# # Copyright 2018 - The Android Open Source Project # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. import time from acts import asserts from acts.controllers.openwrt_ap import MOBLY_CONTROLLER_CONFIG_NAME as OPENWRT from acts.test_decorators import test_tracker_info from acts_contrib.test_utils.net import connectivity_const as cconst from acts_contrib.test_utils.net import connectivity_test_utils as cutils from acts_contrib.test_utils.net import net_test_utils as nutils from acts_contrib.test_utils.tel.tel_ims_utils import set_wfc_mode from acts_contrib.test_utils.net.net_test_utils import start_tcpdump from acts_contrib.test_utils.net.net_test_utils import stop_tcpdump from acts_contrib.test_utils.tel.tel_defines import WFC_MODE_DISABLED from acts_contrib.test_utils.tel.tel_test_utils import get_operator_name from acts_contrib.test_utils.wifi import wifi_test_utils as wutils from acts_contrib.test_utils.wifi.WifiBaseTest import WifiBaseTest from scapy.all import rdpcap from scapy.all import Scapy_Exception from scapy.all import TCP from scapy.all import UDP RST = 0x04 SSID = wutils.WifiEnums.SSID_KEY class DnsOverTlsTest(WifiBaseTest): """Tests for DNS-over-TLS.""" def setup_class(self): """Setup devices for DNS-over-TLS test and unpack params.""" self.dut = self.android_devices[0] if len(self.android_devices) > 1: self.dut_b = self.android_devices[1] for ad in self.android_devices: ad.droid.setPrivateDnsMode(True) if OPENWRT not in self.user_params: nutils.verify_lte_data_and_tethering_supported(ad) set_wfc_mode(self.log, ad, WFC_MODE_DISABLED) req_params = ("ping_hosts",) opt_params = ("ipv4_only_network", "ipv4_ipv6_network", "dns_name", "configure_OpenWrt", "wifi_network") self.unpack_userparams(req_param_names=req_params, opt_param_names=opt_params) if OPENWRT in self.user_params: self.openwrt = self.access_points[0] if hasattr(self, "configure_OpenWrt") and self.configure_OpenWrt == "skip": self.dut.log.info("Skip configure Wifi interface due to config setup.") else: self.configure_openwrt_ap_and_start(wpa_network=True) self.wifi_network = self.openwrt.get_wifi_network() self.private_dns_servers = [self.dns_name] self.openwrt.network_setting.setup_dns_server(self.dns_name) else: self.private_dns_servers = [cconst.DNS_GOOGLE_HOSTNAME, cconst.DNS_QUAD9_HOSTNAME, cconst.DNS_CLOUDFLARE_HOSTNAME] self.tcpdump_pid = None def teardown_test(self): wutils.reset_wifi(self.dut) def teardown_class(self): for ad in self.android_devices: ad.droid.setPrivateDnsMode(True) if OPENWRT in self.user_params: self.openwrt.network_setting.remove_dns_server() def on_fail(self, test_name, begin_time): self.dut.take_bug_report(test_name, begin_time) def get_wifi_network(self, ipv6_supported): if OPENWRT in self.user_params: if ipv6_supported: self.openwrt.network_setting.enable_ipv6() else: self.openwrt.network_setting.disable_ipv6() return self.openwrt.get_wifi_network() if ipv6_supported: return self.ipv4_ipv6_network return self.ipv4_only_network def _start_tcp_dump(self, ad): """Start tcpdump on the given dut. Args: ad: dut to run tcpdump on """ self.tcpdump_pid = start_tcpdump(ad, self.test_name) def _stop_tcp_dump(self, ad): """Stop tcpdump and pull it to the test run logs. Args: ad: dut to pull tcpdump from """ return stop_tcpdump(ad, self.tcpdump_pid, self.test_name) def _verify_dns_queries_over_tls(self, pcap_file, tls=True): """Verify if DNS queries were over TLS or not. Args: pcap_file: tcpdump file tls: if queries should be over TLS or port 853 """ try: packets = rdpcap(pcap_file) except Scapy_Exception: asserts.fail("Not a valid pcap file") for pkt in packets: summary = "%s" % pkt.summary() for host in self.ping_hosts: host = host.split(".")