Switch to a new way of activating DNS-over-TLS
This change removes the global database of potential DNS-over-TLS
servers from Netd, and makes pinned or named servers mandatory-TLS,
not opportunistic.
Bug: 64753847
Change-Id: I226ffec3f59593bc40cd9019095c5261aae55fa0
Test: Tests pass. Normal browsing continues to work normally.
diff --git a/tests/binder_test.cpp b/tests/binder_test.cpp
index 209ca9e..b3a160d 100644
--- a/tests/binder_test.cpp
+++ b/tests/binder_test.cpp
@@ -637,83 +637,57 @@
return std::string(reinterpret_cast<char*>(output_bytes));
}
-TEST_F(BinderTest, TestAddPrivateDnsServer) {
+TEST_F(BinderTest, TestSetResolverConfiguration_Tls) {
std::vector<uint8_t> fp(SHA256_SIZE);
+ std::vector<uint8_t> short_fp(1);
+ std::vector<uint8_t> long_fp(SHA256_SIZE + 1);
+ std::vector<std::string> test_domains;
+ std::vector<int> test_params = { 300, 25, 8, 8 };
+ unsigned test_netid = 0;
static const struct TestData {
- const std::string address;
- const int port;
- const std::string name;
- const std::string fingerprintAlgorithm;
- const std::set<std::vector<uint8_t>> fingerprints;
+ const std::vector<std::string> servers;
+ const std::string tlsName;
+ const std::vector<std::vector<uint8_t>> tlsFingerprints;
const int expectedReturnCode;
} kTestData[] = {
- { "192.0.2.1", 853, "", "", {}, INetd::PRIVATE_DNS_SUCCESS },
- { "2001:db8::2", 65535, "host.name", "", {}, INetd::PRIVATE_DNS_SUCCESS },
- { "192.0.2.3", 443, "@@@@", "SHA-256", { fp }, INetd::PRIVATE_DNS_SUCCESS },
- { "2001:db8::4", 1, "", "SHA-256", { fp }, INetd::PRIVATE_DNS_SUCCESS },
- { "192.0.*.5", 853, "", "", {}, INetd::PRIVATE_DNS_BAD_ADDRESS },
- { "", 853, "", "", {}, INetd::PRIVATE_DNS_BAD_ADDRESS },
- { "2001:dg8::6", 65535, "", "", {}, INetd::PRIVATE_DNS_BAD_ADDRESS },
- { "192.0.2.7", 0, "", "SHA-256", { fp }, INetd::PRIVATE_DNS_BAD_PORT },
- { "2001:db8::8", 65536, "", "", {}, INetd::PRIVATE_DNS_BAD_PORT },
- { "192.0.2.9", 50053, "", "SHA-512", { fp }, INetd::PRIVATE_DNS_UNKNOWN_ALGORITHM },
- { "2001:db8::a", 853, "", "", { fp }, INetd::PRIVATE_DNS_BAD_FINGERPRINT },
- { "192.0.2.11", 853, "", "SHA-256", {}, INetd::PRIVATE_DNS_BAD_FINGERPRINT },
- { "2001:db8::c", 853, "", "SHA-256", { { 1 } }, INetd::PRIVATE_DNS_BAD_FINGERPRINT },
- { "192.0.2.12", 853, "", "SHA-256", { std::vector<uint8_t>(SHA256_SIZE + 1) },
- INetd::PRIVATE_DNS_BAD_FINGERPRINT },
- { "2001:db8::e", 1, "", "SHA-256", { fp, fp, fp }, INetd::PRIVATE_DNS_SUCCESS },
- { "192.0.2.14", 853, "", "SHA-256", { fp, { 1 } }, INetd::PRIVATE_DNS_BAD_FINGERPRINT },
+ { {"192.0.2.1"}, "", {}, 0 },
+ { {"2001:db8::2"}, "host.name", {}, 0 },
+ { {"192.0.2.3"}, "@@@@", { fp }, 0 },
+ { {"2001:db8::4"}, "", { fp }, 0 },
+ { {"192.0.*.5"}, "", {}, EINVAL },
+ { {""}, "", {}, EINVAL },
+ { {"2001:dg8::6"}, "", {}, EINVAL },
+ { {"2001:db8::c"}, "", { short_fp }, EINVAL },
+ { {"192.0.2.12"}, "", { long_fp }, EINVAL },
+ { {"2001:db8::e"}, "", { fp, fp, fp }, 0 },
+ { {"192.0.2.14"}, "", { fp, short_fp }, EINVAL },
};
for (unsigned int i = 0; i < arraysize(kTestData); i++) {
const auto &td = kTestData[i];
std::vector<std::string> fingerprints;
- for (const std::vector<uint8_t>& fingerprint : td.fingerprints) {
+ for (const auto& fingerprint : td.tlsFingerprints) {
fingerprints.push_back(base64Encode(fingerprint));
}
- const binder::Status status = mNetd->addPrivateDnsServer(
- td.address, td.port, td.name, td.fingerprintAlgorithm, fingerprints);
+ binder::Status status = mNetd->setResolverConfiguration(
+ test_netid, td.servers, test_domains, test_params,
+ true, td.tlsName, fingerprints);
