From 387cf8fe423fe4fba1cbbd0285cd0846cfe9aa3a Mon Sep 17 00:00:00 2001 From: bvanlieu Date: Tue, 23 Jan 2024 15:01:55 -0500 Subject: [PATCH] First completed draft --- docs/class5/class5.rst | 2 +- docs/class6/class6.rst | 2 +- docs/class6/configuration.rst | 161 ++++++++++++++++++++++++++++++++-- docs/credits.rst | 2 + 4 files changed, 160 insertions(+), 7 deletions(-) diff --git a/docs/class5/class5.rst b/docs/class5/class5.rst index 01642bd..7d8fc87 100644 --- a/docs/class5/class5.rst +++ b/docs/class5/class5.rst @@ -1,5 +1,5 @@ Class 5 - DNS over HTTPS/DNS over TLS (Pre TMOS 16.1) -===================================== +===================================================== Introduction ~~~~~~~~~~~~ diff --git a/docs/class6/class6.rst b/docs/class6/class6.rst index 08c0873..30d29ce 100644 --- a/docs/class6/class6.rst +++ b/docs/class6/class6.rst @@ -1,5 +1,5 @@ Class 6 - Native DNS over HTTPS/DNS over TLS -===================================== +============================================ Introduction ~~~~~~~~~~~~ diff --git a/docs/class6/configuration.rst b/docs/class6/configuration.rst index 4102d22..53f130a 100644 --- a/docs/class6/configuration.rst +++ b/docs/class6/configuration.rst @@ -161,8 +161,8 @@ For this lab, we created these DoH Virtual Servers via the GTM/DNS listener proc .. note:: The following steps are NOT part of this lab exercise but are shared to help the student understand the process and steps required to create this virtual server object on the BIG-IP system. -Creating a DoH Virtaul Server (tmsh) ------------------------------------- +Creating a DoH Virtual Server (tmsh) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To create a DoH Server virtual server listener, the following example configuration is provided. In this example, we use a traditional udp/tcp 53 dns pool for this, as our VS will convert HTTP/2 to traditional DNS: :: 
@@ -172,8 +172,8 @@ To create a DoH Proxy virtual server listener – as mentioned in the note above tmsh create ltm virtual lab_doh_proxy ip-protocol tcp profiles add { dns doh-proxy http http2 httprouter tcp clientssl-secure serverssl-secure } source-address-translation { type automap } destination 10.1.10.6:443 pool doh_dns.google -Creating a DoH Virtaul Server (Web UI) ------------------------------------- +Creating a DoH Virtual Server (Web UI) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ You can create a virtual server on the BIG-IP system where clients send DoH HTTP/2 application requests. Due to the extremely specific nature of the DoH virtual servers, some fields and configurations are required and will generate an error if not applied correctly. 
@@ -198,4 +198,155 @@ You can create a virtual server on the BIG-IP system where clients send DoH HTTP #. In the **HTTP/2 Profile (Client)** menu, select an http2 profile from the available options. Our lab uses the defautl *http2* profile #. In the **HTTP/2 Profile (Server)** menu, make sure *None* is selected #. From the **Default Pool** list, select the pool that is configured for the application server. Our lab uses *traditional_dns.google* -#. Click **Finished** \ No newline at end of file +#. Click **Finished** + +Proxying DNS over HTTPS Queries to Traditional DNS +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Certificate Requirements for DoH/DoT Virtual Servers +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. note:: : DNS over HTTPS requires a valid server-side & client-side certificate. In our lab, we created a self-signed CA certificate and a self- signed certificate for the server. We loaded those certificates into your Firefox browser so that the browser will trust the BIG-IP DoH resolver. + +Mozilla Firefox, Chrome, and Edge all offer ways to configure DNS over HTTPS. As of today, Safari does not offer support for DoH. Unfortunately for all of the browsers that support it, as of this document’s creation (January 2024), it is not possible to reverse engineer the implementation, which means that if it doesn't work, your browser won't load the page with ERR_NXDOMAIN (or equivalent). Firefox's and Chrome's developer tools do not show the DoH network exchange so if anything fails in the process (invalid server certificate on the DoH server, network error), end users won't be able to troubleshoot the problem. + +If for **ANY** reason the “DNS lookup” test (below) fails, first test that the local Firefox browser trusts our self-signed, preloaded certificate. Open a browser window to https://10.1.10.6/ and “proceed” with the validation steps, if required. 
When visiting the previous link, you should receive a “invalid request” response with “DoH requires header Accept:application/dns-message”) if the self-signed certificates are working/trusted. + +.. image:: _images/browser-certificate-error-mozilla.png + :width: 7.5in + :height: 4.6875in + +In a real-world scenario, you would need a certificate signed by a well-known certificate authority and loaded into the BIG-IP and attached to the client-ssl profile in use for DoH/DoT listeners. Most DoH clients, including Firefox & Chrome, will not trust a DoH server if the certificate is not signed by a known certificate authority. + +Test Driving DNS over HTTPS to Traditional DNS +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Now, let’s generate some traffic and see the translations in real-time. + +**Firefox Configuration** + +For this test, we’re going to use Firefox as our DoH client. Open a new tab or click the second tab in Firefox to view the about:config page. On the top of that page, you’ll see a search box. Enter *trr* and press enter to see the DoH (trusted recursive resolver) configuration. + +.. image:: _images/firefox-trr-about-config.png + :width: 7.5in + :height: 4.6875in + +We’ve pre-configured a few things for you. First, we set **network.trr.uri** to our custom virtual server URL (https://10.1.10.6/dns-query). We have also enabled **network.trr.useGET** as it’s a bit faster than using POST, but you’re welcome to test using POST as well. We set **network.trr.mode** to **3**, which means we want Firefox to only use DoH. This will not be a typical configuration as Firefox defaults to traditional DNS when a DoH request fails. That explains the differing timeout values just below that setting. The **network.dns.skipTRR-when-parental-control-enabled** disables Firefox’s feature that disables DoH when parental control via DNS is sensed on the network. 
+ + +**Firefox Network Utilties** + +Clicking on or opening a third tab in Firefox will open the networking tools page within the browser (*about:networking*). This is a terrific way to see if DoH (TRR in Mozilla-speak) is working. Click on **DNS Lookup** to bring up the DNS query tool. + +.. image:: _images/about-networking-dns-screen-results.png + :width: 7.5in + :height: 4.6875in + +DoH in Action +^^^^^^^^^^^^^ + +Open a new tab and browse to a website. Return to the third tab and click Refresh to see the updated DNS cache table. + +.. image:: _images/about-networking-contd-browsing.png + :width: 7.5in + :height: 4.6875in + +BIG-IP Statistics and Logging +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Back in the first tab on the F5 web UI, navigate to **Statistics -> Module Statistics -> Local Traffic**. Make sure that *V*irtual Servers* is selected in the *Statistics Type* drop-down. Observe the traffic statistics on the DoH-to-DNS virtual server. + +.. image:: _images/big-ip-statistics-reporting-doh.png + :width: 7.5in + :height: 4.6875in + +Capturing DNS over HTTPS Queries to Traditional DNS Traffic +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Finally, minimize *Firefox* to reveal the CLI shortcuts on the desktop: + +.. image:: _images/windows-desktop-bigipdnsproxy.png + :width: 7.5in + :height: 4.6875in + +First open the BIG-IP DNS Proxy link to bring up the BIG-IP’s CLI. Once running, then let’s start a capture that will show us both sides of the DoH proxy: :: + + tcpdump -nni 0.0 '(host 10.1.1.4 and host 10.1.10.100 and port 443) or (host 8.8.4.4 or host 8.8.8.8 and port 53)' + +Once running, maximize *Firefox* and perform another DNS lookup. View the HTTPS and DNS traffic in the packet capture output. The output below shows my queries to various websites. + +.. image:: _images/tcpdump-doh-testing.png + :width: 7.5in + :height: 4.6875in + +Stop your capture before moving to the next section. This concludes the DoH-to-DNS proxy part of the lab. 
+ + +Proxying DNS over TLS Queries to Traditional DNS +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +DoT-to-DNS is a bit more simplistic. We’re simply taking the existing DNS request and encapsulating it in TLS. No iRule magic needed here; just classic BIG-IP high-performance SSL offloading. + +**The client-SSL profile on this virtual server specifies that SSL/TLS termination should occur on the client side of the connection.** + +Virtual Server Configuration +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Maximize *Firefox*. Click on the first tab to return to the BIG-IP web UI. Navigate to **Local Traffic -> Virtual Servers**. If you review the virtual server configuration, you’ll notice that we’re simply using a client-SSL profile and a backend pool. The client-SSL profile uses a self-signed certificate in this lab, you’ll need a certificate from a certificate authority that your clients’ browsers trust in a production deployment. + +.. image:: _images/dot-to-dns-vip-configuration.png + :width: 7.5in + :height: 4.6875in + + +Test Driving DNS over TLS to Traditional DNS +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Minimize Firefox to view the desktop shortcuts and launch the Lab “Attack Host” Server session. You’ll be automatically logged in. Let’s run a DNS over TLS query: :: + kdig +tls @10.1.10.6 www.f5.com + +You should see a response similar to the output below. Run a few more queries against other domains to generate statistics. + +.. image:: _images/DoT-to-DNS-KDIG-command.png + :width: 7.5in + :height: 4.6875in + +Viewing Statistics for DoT-to-DNS +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +You can then see statistics on the virtual server by navigating to **Statistics -> Module Statistics -> Local Traffic** and selecting *Virtual Servers* in the drop-down list. + +.. 
image:: _images/DoT-to-DNS-vs-statistics.png + :width: 7.5in + :height: 4.6875in + + +Because this virtual server takes advantage of backend pools, you will see statistics under the *Pools* statistics type as well. + +.. image:: _images/DoT-to-DNS-pool-statistics.png + :width: 7.5in + :height: 4.6875in + +Because we don’t have any type of logging configured for that virtual server, you won’t see any information in **System -> Logs** for this traffic. If you’d want to log in your environment, general LTM F5 logging/statistics practices can be used. + +Minimize Firefox and return to the BIG-IP DNS Proxy session from the first section of this lab or open a new session by clicking on the BIG-IP DNS Proxy icon on the desktop. Execute the follow tcpdump command: :: + tcpdump -nni 0.0 port 53 or port 853 + +Pull the Lab DNS Server session window up and re-run the **kdig** command. Observe the front and back-end connections using port 853 and 53, respectively, shown in the packet capture output. + +.. image:: _images/DoT-to-DNS-tcpdump.png + :width: 7.5in + :height: 4.6875in + +Stop your capture before moving on to the next section. This concludes the DoT-to-DNS part of the lab. + +Additional Resources +~~~~~~~~~~~~~~~~~~~~ + +The following resources will allow you to explore DoH and DoT more, and setup this functionality in your own environment. + +- RFC8484: DNS over HTTPS: https://tools.ietf.org/html/rfc8484 +- RFC7858: DNS over TLS: https://tools.ietf.org/html/rfc7858 +- F5 TMSH reference for DoH-PROXY listener: https://clouddocs.f5.com/cli/tmsh-reference/latest/modules/gtm/gtm_listener-doh-proxy.html +- F5 TMSH reference for DoH-SERVER profile: https://clouddocs.f5.com/cli/tmsh-reference/latest/modules/ltm/ltm_profile_doh-server.html +- F5 Knowledge base article K05451012: Overview of the BIG-IP DNS Queries over HTTPS feature: https://my.f5.com/manage/s/article/K05451012 diff --git a/docs/credits.rst b/docs/credits.rst index f31b07b..f070ac4 100644 
--- a/docs/credits.rst +++ b/docs/credits.rst @@ -10,6 +10,8 @@ Credits Chris Meredith + Kyle Twenty + Brian Van Lieu
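Review bot: in the `@@ -161,8 +161,8 @@` and `@@ -172,8 +172,8 @@` hunks of docs/class6/configuration.rst, swapping the underline from `----` to `~~~~` under the two "Creating a DoH Virtual Server" headings changes their heading level, not just their look, because docutils assigns levels by the order in which adornment characters first appear in a file. The `~` level does match the new "Proxying DNS over HTTPS Queries to Traditional DNS" and "Proxying DNS over TLS Queries to Traditional DNS" sections added further down, so the new sections are consistent with each other, but the earlier part of configuration.rst (not in this diff) should be checked so no heading that used to sit under a `-` section is silently promoted. The Virtaul to Virtual fix is fine.

Review bot: in the `@@ -198,4 +198,155 @@` hunk of docs/class6/configuration.rst, two of the new literal blocks will not render: "Let’s run a DNS over TLS query: ::" is followed directly by the indented `kdig +tls @10.1.10.6 www.f5.com` line, and "Execute the follow tcpdump command: ::" is followed directly by `tcpdump -nni 0.0 port 53 or port 853`, with no blank line between the paragraph and the command, which reStructuredText requires; the first tcpdump block in the DoH section has the blank line and is the pattern to copy. Smaller markup defects in the same hunk: `.. note:: : DNS over HTTPS requires` has a stray colon that will appear as text, "self- signed" has a stray space, and `*V*irtual Servers*` is broken emphasis (should be `*Virtual Servers*`); the unchanged context line "the defautl *http2* profile" also carries a typo worth fixing while here. On the capture filter `'(host 10.1.1.4 and host 10.1.10.100 and port 443) or (host 8.8.4.4 or host 8.8.8.8 and port 53)'`: BPF `and` binds tighter than `or`, so the second group parses as `host 8.8.4.4 or (host 8.8.8.8 and port 53)` and captures all traffic to or from 8.8.4.4 on any port; `((host 8.8.4.4 or host 8.8.8.8) and port 53)` expresses the intent. Also confirm the first group's addresses (10.1.1.4 and 10.1.10.100) against the lab topology, since the DoH listener created earlier in this file is 10.1.10.6:443 and the certificate check points the student at https://10.1.10.6/; if those do not match, students will see an empty capture. Wording: "it is not possible to reverse engineer the implementation" is unclear and appears to mean that the browsers expose no diagnostics for a failed DoH exchange; say that directly. The DoT test section tells the student to launch the "Attack Host" Server session for the first `kdig`, then later to "Pull the Lab DNS Server session window up and re-run the kdig command"; the two names should agree. Minor grammar: "Execute the follow tcpdump command" should read "following", and "If you’d want to log in your environment" should read "If you want logging in your environment".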