[-2] if tls and UDP in pkt and pkt[UDP].dport == 53 and \ host in summary: asserts.fail("Found query to port 53: %s" % summary) elif not tls and TCP in pkt and pkt[TCP].dport == 853 and \ not pkt[TCP].flags: asserts.fail("Found query to port 853: %s" % summary) def _verify_no_rst_packets_port_853(self, pcap_file): """Verify if RST packets are found in the pcap file. Args: pcap_file: full path of tcpdump file """ packets = rdpcap(pcap_file) for pkt in packets: if TCP in pkt and pkt[TCP].flags == RST and pkt[TCP].dport == 853: asserts.fail("Found RST packets: %s" % pkt.summary()) def _test_private_dns_mode(self, ad, net, dns_mode, use_tls, hostname=None): """Test private DNS mode. Args: ad: android device object net: wifi network to connect to, LTE network if None dns_mode: private DNS mode use_tls: if True, the DNS packets should be encrypted hostname: private DNS hostname to set to """ # set private dns mode if dns_mode: cutils.set_private_dns(self.dut, dns_mode, hostname) # connect to wifi if net: wutils.start_wifi_connection_scan_and_ensure_network_found( self.dut, net[SSID]) wutils.wifi_connect(self.dut, net) # start tcpdump on the device self._start_tcp_dump(self.dut) # ping hosts should pass for host in self.ping_hosts: self.log.info("Pinging %s" % host) status = wutils.validate_connection(self.dut, host) asserts.assert_true(status, "Failed to ping host %s" % host) self.log.info("Ping successful") # stop tcpdump pcap_file = self._stop_tcp_dump(self.dut) # verify DNS queries self._verify_dns_queries_over_tls(pcap_file, use_tls) # reset wifi wutils.reset_wifi(self.dut) def _test_invalid_private_dns(self, net, dns_mode, dns_hostname): """Test private DNS with invalid hostname, which should failed the ping. :param net: Wi-Fi network to connect to :param dns_mode: private DNS mode :param dns_hostname: private DNS hostname :return: """ cutils.set_private_dns(self.dut, dns_mode, dns_hostname) if net: wutils.start_wifi_connection_scan_and_ensure_network_found( self.dut, net[SSID]) wutils.wifi_connect( self.dut, net, assert_on_fail=False, check_connectivity=False) self._start_tcp_dump(self.dut) # ping hosts should NOT pass ping_result = False for host in self.ping_hosts: self.log.info("Pinging %s" % host) try: ping_result = self.dut.droid.httpPing(host) except: pass # Ping result should keep negative with invalid DNS, # so once it's positive we should break, and the test should fail if ping_result: break pcap_file = self._stop_tcp_dump(self.dut) self._verify_dns_queries_over_tls(pcap_file, True) wutils.reset_wifi(self.dut) return ping_result @test_tracker_info(uuid="2957e61c-d333-45fb-9ff9-2250c9c8535a") def test_private_dns_mode_off_wifi_ipv4_only_network(self): """Verify private dns mode off on ipv4 only network. Steps: 1. Set private dns mode off 2. Connect to wifi network. DNS server supports DNS/TLS 3. Run HTTP ping to amazon.com, facebook.com, netflix.com 4. Verify ping works to differnt hostnames 5. Verify that all queries go to port 53 """ self._test_private_dns_mode(self.dut, self.get_wifi_network(False), cconst.PRIVATE_DNS_MODE_OFF, False) @test_tracker_info(uuid="ea036d22-25af-4df0-b6cc-0027bc1efbe9") def test_private_dns_mode_off_wifi_ipv4_ipv6_network(self): """Verify private dns mode off on ipv4-ipv6 network. Steps: 1. Set private dns mode off 2. Connect to wifi network. DNS server supports DNS/TLS 3. Run HTTP ping to amazon.com, facebook.com, netflix.com 4. Verify ping works to differnt hostnames 5. Verify that all queries go to port 53 """ self._test_private_dns_mode(self.dut, self.get_wifi_network(True), cconst.PRIVATE_DNS_MODE_OFF, False) @test_tracker_info(uuid="4227abf4-0a75-4b4d-968c-dfc63052f5db") def test_private_dns_mode_opportunistic_wifi_ipv4_only_network(self): """Verify private dns mode opportunistic on ipv4 only network. Steps: 1. Set private dns to opportunistic mode 2. Connect to wifi network. DNS server supports DNS/TLS 3. Run HTTP ping to amazon.com, facebook.com, netflix.com 4. Verify ping works to differnt hostnames 5. Verify that all queries go to port 853 and encrypted """ self._test_private_dns_mode(self.dut, self.get_wifi_network(False), cconst.PRIVATE_DNS_MODE_OPPORTUNISTIC, True) @test_tracker_info(uuid="0c97cfef-4313-4346-b05b-395de63c5c3f") def test_private_dns_mode_opportunistic_wifi_ipv4_ipv6_network(self): """Verify private dns mode opportunistic on ipv4-ipv6 network. Steps: 1. Set private dns to opportunistic mode 2. Connect to wifi network. DNS server supports DNS/TLS 3. Run HTTP ping to amazon.com, facebook.com, netflix.com 4. Verify ping works to differnt hostnames 5. Verify that all queries go to port 853 """ self._test_private_dns_mode(self.dut, self.get_wifi_network(True), cconst.PRIVATE_DNS_MODE_OPPORTUNISTIC, True) @test_tracker_info(uuid="b70569f1-2613-49d0-be49-fd3464dde305") def test_private_dns_mode_strict_wifi_ipv4_only_network(self): """Verify private dns mode strict on ipv4 only network. Steps: 1. Set private dns to strict mode 2. Connect to wifi network. DNS server supports DNS/TLS 3. Run HTTP ping to amazon.com, facebook.com, netflix.com 4. Verify ping works to differnt hostnames 5. Verify that all queries go to port 853 and encrypted """ for dns in self.private_dns_servers: self._test_private_dns_mode(self.dut, self.get_wifi_network(False), cconst.PRIVATE_DNS_MODE_STRICT, True, dns) @test_tracker_info(uuid="85738b52-823b-4c59-a0d5-219e2fab2929") def test_private_dns_mode_strict_wifi_ipv4_ipv6_network(self): """Verify private dns mode strict on ipv4-ipv6 network. Steps: 1. Set private dns to strict mode 2. Connect to wifi network. DNS server supports DNS/TLS 3. Run HTTP ping to amazon.com, facebook.com, netflix.com 4. Verify ping works to differnt hostnames 5. Verify that all queries go to port 853 and encrypted """ for dns in self.private_dns_servers: self._test_private_dns_mode(self.dut, self.get_wifi_network(True), cconst.PRIVATE_DNS_MODE_STRICT, True, dns) @test_tracker_info(uuid="727e280a-d2bd-463f-b2a1-653d4b3f7f29") def test_private_dns_mode_off_vzw_carrier(self): """Verify private dns mode off on VZW network. Steps: 1. Set private dns mode off 2. Connect to wifi network. VZW doesn't support DNS/TLS 3. Run HTTP ping to amazon.com, facebook.com, netflix.com 4. Verify ping works to differnt hostnames 5. Verify that all queries go to port 53 """ carrier = get_operator_name(self.log, self.dut_b) asserts.skip_if(carrier != "vzw", "Carrier is not