- if (td.expectedReturnCode == INetd::PRIVATE_DNS_SUCCESS) {
+ if (td.expectedReturnCode == 0) {
SCOPED_TRACE(String8::format("test case %d should have passed", i));
SCOPED_TRACE(status.toString8());
EXPECT_EQ(0, status.exceptionCode());
} else {
SCOPED_TRACE(String8::format("test case %d should have failed", i));
EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
+ EXPECT_EQ(td.expectedReturnCode, status.serviceSpecificErrorCode());
}
- EXPECT_EQ(td.expectedReturnCode, status.serviceSpecificErrorCode());
}
-}
-
-TEST_F(BinderTest, TestRemovePrivateDnsServer) {
- static const struct TestData {
- const std::string address;
- const int expectedReturnCode;
- } kTestData[] = {
- { "192.0.2.1", INetd::PRIVATE_DNS_SUCCESS },
- { "2001:db8::2", INetd::PRIVATE_DNS_SUCCESS },
- { "192.0.*.3", INetd::PRIVATE_DNS_BAD_ADDRESS },
- { "2001:dg8::4", INetd::PRIVATE_DNS_BAD_ADDRESS },
- { "", INetd::PRIVATE_DNS_BAD_ADDRESS },
- };
-
- for (unsigned int i = 0; i < arraysize(kTestData); i++) {
- const auto &td = kTestData[i];
-
- const binder::Status status = mNetd->removePrivateDnsServer(td.address);
-
- if (td.expectedReturnCode == INetd::PRIVATE_DNS_SUCCESS) {
- SCOPED_TRACE(String8::format("test case %d should have passed", i));
- EXPECT_EQ(0, status.exceptionCode());
- } else {
- SCOPED_TRACE(String8::format("test case %d should have failed", i));
- EXPECT_EQ(binder::Status::EX_SERVICE_SPECIFIC, status.exceptionCode());
- }
- EXPECT_EQ(td.expectedReturnCode, status.serviceSpecificErrorCode());
- }
+ // Ensure TLS is disabled before the start of the next test.
+ mNetd->setResolverConfiguration(
+ test_netid, kTestData[0].servers, test_domains, test_params,
+ false, "", {});
}
void expectNoTestCounterRules() {
diff --git a/tests/dns_responder/dns_responder_client.cpp b/tests/dns_responder/dns_responder_client.cpp
index ff5b556..879e19c 100644
--- a/tests/dns_responder/dns_responder_client.cpp
+++ b/tests/dns_responder/dns_responder_client.cpp
@@ -91,12 +91,22 @@
bool DnsResponderClient::SetResolversForNetwork(const std::vector<std::string>& servers,
const std::vector<std::string>& domains, const std::vector<int>& params) {
- auto rv = mNetdSrv->setResolverConfiguration(TEST_NETID, servers, domains, params);
+ auto rv = mNetdSrv->setResolverConfiguration(TEST_NETID, servers, domains, params,
+ false, "", {});
return rv.isOk();
}
-bool DnsResponderClient::SetResolversForNetwork(const std::vector<std::string>& searchDomains,
- const std::vector<std::string>& servers, const std::string& params) {
+bool DnsResponderClient::SetResolversWithTls(const std::vector<std::string>& servers,
+ const std::vector<std::string>& domains, const std::vector<int>& params,
+ const std::string& name,
+ const std::vector<std::string>& fingerprints) {
+ auto rv = mNetdSrv->setResolverConfiguration(TEST_NETID, servers, domains, params,
+ true, name, fingerprints);
+ return rv.isOk();
+}
+
+bool DnsResponderClient::SetResolversForNetwork(const std::vector<std::string>& servers,
+ const std::vector<std::string>& searchDomains, const std::string& params) {
std::string cmd = StringPrintf("resolver setnetdns %d \"", mOemNetId);
if (!searchDomains.empty()) {
cmd += searchDomains[0].c_str();
diff --git a/tests/dns_responder/dns_responder_client.h b/tests/dns_responder/dns_responder_client.h
index ed7d38d..2df536c 100644
--- a/tests/dns_responder/dns_responder_client.h
+++ b/tests/dns_responder/dns_responder_client.h
@@ -29,8 +29,15 @@
bool SetResolversForNetwork(const std::vector<std::string>& servers,
const std::vector<std::string>& domains, const std::vector<int>& params);
