Mullvad DNS over HTTPS server audit
by Alexander Alasjö 2021-03-04
Our good friends at Mullvad asked us to publish the report for a pentest we recently conducted on their DNS over HTTPS servers.
You can find the report here: Assured_Mullvad_DoH_server_audit_report.pdf
Read more on the Mullvad blog: Mullvad DoH and DoT - beta release
The audit focused on configuration with regard to privacy, attack surface reduction and security best practices. The server deployment and configuration displayed a good level of security in general.
At the time of the audit, the exposed services were running at a good patch level, with no known vulnerabilities.
The most notable findings during the audit were related to a misconfiguration of the DNS service (Unbound), the NTP service and the iptables egress/ingress configuration. These issues were promptly resolved by the Mullvad team and verified during the audit period.