Mullvad DNS over HTTPS server audit

by Alexander Alasjö 2021-03-04

Our good friends at Mullvad asked us to publish the report for a pentest we recently conducted on their DNS over HTTPS servers.

You can find the report here: Assured_Mullvad_DoH_server_audit_report.pdf

Read more on the Mullvad blog: Mullvad DoH and DoT - beta release

The audit focused on configuration with regard to privacy, attack surface reduction and security best practices. The server deployment and configuration displayed a good level of security in general.

At the time of the audit, the exposed services were running at a good patch level, with no known vulnerabilities.

The most notable findings during the audit were related to a misconfiguration of the DNS service (Unbound), the NTP service and the iptables egress/ingress configuration. These issues were promptly resolved by the Mullvad team and verified during the audit period.