| author | 2019-07-05 11:51:34 +0800 | |
|---|---|---|
| committer | 2020-06-20 16:22:35 +0800 | |
| commit | 6a49d466d29529c0b15ae80fda6033130d0e65cc (patch) | |
| tree | 2fff00f9c05305b13b2d4d9602f705f0472b12d5 /tests | |
| parent | 788abd7c991d18117f4f3e918eddf79b7e6164d2 (diff) | |
Support DNS-over-TLS probes in NetworkDiagnostics
Probe DNS servers to see whether they support DNS-over-TLS. Use system
CAs to verify whether the certificates sent by DNS servers are
trusted. An error is thrown to make the probe fail if
DNS servers send untrusted certificates.
Unlike the DnsResolver which doesn't verify the certificates
in opportunistic mode, all of the DoT probes from NetworkDiagnostics
check certificates.
DoT probes apply to the DNS servers gotten from LinkProperties
and the DoT servers gotten from PrivateDnsConfig whatever private
DNS mode is.
A common example in DNS strict mode:
. DNS TLS dst{8.8.8.8} hostname{dns.google} src{192.168.43.2:48436} qtype{1} qname{815149-android-ds.metric.gstatic.com}: SUCCEEDED: 1/1 NOERROR (432ms)
F DNS TLS dst{192.168.43.144} hostname{}: FAILED: java.net.ConnectException: failed to connect to /192.168.43.144 (port 853) from /192.168.43.2 (port 41770) after 2500ms: isConnected failed: ECONNREFUSED (Connection refused) (172ms)
. DNS TLS dst{8.8.4.4} hostname{dns.google} src{192.168.43.2:37598} qtype{1} qname{759312-android-ds.metric.gstatic.com}: SUCCEEDED: 1/1 NOERROR (427ms)
An example when the CA is not trusted:
F DNS TLS dst{8.8.8.8} hostname{dns.google}: FAILED: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. (16ms)
An example when TCP/TLS handshake timeout:
F DNS TLS dst{8.8.8.8} hostname{dns.google}: FAILED: java.net.SocketTimeoutException: failed to connect to /8.8.8.8 (port 853) from /192.168.2.108 (port 45680) after 2500ms (2514ms)
Bug: 132925257
Bug: 118369977
Test: atest FrameworksNetTests
Change-Id: I1b54abed0e931ca4b8a97149459cde54da1c3d6f
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/net/java/com/android/server/connectivity/DnsManagerTest.java | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/tests/net/java/com/android/server/connectivity/DnsManagerTest.java b/tests/net/java/com/android/server/connectivity/DnsManagerTest.java
index 0a603b8e4b19..26a28da9755c 100644
--- a/tests/net/java/com/android/server/connectivity/DnsManagerTest.java
+++ b/tests/net/java/com/android/server/connectivity/DnsManagerTest.java
@@ -62,6 +62,8 @@ import androidx.test.runner.AndroidJUnit4;
 import com.android.internal.util.MessageUtils;
 import com.android.internal.util.test.FakeSettingsProvider;
+import libcore.net.InetAddressUtils;
+
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -379,4 +381,49 @@ public class DnsManagerTest {
 assertEquals(name, dnsTransTypes.get(i));
 }
 }
+
+ @Test
+ public void testGetPrivateDnsConfigForNetwork() throws Exception {
+ final Network network = new Network(TEST_NETID);
+ final InetAddress dnsAddr = InetAddressUtils.parseNumericAddress("3.3.3.3");
+ final InetAddress[] tlsAddrs = new InetAddress[]{
+ InetAddressUtils.parseNumericAddress("6.6.6.6"),
+ InetAddressUtils.parseNumericAddress("2001:db8:66:66::1")
+ };
+ final String tlsName = "strictmode.com";
+ LinkProperties lp = new LinkProperties();
+ lp.addDnsServer(dnsAddr);
+
+ // The PrivateDnsConfig map is empty, so the default PRIVATE_DNS_OFF is returned.
+ PrivateDnsConfig privateDnsCfg = mDnsManager.getPrivateDnsConfig(network);
+ assertFalse(privateDnsCfg.useTls);
+ assertEquals("", privateDnsCfg.hostname);
+ assertEquals(new InetAddress[0], privateDnsCfg.ips);
+
+ // An entry with default PrivateDnsConfig is added to the PrivateDnsConfig map.
+ mDnsManager.updatePrivateDns(network, mDnsManager.getPrivateDnsConfig());
+ mDnsManager.noteDnsServersForNetwork(TEST_NETID, lp);
+ mDnsManager.updatePrivateDnsValidation(
+ new DnsManager.PrivateDnsValidationUpdate(TEST_NETID, dnsAddr, "", true));
+ mDnsManager.updatePrivateDnsStatus(TEST_NETID, lp);
+ privateDnsCfg = mDnsManager.getPrivateDnsConfig(network);
+ assertTrue(privateDnsCfg.useTls);
+ assertEquals("", privateDnsCfg.hostname);
+ assertEquals(new InetAddress[0], privateDnsCfg.ips);
+
+ // The original entry is overwritten by a new PrivateDnsConfig.
+ mDnsManager.updatePrivateDns(network, new PrivateDnsConfig(tlsName, tlsAddrs));
+ mDnsManager.updatePrivateDnsStatus(TEST_NETID, lp);
+ privateDnsCfg = mDnsManager.getPrivateDnsConfig(network);
+ assertTrue(privateDnsCfg.useTls);
+ assertEquals(tlsName, privateDnsCfg.hostname);
+ assertEquals(tlsAddrs, privateDnsCfg.ips);
+
+ // The network is removed, so the PrivateDnsConfig map becomes empty again.
+ mDnsManager.removeNetwork(network);
+ privateDnsCfg = mDnsManager.getPrivateDnsConfig(network);
+ assertFalse(privateDnsCfg.useTls);
+ assertEquals("", privateDnsCfg.hostname);
+ assertEquals(new InetAddress[0], privateDnsCfg.ips);
+ }
 }
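Review bot: The array comparisons `assertEquals(new InetAddress[0], privateDnsCfg.ips)` (used three times in testGetPrivateDnsConfigForNetwork) and `assertEquals(tlsAddrs, privateDnsCfg.ips)` resolve to JUnit 4's deprecated `assertEquals(Object[], Object[])` overload, which only delegates to `assertArrayEquals`; calling `assertArrayEquals(tlsAddrs, privateDnsCfg.ips)` directly is the supported form and reports the differing index on failure. The static imports at the top of the file are outside this hunk, so whether `assertArrayEquals` is already imported is unverified. The second phase also relies on `updatePrivateDnsValidation` with an empty hostname and `true` flipping `useTls` while `hostname` stays `""`, which appears to be the opportunistic-mode path; a comment such as `// Opportunistic mode: a validated server with no hostname still enables TLS.` above that `assertTrue` would make the expectation explicit for the next reader.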