipv4 10.111.96.164 internal
!
slb virtual-server VIP1 use-if-ip ethernet 1
port 53 dns-tcp
source-nat auto
service-group SG-DNS-TCP
port 53 dns-udp
source-nat auto
service-group SG-DNS-UDP
port 80 http
source-nat auto
service-group SG-HTTP
reply-acme-challenge
port 443 https
template doh doh-template
template client-ssl doh-cssl
Optional configuration
You can additionally configure the following features:
- Enable integrated DDoS protection
- Secure HTTP port 80 by applying security policies
- Apply a DNS template to:
  - Enable DNS caching
  - Filter malformed DNS packets
  - Filter DNS ANY type queries
ip anomaly-drop bad-content 24
ip anomaly-drop drop-all
ip anomaly-drop out-of-sequence 24
ip anomaly-drop zero-window 24
!
icmp-rate-limit 2000
!
slb common
dns-cache-enable
!
slb template dns dns-template
default-policy cache
malformed-query drop
query-type-filter deny
query-type ANY
!
slb template virtual-port acme
drop-unknown-conn
reset-unknown-conn
!
slb virtual-server VIP1 use-if-ip ethernet 1
port 53 dns-tcp
source-nat auto
service-group SG-DNS-TCP
template dns dns-template
port 53 dns-udp
source-nat auto
service-group SG-DNS-UDP
template dns dns-template
port 80 http
attack-detection
source-nat auto
service-group SG-HTTP
template virtual-port acme
reply-acme-challenge
port 443 https
template doh doh-template
template client-ssl doh-cssl
Note that these are only some of the options that are available on the Thunder device, and for more details, refer to the ACOS documentation.
Client browser configuration
Configure the client browser to use this DoH service.
For example, in the Firefox browser, open Settings and search for “doh”:
Then configure your custom DoH URI as shown below.
Here we configure the URI:
https://doh.a10tests.com/dns-query
where doh.a10tests.com is the domain name for which the certificate was provisioned.
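To show exactly what the browser sends to that URI and what comes back, here is an added example (not code from the article or from A10) of a minimal RFC 8484 DoH client using only the Python standard library. It builds the wire-format query, encodes it as the base64url “dns” parameter for GET (or as the body for POST), and parses the application/dns-message answer, including compression pointers with a hop limit so a malformed response cannot loop the parser. The live resolve() function needs network access and a trusted certificate chain; the sample response is constructed inline so the rest runs offline. The function names are this example’s own.

```python
"""Minimal RFC 8484 DoH client, added example (standard library only)."""
import base64
import struct
import urllib.request

DOH_URL = "https://doh.a10tests.com/dns-query"   # URI configured in the browser above
DNS_MEDIA_TYPE = "application/dns-message"       # RFC 8484 section 6
QTYPE_A = 1
MAX_POINTER_HOPS = 16   # defensive bound against compression-pointer loops in responses


def encode_name(name: str) -> bytes:
    """Encode a domain name as RFC 1035 labels, enforcing label and name limits."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > 255:
        raise ValueError("name too long")
    return out


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """One-question query. ID is 0 and only RD is set, as RFC 8484 section 4.1
    recommends for GET so identical queries yield identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def encode_dns_param(msg: bytes) -> str:
    """base64url without padding (RFC 8484 section 4.1)."""
    return base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")


def decode_dns_param(param: str) -> bytes:
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_get_request(name: str, qtype: int = QTYPE_A, url: str = DOH_URL) -> urllib.request.Request:
    query = encode_dns_param(build_query(name, qtype))
    return urllib.request.Request(f"{url}?dns={query}", headers={"Accept": DNS_MEDIA_TYPE}, method="GET")


def doh_post_request(name: str, qtype: int = QTYPE_A, url: str = DOH_URL) -> urllib.request.Request:
    return urllib.request.Request(url, data=build_query(name, qtype), method="POST",
                                  headers={"Accept": DNS_MEDIA_TYPE, "Content-Type": DNS_MEDIA_TYPE})


def read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, hops, end = [], 0, None
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # RFC 1035 section 4.1.4 pointer
            hops += 1
            if hops > MAX_POINTER_HOPS or off + 1 >= len(msg):
                raise ValueError("compression pointer loop or truncation")
            if end is None:
                end = off + 2                          # the record continues after the first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections; A records become dotted quads."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        data = ".".join(str(b) for b in rdata) if rtype == QTYPE_A and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": qid, "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def sample_response(name: str, address: str, ttl: int = 300) -> bytes:
    """Constructed sample answer (not captured traffic): one A record whose owner
    name is a compression pointer back to the question at offset 12."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, 1)
    rdata = bytes(int(o) for o in address.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, ttl, len(rdata))
    return header + question + answer + rdata


def resolve(name: str, url: str = DOH_URL, timeout: float = 5.0) -> dict:
    """Live lookup against the DoH VIP (network and trusted certificate chain required)."""
    with urllib.request.urlopen(doh_get_request(name, url=url), timeout=timeout) as resp:
        if resp.headers.get("Content-Type", "").split(";")[0].strip() != DNS_MEDIA_TYPE:
            raise ValueError("unexpected content type")
        return parse_response(resp.read())


if __name__ == "__main__":
    req = doh_get_request("www.example.com")
    print(req.get_method(), req.full_url)
    print(parse_response(sample_response("www.a10networks.com", "192.0.2.10")))
```

The GET form is what a browser uses for cacheable lookups; the POST form carries the same bytes in the body. Either way the DNS message itself is unchanged, so the Thunder device’s DoH template can hand the decoded query to the internal dns-udp vport exactly as it would a plain UDP query, which is what the “forwarding-ipv4 10.111.96.164 internal” line above sets up.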
Verification
Now open a website, e.g. www.a10networks.com, in the client browser. This will trigger DNS resolution through the DoH service:
You can verify this with a packet capture on the Thunder device:
vThunder#debug l4
vThunder#debug packet
vThunder#debug monitor
Wait for debug output, enter <ctrl c> to exit
@4603002919 i( 1, 0)> ip 192.67.159.26 > 10.111.96.164 tcp 28180 > 443 PA 9251af32:f4bba19a(390)
@4603002919 o( 0, 1)> ip 192.67.159.26 > 10.111.96.164 udp 28180 > 53 len 136 qry id 256
@4603002919 i( 0, 0)> ip 192.67.159.26 > 10.111.96.164 udp 28180 > 53 len 136 qry id 256
@4603002920 o( 1, 0)> ip 10.111.96.164 > 10.111.96.181 udp 24830 > 53 len 136 qry id 256
To view the statistics for the virtual-server:
vThunder#sh slb virtual-server VIP1
Virtual server: VIP1                 State: Functional Up   IP: 10.111.96.164
    Port                 Curr-conn   Total-conn   Rev-Pkt   Fwd-Pkt   Peak-con
Virtual Port:53  / service:SG-DNS-TCP / state:All Up
    port 53  dns-tcp      0           0            0         0         0
Virtual Port:53  / service:SG-DNS-UDP / state:All Up
    port 53  dns-udp      1           84           22        260       0
Virtual Port:80  / service:SG-HTTP / state:All Up
    port 80  http         0           0            0         0         0
Virtual Port:443 / service: / state:Functional Up
    port 443 https        6           0            186       331       0
Total Traffic                 7           84           208       591       0
vThunder#