Support RFC 7858 DNS over TLS
This change adds the core capability for DNS over TLS, and creates
private APIs for activating it, but does not provide any way to
activate the functionality in a development environment or on a
real device.
Based on https://android-review.googlesource.com/#/c/373776/
Test: Complete unit+integration tests. Manual tests look good.
Bug: 34953048
Change-Id: Ib99ac1f631fd2c2c8fbf53bdb05f67f8be7713ac
diff --git a/server/ResolverController.h b/server/ResolverController.h
index 3da9ac9..a6a559d 100644
--- a/server/ResolverController.h
+++ b/server/ResolverController.h
@@ -39,6 +39,15 @@
int setDnsServers(unsigned netId, const char* searchDomains, const char** servers,
int numservers, const __res_params* params);
+ // Given a netId and the address of an insecure (i.e. normal) DNS server, this method checks
+ // if there is a known secure DNS server with the same IP address that has been validated as
+ // accessible on this netId. If so, it returns true, providing the server's address
+ // (including port) and pin fingerprints (possibly empty) in the output parameters.
+ // TODO: Add support for optional stronger security, by returning true even if the secure
+ // server is not accessible.
+ bool shouldUseTls(unsigned netId, const sockaddr_storage& insecureServer,
+ sockaddr_storage* secureServer, std::set<std::vector<uint8_t>>* fingerprints);
+
int clearDnsServers(unsigned netid);
int flushDnsCache(unsigned netid);
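Review bot: The comment on shouldUseTls should state what a false return and an empty fingerprint set mean for security, since the declaration fixes both as normal outcomes: a secure server that is configured but not "validated as accessible" yields false and the caller stays on plaintext UDP/TCP DNS, so an on-path attacker who can block the TLS probe can force the downgrade — which the TODO acknowledges but the contract above it does not. Likewise "pin fingerprints (possibly empty)" leaves open whether an empty set means the TLS session is unauthenticated (encryption against passive observers only); the header should say so rather than leave the caller to infer it, e.g. `// An empty fingerprint set means the secure server is not pinned: the connection is encrypted but its identity is not verified — this protects against passive observation only, not an active attacker.` and `// Returns false (caller falls back to the insecure server) whenever the secure server has not been validated as reachable; this fallback is itself a downgrade path.` The two out-parameters are raw pointers, so the comment should also say whether either may be null (the current text implies both are always written when true is returned, presumably requiring non-null).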
@@ -56,6 +65,11 @@
std::vector<std::string>* domains, std::vector<int32_t>* params,
std::vector<int32_t>* stats);
void dump(DumpWriter& dw, unsigned netId);
+
+ int addPrivateDnsServer(const std::string& server, int32_t port,
+ const std::string& fingerprintAlgorithm,
+ const std::set<std::vector<uint8_t>>& fingerprints);
+ int removePrivateDnsServer(const std::string& server);
};
} // namespace net
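Review bot: addPrivateDnsServer and removePrivateDnsServer are undocumented, and the asymmetry between them is security-relevant: add is keyed on (server, port) while remove takes only `server`, so if the same address is registered on two ports it is unclear whether remove drops both or the first match — the declaration should say which, or take the port as well. The `fingerprintAlgorithm` string also needs its accepted values stated, and the contract for an unrecognised algorithm or for `fingerprints` being empty spelled out: silently accepting an unknown algorithm or an empty pin set would register a server that cannot be authenticated, so the comment should commit to rejecting it, e.g. `// Returns a negative error if fingerprintAlgorithm is not a supported digest or if any fingerprint has the wrong length for it; an empty set registers an unpinned (unauthenticated) server.` The return type `int` presumably follows the -errno convention of the surrounding setters, but that is inferred from the other declarations, not visible here. This is the end of the class; the implementation is outside the hunk.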