Our good friends at Mullvad asked us to publish the report for a pentest we recently conducted on their DNS over HTTPS servers.
The audit focused on configuration with regard to privacy, attack surface reduction and security best practices. The server deployment and configuration displayed a good level of security in general.
At the time of the audit, the exposed services were running at a good patch level, with no known vulnerabilities.
The most notable findings during the audit were related to a misconfiguration of the DNS service (Unbound), the NTP service and the iptables egress/ingress configuration. These issues were promptly resolved by the Mullvad team and verified during the audit period.