Verizon") self._test_private_dns_mode(self.dut_b, None, cconst.PRIVATE_DNS_MODE_OFF, False) @test_tracker_info(uuid="b16f6e2c-a24f-4efe-9003-2bfaf28b8d5e") def test_private_dns_mode_off_tmo_carrier(self): """Verify private dns mode off on TMO network. Steps: 1. Set private dns to off mode 2. Connect to wifi network. TMO supports DNS/TLS 3. Run HTTP ping to amazon.com, facebook.com, netflix.com 4. Verify ping works to differnt hostnames 5. Verify that all queries go to port 53 """ carrier = get_operator_name(self.log, self.dut) asserts.skip_if(carrier != "tmo", "Carrier is not T-mobile") self._test_private_dns_mode(self.dut, None, cconst.PRIVATE_DNS_MODE_OFF, False) @test_tracker_info(uuid="edfa7bfe-3e52-46b4-9d72-7c6c300b3680") def test_private_dns_mode_opportunistic_vzw_carrier(self): """Verify private dns mode opportunistic on VZW network. Steps: 1. Set private dns mode opportunistic 2. Connect to wifi network. VZW doesn't support DNS/TLS 3. Run HTTP ping to amazon.com, facebook.com, netflix.com 4. Verify ping works to differnt hostnames 5. Verify that all queries go to port 53 """ carrier = get_operator_name(self.log, self.dut_b) asserts.skip_if(carrier != "vzw", "Carrier is not Verizon") self._test_private_dns_mode(self.dut_b, None, cconst.PRIVATE_DNS_MODE_OPPORTUNISTIC, False) @test_tracker_info(uuid="41c3f2c4-11b7-4bb8-a3c9-fac63f6822f6") def test_private_dns_mode_opportunistic_tmo_carrier(self): """Verify private dns mode opportunistic on TMO network. Steps: 1. Set private dns mode opportunistic 2. Connect to wifi network. TMP supports DNS/TLS 3. Run HTTP ping to amazon.com, facebook.com, netflix.com 4. Verify ping works to differnt hostnames 5. Verify that all queries go to port 853 and encrypted """ carrier = get_operator_name(self.log, self.dut) asserts.skip_if(carrier != "tmo", "Carrier is not T-mobile") self._test_private_dns_mode(self.dut, None, cconst.PRIVATE_DNS_MODE_OPPORTUNISTIC, True) @test_tracker_info(uuid="65fd2052-f0c0-4446-b353-7ed2273e6c95") def test_private_dns_mode_strict_vzw_carrier(self): """Verify private dns mode strict on VZW network. Steps: 1. Set private dns mode strict 2. Connect to wifi network. VZW doesn't support DNS/TLS 3. Run HTTP ping to amazon.com, facebook.com, netflix.com 4. Verify ping works to differnt hostnames 5. Verify that all queries go to port 853 and encrypted """ carrier = get_operator_name(self.log, self.dut_b) asserts.skip_if(carrier != "vzw", "Carrier is not Verizon") for dns in self.private_dns_servers: self._test_private_dns_mode(self.dut_b, None, cconst.PRIVATE_DNS_MODE_STRICT, True, dns) @test_tracker_info(uuid="bca141f7-06c9-4e44-854e-4bdb9443b2da") def test_private_dns_mode_strict_tmo_carrier(self): """Verify private dns mode strict on TMO network. Steps: 1. Set private dns mode strict 2. Connect to wifi network. TMO supports DNS/TLS 3. Run HTTP ping to amazon.com, facebook.com, netflix.com 4. Verify ping works to differnt hostnames 5. Verify that all queries go to port 853 and encrypted """ carrier = get_operator_name(self.log, self.dut) asserts.skip_if(carrier != "tmo", "Carrier is not T-mobile") for dns in self.private_dns_servers: self._test_private_dns_mode(self.dut, None, cconst.PRIVATE_DNS_MODE_STRICT, True, dns) @test_tracker_info(uuid="7d977987-d9e3-4be1-b8fc-e5a84050ed48") def test_private_dns_mode_opportunistic_connectivity_toggle_networks(self): """Verify private DNS opportunistic mode connectivity