Thunder CFW enables you to provide DNS over HTTPS (DoH) service to end-users without having to upgrade the DNS infrastructure itself.
Here is a sample setup:
The client browser (Firefox in this case) is configured with a custom DoH URI whose hostname resolves to a VIP on the Thunder CFW.
The Thunder CFW configuration is as follows:
interface ethernet 1
  enable
  ip address 100.64.1.253 255.255.255.0
!
interface ethernet 2
  enable
  ip address 100.64.100.253 255.255.255.0
!
interface ethernet 3
  enable
  ip address 192.168.1.253 255.255.255.0
!
!
ip route 0.0.0.0 /0 192.168.1.1
!
slb server RS10 100.64.100.10
  port 53 udp
  port 80 tcp
!
slb server RS11 100.64.100.11
  port 53 udp
  port 80 tcp
!
slb service-group SG-DNS udp
  member RS10 53
  member RS11 53
!
slb service-group SG-HTTP tcp
  member RS10 80
  member RS11 80
!
slb template client-ssl doh.a10test.com
  cert doh
  key doh
!
slb template client-ssl a10tests.com
  cert a10tests.com
  key a10tests.com
!
slb template doh doh
  forwarder
    udp-service-group SG-DNS
!
slb virtual-server VIP1 100.64.1.250
  port 53 dns-udp
    service-group SG-DNS
  port 80 http
    service-group SG-HTTP
  port 443 https
    service-group SG-HTTP
    template doh doh
    template client-ssl a10tests.com
!
sflow setting local-collection
!
sflow collector ip 127.0.0.1 6343
!
!
end
Note: Port 80 is open on the two back-end servers so that the default health check for service-group SG-HTTP passes. Alternatively, you can configure an ICMP health monitor on the service port or on the service group.
For DoH, you apply a DoH template under port 443 of the VIP, as shown above. The Thunder terminates the HTTPS session, extracts the DNS message carried in the HTTP request and forwards it as plain UDP to the service group named in the template, so the existing DNS servers need no DoH support of their own.
By default, the Thunder source-NATs the DNS queries it forwards, so the client IP is not preserved in the traffic sent to the back-end DNS servers. A packet capture taken on the DNS server shows this: the source IP is that of the Thunder device, not the original client IP.
To preserve the original client IP, disable source NAT under the DoH template with the source-nat disable command. Because the back-end servers then answer to the client's address rather than the Thunder's, their replies must be routed back through the Thunder (in this topology, via its ethernet 2 address 100.64.100.253) rather than directly toward the client. The modified template:
slb template doh doh
  source-nat disable
  forwarder
    udp-service-group SG-DNS
A packet capture on the DNS server with the modified DoH template applied shows the difference: the original client IP (here, 100.64.1.1) is now preserved as the source of the DNS query sent to the back-end DNS server.