- bool SetResolversForNetwork(const std::vector<std::string>& searchDomains,
- const std::vector<std::string>& servers, const std::string& params);
+ bool SetResolversForNetwork(const std::vector<std::string>& servers,
+ const std::vector<std::string>& searchDomains,
+ const std::string& params);
+
+ bool SetResolversWithTls(const std::vector<std::string>& servers,
+ const std::vector<std::string>& searchDomains,
+ const std::vector<int>& params,
+ const std::string& name,
+ const std::vector<std::string>& fingerprints);
static void SetupDNSServers(unsigned num_servers, const std::vector<Mapping>& mappings,
std::vector<std::unique_ptr<test::DNSResponder>>* dns,
diff --git a/tests/netd_test.cpp b/tests/netd_test.cpp
index bd47a05..8e1eb16 100644
--- a/tests/netd_test.cpp
+++ b/tests/netd_test.cpp
@@ -281,7 +281,7 @@
dns.addMapping(host_name, ns_type::ns_t_a, "1.2.3.3");
ASSERT_TRUE(dns.startServer());
std::vector<std::string> servers = { listen_addr };
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
+ ASSERT_TRUE(SetResolversForNetwork(servers, mDefaultSearchDomains, mDefaultParams));
const hostent* result;
@@ -389,7 +389,7 @@
std::vector<std::string> servers = { listen_addr };
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
+ ASSERT_TRUE(SetResolversForNetwork(servers, mDefaultSearchDomains, mDefaultParams));
dns.clearQueries();
dns2.clearQueries();
@@ -422,7 +422,7 @@
// Change the DNS resolver, ensure that queries are still cached.
servers = { listen_addr2 };
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
+ ASSERT_TRUE(SetResolversForNetwork(servers, mDefaultSearchDomains, mDefaultParams));
dns.clearQueries();
dns2.clearQueries();
@@ -456,7 +456,7 @@
dns.addMapping(host_name, ns_type::ns_t_a, "1.2.3.5");
ASSERT_TRUE(dns.startServer());
std::vector<std::string> servers = { listen_addr };
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
+ ASSERT_TRUE(SetResolversForNetwork(servers, mDefaultSearchDomains, mDefaultParams));
addrinfo hints;
memset(&hints, 0, sizeof(hints));
@@ -480,7 +480,7 @@
dns.addMapping(host_name, ns_type::ns_t_a, "1.2.3.3");
ASSERT_TRUE(dns.startServer());
std::vector<std::string> servers = { listen_addr };
- ASSERT_TRUE(SetResolversForNetwork(searchDomains, servers, mDefaultParams));
+ ASSERT_TRUE(SetResolversForNetwork(servers, searchDomains, mDefaultParams));
dns.clearQueries();
const hostent* result = gethostbyname("nihao");
@@ -515,7 +515,7 @@
int sample_count = 8;
std::string params = StringPrintf("%u %d %d %d", sample_validity, success_threshold,
sample_count, sample_count);
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, params));
+ ASSERT_TRUE(SetResolversForNetwork(servers, mDefaultSearchDomains, params));
// Repeatedly perform resolutions for non-existing domains until MAXNSSAMPLES resolutions have
// reached the dns0, which is set to fail. No more requests should then arrive at that server
@@ -576,7 +576,7 @@
}
}
if (serverSubset.empty()) serverSubset = servers;
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, serverSubset,
+ ASSERT_TRUE(SetResolversForNetwork(serverSubset, mDefaultSearchDomains,
mDefaultParams));
addrinfo hints;
memset(&hints, 0, sizeof(hints));
@@ -644,7 +644,7 @@
ASSERT_TRUE(dns.startServer());
std::vector<std::string> servers = { listen_addr };
std::vector<std::string> domains = { "domain1.org" };
- ASSERT_TRUE(SetResolversForNetwork(domains, servers, mDefaultParams));
+ ASSERT_TRUE(SetResolversForNetwork(servers, domains, mDefaultParams));
addrinfo hints;
memset(&hints, 0, sizeof(hints));
@@ -657,7 +657,7 @@
// Test that changing the domain search path on its own works.
