Forum Discussion

Juergen_Mang's avatar
Dec 02, 2024

F5 as DNS over TLS Proxy

Hello Folks,

I dug into the F5 proxy capability for DNS over TLS and stumbled upon a problem.

Flow is:

  1. Client -> Virtual Server DNS Plain (udp/53) -> DNS Server DNS over TLS (DTLS) (udp/853)
  2. Client -> Virtual Server DNS Plain (tcp/53) -> DNS Server DNS over TLS (TLS) (tcp/853)

While the second one with TCP works without problems, the first one with UDP does not work. I am now unsure if DNS over TLS should work with UDP via DTLS. Has anyone implemented this functionality? I could not find any documentation, only an F5 lab that mentioned this configuration for TCP (https://clouddocs.f5.com/training/community/dns/html/class5/module3/module3.html).

 

Configuration is simple as:

ltm virtual vs_dns_to_dot_udp {
    destination 10.12.24.56:domain
    ip-protocol udp
    mask 255.255.255.255
    pool dot-pool
    profiles {
        serverssl-dns {
            context serverside
        }
        udp { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
ltm virtual vs_dns_to_dot_tcp {
    destination 10.12.24.56:domain
    ip-protocol tcp
    mask 255.255.255.255
    pool dot-pool
    profiles {
        serverssl-dns {
            context serverside
        }
        tcp { }
    }
    serverssl-use-sni disabled
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

 

I can see outgoing UDP packets, but no answer. I tested with Google and Quad9 public DNS Servers. Both are providing DoT services.

  • Hi Juergen,

     

    Can you try this documentation:

    https://clouddocs.f5.com/training/community/dns/html/class5/module2/module2.html

    DNS > Class 5 - DNS over HTTPS/DNS over TLS (Pre TMOS 16.1)

    Proxying DNS over TLS Queries to Traditional DNS

    DoT-to-DNS is a bit more simplistic. We’re simply taking the existing DNS request and encapsulating it in TLS. No iRule magic needed here; just classic BIG-IP high-performance SSL offloading.

    The client-SSL profile on this virtual server specifies that SSL/TLS termination should occur on the client side of the connection.

    DNS > Class 6 - Native DNS over HTTPS/DNS over TLS

    Kindly rate and mark it as solution if it helps resolve your issue.

    HTH

    Best regards

    F5 Design Engineer

    MVP

  • Thanks for your reply. I have already read this documentation, but I see no hints how to configure DNS (UDP) -> DNS over DTLS (UDP). DNS (TCP) -> DNS over TLS (TCP) works.

    It seems DNS over TLS is defined by RFC 7858 and DNS over DTLS by RFC 8094.

    I am unsure if DNS over DTLS is supported by F5 or any public resolver. If this is not supported, another attempt would be to translate DNS (UDP) to DNS over TLS (TCP), but I have no idea how it can be done in a simple way with F5.
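As an added illustration, not part of this thread and not F5 code: the one wire-format change a DNS (UDP) to DNS over TLS (TCP) translation must make. RFC 7858 reuses the RFC 1035 TCP framing, where every message on the stream carries a two-octet length prefix, while a UDP datagram carries exactly one unframed message; the sample query below is constructed here for the demonstration.

```python
import struct

# RFC 7858 (DNS over TLS) reuses the TCP framing of RFC 1035 section 4.2.2:
# each message on the stream is preceded by a two-octet, network-order length.
# Plain DNS over UDP has no such prefix (one message per datagram), so a
# UDP -> DoT proxy adds the prefix towards the resolver and strips it on the
# way back, re-assembling messages that arrive split across TLS records.

def frame_for_stream(udp_msg: bytes) -> bytes:
    """Wrap one UDP DNS message for sending over a TCP/TLS (DoT) connection."""
    if len(udp_msg) > 0xFFFF:
        raise ValueError("DNS message too large for the 16-bit length prefix")
    return struct.pack("!H", len(udp_msg)) + udp_msg

def unframe_stream(buf: bytes) -> tuple[list[bytes], bytes]:
    """Split bytes read from a DoT stream into complete DNS messages.

    Returns (messages, remainder). The remainder is a partial message that
    needs more stream data before it can be relayed as a UDP datagram.
    """
    msgs = []
    while len(buf) >= 2:
        (length,) = struct.unpack("!H", buf[:2])
        if len(buf) < 2 + length:
            break                      # wait for the rest of this message
        msgs.append(buf[2:2 + length])
        buf = buf[2 + length:]
    return msgs, buf

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a minimal recursive A query as a client sends over UDP."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)             # QTYPE=A, QCLASS=IN
```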