F5 as DNS over TLS Proxy
Hello Folks,
I dug into the F5 proxy capability for DNS over TLS and stumbled upon a problem.
Flow is:
- Client -> Virtual Server DNS Plain (udp/53) -> DNS Server DNS over TLS (DTLS) (udp/853)
- Client -> Virtual Server DNS Plain (tcp/53) -> DNS Server DNS over TLS (TLS) (tcp/853)
While the second one with TCP works without problems, the first one with the UDP protocol does not work. I am now unsure if DNS over TLS should work with UDP via DTLS. Has anyone implemented this functionality? I could not find any documentation, only an F5 lab that mentioned this configuration for TCP (https://clouddocs.f5.com/training/community/dns/html/class5/module3/module3.html).
Configuration is as simple as:
ltm virtual vs_dns_to_dot_udp {
    destination 10.12.24.56:domain
    ip-protocol udp
    mask 255.255.255.255
    pool dot-pool
    profiles {
        serverssl-dns {
            context serverside
        }
        udp { }
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
ltm virtual vs_dns_to_dot_tcp {
    destination 10.12.24.56:domain
    ip-protocol tcp
    mask 255.255.255.255
    pool dot-pool
    profiles {
        serverssl-dns {
            context serverside
        }
        tcp { }
    }
    serverssl-use-sni disabled
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
I can see outgoing UDP packets, but no answer. I tested with Google and Quad9 public DNS Servers. Both are providing DoT services.
Thanks for your reply. I have already read this documentation, but I see no hints how to configure DNS (UDP) -> DNS over DTLS (UDP). DNS (TCP) -> DNS over TLS (TCP) works.
It seems DNS over TLS is defined by RFC 7858 and DNS over DTLS by RFC 8094.
I am unsure if DNS over DTLS is supported by F5 or any public resolver. If this is not supported, another attempt would be to translate DNS (UDP) to DNS over TLS (TCP), but I have no idea how it can be done in a simple way with F5.
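Added example (not part of this thread, and not F5 code): a minimal UDP-to-DoT forwarder in Python showing what the "DNS (UDP) -> DNS over TLS (TCP)" translation actually has to do. The protocol difference is the crux of the original problem: RFC 7858 DoT is TLS over TCP/853 and uses the 2-byte length prefix from RFC 1035 section 4.2.2, while plain UDP DNS carries no prefix; RFC 8094 (DNS over DTLS on UDP/853) is an Experimental RFC that this example deliberately does not speak. The listener address 127.0.0.1:5353 and the resolver hostname dns.google are assumptions for the demo (the thread only says Google and Quad9 offer DoT); the framing helpers run offline, the network part needs a reachable DoT resolver.

```python
"""
UDP DNS -> DNS over TLS (TCP/853) forwarder, added as an illustration.
Not F5 configuration and not code from the original thread.

Protocol facts encoded here:
  * RFC 7858 (DoT): DNS over TLS on TCP/853, each message prefixed with a
    2-byte big-endian length (RFC 1035 sec. 4.2.2 TCP framing).
  * Plain UDP DNS has no length prefix, so a translator must add it on the
    way out and strip it on the way back.
  * RFC 8094 (DNS over DTLS, UDP/853) is a separate Experimental spec and is
    intentionally NOT used; queries are relayed over TCP/TLS only.
"""
import socket
import ssl
import struct
import threading
from typing import Optional, Tuple

# ---- framing helpers (pure functions, usable offline) ----

def frame_tcp(msg: bytes) -> bytes:
    """Prefix a DNS message with its 2-byte length for TCP/TLS transport."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too long for TCP framing")
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(buf: bytes) -> Tuple[Optional[bytes], bytes]:
    """Return (message, remaining) when buf holds a complete length-prefixed
    message, otherwise (None, buf). Tolerates partial reads from a stream."""
    if len(buf) < 2:
        return None, buf
    (length,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + length:
        return None, buf
    return buf[2:2 + length], buf[2 + length:]


def ids_match(query: bytes, reply: bytes) -> bool:
    """Sanity check: the DNS transaction ID (first 2 bytes) must match."""
    return len(query) >= 2 and len(reply) >= 2 and query[:2] == reply[:2]


def recv_framed(sock) -> bytes:
    """Read exactly one length-prefixed DNS message from a stream socket
    (anything with a recv(n) method), however the bytes are chunked."""
    buf = b""
    while True:
        msg, buf = unframe_tcp(buf)
        if msg is not None:
            return msg
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("DoT server closed the connection early")
        buf += chunk


# ---- network part (needs a reachable DoT resolver) ----

def forward_over_dot(query: bytes, server: str, port: int = 853,
                     ctx: Optional[ssl.SSLContext] = None) -> bytes:
    """Relay one unframed DNS query to a DoT resolver and return the unframed
    answer. Certificate and hostname verification stay enabled by default."""
    ctx = ctx or ssl.create_default_context()
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame_tcp(query))
            reply = recv_framed(tls)
    if not ids_match(query, reply):
        raise ValueError("DoT reply transaction ID does not match the query")
    return reply


def serve_udp(listen: Tuple[str, int], dot_server: str) -> None:
    """Accept plain UDP DNS datagrams and answer each via DoT over TCP."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(listen)
    while True:
        query, peer = udp.recvfrom(4096)

        def handle(q=query, p=peer):
            try:
                udp.sendto(forward_over_dot(q, dot_server), p)
            except (OSError, ssl.SSLError, ValueError) as exc:
                # Drop the datagram; the client will retry or time out.
                print(f"relay to {dot_server} failed for {p}: {exc}")

        threading.Thread(target=handle, daemon=True).start()


if __name__ == "__main__":
    # Assumed demo values: unprivileged loopback port, Google's public DoT host.
    serve_udp(("127.0.0.1", 5353), "dns.google")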
Hi Juergen,
Can you try this documentation:
https://clouddocs.f5.com/training/community/dns/html/class5/module2/module2.html
DNS > Class 5 - DNS over HTTPS/DNS over TLS (Pre TMOS 16.1)
Proxying DNS over TLS Queries to Traditional DNS
DoT-to-DNS is a bit more simplistic. We’re simply taking the existing DNS request and encapsulating it in TLS. No iRule magic needed here; just classic BIG-IP high-performance SSL offloading.
The client-SSL profile on this virtual server specifies that SSL/TLS termination should occur on the client side of the connection.
DNS > Class 6 - Native DNS over HTTPS/DNS over TLS
Kindly rate and mark it as the solution if it helps resolve your issue.
HTH
Best regards
F5 Design Engineer
MVP