domains = { "domain2.org" };
- ASSERT_TRUE(SetResolversForNetwork(domains, servers, mDefaultParams));
+ ASSERT_TRUE(SetResolversForNetwork(servers, domains, mDefaultParams));
dns.clearQueries();
EXPECT_EQ(0, getaddrinfo("test13", nullptr, &hints, &result));
@@ -710,8 +710,7 @@
// There's nothing listening on this address, so validation will either fail or
/// hang. Either way, queries will continue to flow to the DNSResponder.
- auto rv = mNetdSrv->addPrivateDnsServer(listen_addr, 853, "", "", {});
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
+ ASSERT_TRUE(SetResolversWithTls(servers, mDefaultSearchDomains, mDefaultParams_Binder, "", {}));
const hostent* result;
@@ -719,7 +718,8 @@
ASSERT_FALSE(result == nullptr);
EXPECT_EQ("1.2.3.3", ToString(result));
- rv = mNetdSrv->removePrivateDnsServer(listen_addr);
+ // Clear TLS bit.
+ ASSERT_TRUE(SetResolversForNetwork(servers, mDefaultSearchDomains, mDefaultParams_Binder));
dns.stopServer();
}
@@ -749,10 +749,9 @@
ASSERT_FALSE(bind(s, reinterpret_cast<struct sockaddr*>(&tlsServer), sizeof(tlsServer)));
ASSERT_FALSE(listen(s, 1));
- auto rv = mNetdSrv->addPrivateDnsServer(listen_addr, 853, "", "", {});
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
+ // Trigger TLS validation.
+ ASSERT_TRUE(SetResolversWithTls(servers, mDefaultSearchDomains, mDefaultParams_Binder, "", {}));
- // SetResolversForNetwork should have triggered a validation connection to this address.
struct sockaddr_storage cliaddr;
socklen_t sin_size = sizeof(cliaddr);
int new_fd = accept(s, reinterpret_cast<struct sockaddr *>(&cliaddr), &sin_size);
@@ -777,7 +776,8 @@
ASSERT_FALSE(result == nullptr);
EXPECT_EQ("1.2.3.2", ToString(result));
- rv = mNetdSrv->removePrivateDnsServer(listen_addr);
+ // Clear TLS bit.
+ ASSERT_TRUE(SetResolversForNetwork(servers, mDefaultSearchDomains, mDefaultParams_Binder));
dns.stopServer();
close(s);
}
@@ -798,8 +798,7 @@
test::DnsTlsFrontend tls(listen_addr, listen_tls, listen_addr, listen_udp);
ASSERT_TRUE(tls.startServer());
- auto rv = mNetdSrv->addPrivateDnsServer(listen_addr, 853, "", "", {});
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
+ ASSERT_TRUE(SetResolversWithTls(servers, mDefaultSearchDomains, mDefaultParams_Binder, "", {}));
const hostent* result;
@@ -821,9 +820,9 @@
EXPECT_TRUE(result == nullptr);
EXPECT_EQ(HOST_NOT_FOUND, h_errno);
- // Remove the TLS server setting. Queries should now be routed to the
+ // Reset the resolvers without enabling TLS. Queries should now be routed to the
// UDP endpoint.
- rv = mNetdSrv->removePrivateDnsServer(listen_addr);
+ ASSERT_TRUE(SetResolversForNetwork(servers, mDefaultSearchDomains, mDefaultParams_Binder));
result = gethostbyname("tls3");
ASSERT_FALSE(result == nullptr);
@@ -835,6 +834,7 @@
TEST_F(ResolverTest, GetHostByName_TlsFingerprint) {
const char* listen_addr = "127.0.0.3";
const char* listen_udp = "53";
+ const char* listen_tls = "853";
test::DNSResponder dns(listen_addr, listen_udp, 250, ns_rcode::ns_r_servfail, 1.0);
ASSERT_TRUE(dns.startServer());
for (int chain_length = 1; chain_length <= 3; ++chain_length) {
@@ -842,17 +842,11 @@
dns.addMapping(host_name, ns_type::ns_t_a, "1.2.3.1");
std::vector<std::string> servers = { listen_addr };
- // Run each TLS server on a new port to avoid any possible races related to reopening
- // sockets that were just closed.
