Unbreaking the Internet and Converting Protocols
Piotr,
Great observations!
A. Unbreaking the Internet:
Re: do I use 1.1.1.1/32 on loopback on the server?
Yes. Not mentioned in the article: I also use DSR on the BIG-IP to reduce one hop of traffic.
Traffic flow:
client -> home router -> BIG-IP -> server -> client
Re: cheating
I am COMPLETELY cheating. In my home setup, once I changed my home router to point to the BIG-IP, there's no way for the BIG-IP to connect back out (it creates a routing loop). My only option was to point to 1.0.0.1. In an environment where the BIG-IP had a direct interface to the Internet, you could route directly to 1.1.1.1.
Traffic flow:
Client -> Internal Switch -> BIG-IP Internal Interface -> BIG-IP External Interface -> Internet
B. DNS over TLS
Re: How does UDP become TCP
The trick is that when you have a DNS profile that references a cache, you are turning the BIG-IP into another DNS client (it initiates a completely new connection). So the flow is:
Client DNS Request (UDP request) -> [BIG-IP DNS] DNS_vs ->
BIG-IP Cache DNS Request (TCP request) -> [BIG-IP DNS] dns_over_tls ->
BIG-IP dns_over_tls (TCP/TLS request) -> [DNS over TLS (TCP port 853)]
C. DNS over HTTPS
This is a bit convoluted; I did use the same IP address/port, which adds to the confusion.
Your description is spot-on. There is a separate virtual server from the previous example. This is a case where you have:
192.168.1.254:53 TCP -> DNS over TLS (just performing TLS upgrade)
192.168.1.254:53 UDP -> DNS over HTTPS (performing conversion from UDP to HTTPS requests)
Somewhat like how Google uses UDP 443 for QUIC vs. TCP 443 for HTTPS; I am re-using the same port for two DIFFERENT services.
I meant for the article to be a progression of challenges. You did very well!
Eric
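An added example (not from Eric's reply or from F5) showing the two conversions the thread discusses at the wire level: a UDP DNS query re-issued over TCP/TLS on port 853 gains a 2-byte length prefix (RFC 1035 / RFC 7858), and the same query re-issued as DNS over HTTPS becomes a POST carrying application/dns-message (RFC 8484). The query name, transaction ID and DoH host are constructed sample values.

```python
import struct

def build_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Constructed sample: a standard A query for `name` in DNS wire format (RD set)."""
    header = struct.pack(">HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def udp_to_tcp_frame(msg: bytes) -> bytes:
    """What the cache does when it re-sends over TCP (and TLS on 853):
    each message is prefixed with its 2-byte big-endian length."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for TCP framing")
    return struct.pack(">H", len(msg)) + msg

def tcp_stream_to_messages(stream: bytes) -> list:
    """Inverse direction: split a TCP/TLS byte stream back into the
    individual messages that are handed back to UDP clients."""
    msgs = []
    while stream:
        if len(stream) < 2:
            raise ValueError("truncated length prefix")
        n = struct.unpack(">H", stream[:2])[0]
        body, stream = stream[2:2 + n], stream[2 + n:]
        if len(body) != n:
            raise ValueError("truncated message")
        msgs.append(body)
    return msgs

def udp_to_doh_request(msg: bytes, host: str, path: str = "/dns-query") -> bytes:
    """UDP -> HTTPS conversion: the wire message becomes the body of an
    RFC 8484 POST. The transaction ID is zeroed as RFC 8484 recommends,
    so identical queries produce identical (cacheable) requests."""
    body = b"\x00\x00" + msg[2:]
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/dns-message\r\n"
            f"Accept: application/dns-message\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body
```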