DNS cases
What is DoT?
DNS over TLS (DoT) is a network security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers using the Transport Layer Security (TLS) protocol. The goal of this method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data through man-in-the-middle attacks. The well-known port number for DoT is 853.
Where to find the DoT Case in the GUI?
Go to Performance Testing>Protocol>DNS>TCP.
How does DoT case work?
Currently, the application server is only supported in the DUT role. The DoT case only simulates the DNS client that sends the DNS queries.
The Bind9 SDNS server and FDN SDNS server can be used as the DNS server side for the DoT case.
Key configurations
Mode (DoT CPS/RPS)
If you select Simuser (CPS/RPS/CC), FortiTester simulates users processing through an actions list, one at a time. It allows you to determine the maximum number of concurrent users your device, infrastructure, or system can handle.
If you select Connections/second (CPS/RPS), FortiTester simulates TCP connections, each of them containing up to hundreds of transactions. It is useful to test how many concurrent connections can be handled by your device.
Enable DNS Outstanding Query (DoT RPS)
The Enable DNS Outstanding Query toggle button allows multiple DNS queries to be sent in parallel. By default, this option is disabled, and one DNS query is sent at a time; FortiTester waits for the DNS answer before sending the next DNS query.
If you enable Enable DNS Outstanding Query, you need to enter the DNS Query Parallel Count value so that this number of DNS queries can be sent in parallel.
Pcap shows that 10 DNS queries are sent together in parallel, FortiTester waits for the response, then the next group of 10 DNS queries are sent to the server.
Maximum Concurrent Connections (DoT CC)
This field determines the maximum number of concurrent TCP connections supported through or with the DUT/SUT. This test is intended to find the maximum number of entries the DUT/SUT can store in its connection table.
Think Time (DoT CC)
Think Time is the delay between client DNS queries (the unit is seconds).
Pcap shows that the time between two DNS queries is about 5 seconds, as configured in a transaction.
Domain Policy and Domain (DoT CPS/RPS/CC)
FortiTester queries the domains in the specified list. Only the “List” type and the “A” record are supported currently. You can configure the expected domain name.