- int tls_port = 853 + chain_length;
- const char* listen_tls = std::to_string(tls_port).c_str();
test::DnsTlsFrontend tls(listen_addr, listen_tls, listen_addr, listen_udp);
tls.set_chain_length(chain_length);
ASSERT_TRUE(tls.startServer());
- auto rv = mNetdSrv->addPrivateDnsServer(listen_addr, tls_port, "", "SHA-256",
- { base64Encode(tls.fingerprint()) });
- EXPECT_EQ(0, rv.exceptionCode());
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
+ ASSERT_TRUE(SetResolversWithTls(servers, mDefaultSearchDomains, mDefaultParams_Binder, "",
+ { base64Encode(tls.fingerprint()) }));
const hostent* result;
@@ -868,8 +862,8 @@
EXPECT_TRUE(tls.waitForQueries(2, 5000));
}
- rv = mNetdSrv->removePrivateDnsServer(listen_addr);
- EXPECT_EQ(0, rv.exceptionCode());
+ // Clear TLS bit to ensure revalidation.
+ ASSERT_TRUE(SetResolversForNetwork(servers, mDefaultSearchDomains, mDefaultParams_Binder));
tls.stopServer();
}
dns.stopServer();
@@ -889,25 +883,18 @@
ASSERT_TRUE(tls.startServer());
std::vector<uint8_t> bad_fingerprint = tls.fingerprint();
bad_fingerprint[5] += 1; // Corrupt the fingerprint.
- auto rv = mNetdSrv->addPrivateDnsServer(listen_addr, 853, "", "SHA-256",
- { base64Encode(bad_fingerprint) });
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
-
- const hostent* result;
+ ASSERT_TRUE(SetResolversWithTls(servers, mDefaultSearchDomains, mDefaultParams_Binder, "",
+ { base64Encode(bad_fingerprint) }));
// The initial validation should fail at the fingerprint check before
// issuing a query.
EXPECT_FALSE(tls.waitForQueries(1, 500));
- result = gethostbyname("badtlsfingerprint");
- ASSERT_FALSE(result == nullptr);
- EXPECT_EQ("1.2.3.1", ToString(result));
+ // A fingerprint was provided and failed to match, so the query should fail.
+ EXPECT_EQ(nullptr, gethostbyname("badtlsfingerprint"));
- // The query should have bypassed the TLS frontend, because validation
- // failed.
- EXPECT_FALSE(tls.waitForQueries(1, 500));
-
- rv = mNetdSrv->removePrivateDnsServer(listen_addr);
+ // Clear TLS bit.
+ ASSERT_TRUE(SetResolversForNetwork(servers, mDefaultSearchDomains, mDefaultParams_Binder));
tls.stopServer();
dns.stopServer();
}
@@ -928,9 +915,8 @@
ASSERT_TRUE(tls.startServer());
std::vector<uint8_t> bad_fingerprint = tls.fingerprint();
bad_fingerprint[5] += 1; // Corrupt the fingerprint.
- auto rv = mNetdSrv->addPrivateDnsServer(listen_addr, 853, "", "SHA-256",
- { base64Encode(bad_fingerprint), base64Encode(tls.fingerprint()) });
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
+ ASSERT_TRUE(SetResolversWithTls(servers, mDefaultSearchDomains, mDefaultParams_Binder, "",
+ { base64Encode(bad_fingerprint), base64Encode(tls.fingerprint()) }));
const hostent* result;
@@ -944,7 +930,8 @@
// Wait for query to get counted.
EXPECT_TRUE(tls.waitForQueries(2, 5000));
- rv = mNetdSrv->removePrivateDnsServer(listen_addr);
+ // Clear TLS bit.
+ ASSERT_TRUE(SetResolversForNetwork(servers, mDefaultSearchDomains, mDefaultParams_Binder));
tls.stopServer();
dns.stopServer();
}
@@ -963,9 +950,8 @@
test::DnsTlsFrontend tls(listen_addr, listen_tls, listen_addr, listen_udp);
ASSERT_TRUE(tls.startServer());
- auto rv = mNetdSrv->addPrivateDnsServer(listen_addr, 853, "", "SHA-256",
- { base64Encode(tls.fingerprint()) });
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
+ ASSERT_TRUE(SetResolversWithTls(servers, mDefaultSearchDomains, mDefaultParams_Binder, "",
+ { base64Encode(tls.fingerprint()) }));
const hostent* result;
@@ -988,7 +974,8 @@
ASSERT_TRUE(result == nullptr);
EXPECT_EQ(HOST_NOT_FOUND, h_errno);
- rv = mNetdSrv->removePrivateDnsServer(listen_addr);
+ // Clear TLS bit.
+ ASSERT_TRUE(SetResolversForNetwork(servers, mDefaultSearchDomains, mDefaultParams_Binder));
tls.stopServer();
dns.stopServer();
}
@@ -1014,11 +1001,8 @@
test::DnsTlsFrontend tls2(listen_addr2, listen_tls, listen_addr2, listen_udp);
ASSERT_TRUE(tls1.startServer());
ASSERT_TRUE(tls2.startServer());
- auto rv = mNetdSrv->addPrivateDnsServer(listen_addr1, 853, "", "SHA-256",
- { base64Encode(tls1.fingerprint()) });
- rv = mNetdSrv->addPrivateDnsServer(listen_addr2, 853, "", "SHA-256",
- { base64Encode(tls2.fingerprint()) });
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
+ ASSERT_TRUE(SetResolversWithTls(servers, mDefaultSearchDomains, mDefaultParams_Binder, "",
+ { base64Encode(tls1.fingerprint()), base64Encode(tls2.fingerprint()) }));
const hostent* result;
@@ -1048,8 +1032,8 @@
EXPECT_EQ(2U, dns1.queries().size());
EXPECT_EQ(2U, dns2.queries().size());
- rv = mNetdSrv->removePrivateDnsServer(listen_addr1);
- rv = mNetdSrv->removePrivateDnsServer(listen_addr2);
+ // Clear TLS bit.
+ ASSERT_TRUE(SetResolversForNetwork(servers, mDefaultSearchDomains, mDefaultParams_Binder));
tls2.stopServer();
dns1.stopServer();
dns2.stopServer();
@@ -1067,24 +1051,18 @@
test::DnsTlsFrontend tls(listen_addr, listen_tls, listen_addr, listen_udp);
ASSERT_TRUE(tls.startServer());
- auto rv = mNetdSrv->addPrivateDnsServer(listen_addr, 853, "www.example.com", "", {});
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
-
- const hostent* result;
+ ASSERT_TRUE(SetResolversWithTls(servers, mDefaultSearchDomains, mDefaultParams_Binder,
+ "www.example.com", {}));
// The TLS server's certificate doesn't chain to a known CA, and a nonempty name was specified,
// so the client should fail the TLS handshake before ever issuing a query.
EXPECT_FALSE(tls.waitForQueries(1, 500));
- result = gethostbyname("badtlsname");
- ASSERT_FALSE(result == nullptr);
- EXPECT_EQ("1.2.3.1", ToString(result));
+ // The query should fail hard, because a name was specified.
+ EXPECT_EQ(nullptr, gethostbyname("badtlsname"));
- // The query should have bypassed the TLS frontend, because validation
- // failed.
- EXPECT_FALSE(tls.waitForQueries(1, 500));
-
- rv = mNetdSrv->removePrivateDnsServer(listen_addr);
+ // Clear TLS bit.
+ ASSERT_TRUE(SetResolversForNetwork(servers, mDefaultSearchDomains, mDefaultParams_Binder));
tls.stopServer();
dns.stopServer();
}
@@ -1102,9 +1080,8 @@
test::DnsTlsFrontend tls(listen_addr, listen_tls, listen_addr, listen_udp);
ASSERT_TRUE(tls.startServer());
- auto rv = mNetdSrv->addPrivateDnsServer(listen_addr, 853, "", "SHA-256",
- { base64Encode(tls.fingerprint()) });
- ASSERT_TRUE(SetResolversForNetwork(mDefaultSearchDomains, servers, mDefaultParams));
+ ASSERT_TRUE(SetResolversWithTls(servers, mDefaultSearchDomains, mDefaultParams_Binder, "",
+ { base64Encode(tls.fingerprint()) }));
// Wait for validation to complete.
EXPECT_TRUE(tls.waitForQueries(1, 5000));
@@ -1126,7 +1103,8 @@
// Wait for both A and AAAA queries to get counted.
EXPECT_TRUE(tls.waitForQueries(3, 5000));
- rv = mNetdSrv->removePrivateDnsServer(listen_addr);
+ // Clear TLS bit.
+ ASSERT_TRUE(SetResolversForNetwork(servers, mDefaultSearchDomains, mDefaultParams_Binder));
tls.stopServer();
dns.stopServer();
}