by toggling networks. Steps: 1. Set private DNS opportunistic mode 2. DUT is connected to mobile network 3. Verify connectivity and DNS queries going to port 853 for TMO and port 53 for VZW 4. Switch to wifi network set with private DNS server 5. Verify connectivity and DNS queries going to port 853 6. Switch back to mobile network 7. Verify connectivity and DNS queries going to port 853 for TMO and port 53 for VZW 8. Repeat steps 1-7 for TMO, VZW and different private DNS servers """ for ad in self.android_devices: carrier = get_operator_name(self.log, ad) self.log.info("Carrier is: %s" % carrier) use_tls = True if carrier == "tmo" else False for dns in self.private_dns_servers: self.log.info("Setting opportunistic private dns mode") # set private dns mode cutils.set_private_dns(ad, cconst.PRIVATE_DNS_MODE_OPPORTUNISTIC) # verify dns over tls on mobile network self._test_private_dns_mode( self.dut, None, None, use_tls, dns) # verify dns over tls on wifi network self._test_private_dns_mode( self.dut, self.ipv4_ipv6_network, None, True, dns) # verify dns over tls on mobile network wutils.reset_wifi(self.dut) self._test_private_dns_mode( self.dut, None, None, use_tls, dns) @test_tracker_info(uuid="bc2f228f-e288-4539-a4b9-c02968209985") def test_private_dns_mode_strict_connectivity_toggle_networks(self): """Verify private DNS strict mode connectivity by toggling networks. Steps: 1. Set private DNS strict mode 2. DUT is connected to mobile network 3. Verify connectivity and DNS queries going to port 853 4. Switch to wifi network 5. Verify connectivity and DNS queries going to port 853 6. Switch back to mobile network 7. Verify connectivity and DNS queries going to port 853 8. Repeat steps 1-7 for TMO, VZW and different private DNS servers """ for ad in self.android_devices: self.log.info("Carrier is: %s" % get_operator_name(self.log, ad)) for dns in self.private_dns_servers: self.log.info("Setting strict mode private dns: %s" % dns) # set private dns mode cutils.set_private_dns(ad, cconst.PRIVATE_DNS_MODE_STRICT, dns) # verify dns over tls on mobile network self._test_private_dns_mode( self.dut, None, None, True, dns) # verify dns over tls on wifi network self._test_private_dns_mode( self.dut, self.ipv4_ipv6_network, None, True, dns) # verify dns over tls on mobile network wutils.reset_wifi(self.dut) self._test_private_dns_mode( self.dut, None, None, True, dns) @test_tracker_info(uuid="1426673a-7728-4df7-8de5-dfb3529ada62") def test_dns_server_link_properties_strict_mode(self): """Verify DNS server in the link properties when set in strict mode. Steps: 1. Set DNS server hostname in Private DNS settings (stict mode) 2. Verify that DNS server set in settings is in link properties 3. Verify for WiFi as well as LTE """ # start tcpdump on device self._start_tcp_dump(self.dut) # set private DNS to strict mode cutils.set_private_dns( self.dut, cconst.PRIVATE_DNS_MODE_STRICT, cconst.DNS_GOOGLE_HOSTNAME) # connect DUT to wifi network wutils.start_wifi_connection_scan_and_ensure_network_found( self.dut, self.ipv4_ipv6_network[SSID]) wutils.wifi_connect(self.dut, self.ipv4_ipv6_network) for host in self.ping_hosts: wutils.validate_connection(self.dut, host) # DNS server in link properties for wifi network link_prop = self.dut.droid.connectivityGetActiveLinkProperties() wifi_dns_servers = link_prop["PrivateDnsServerName"] self.log.info("Link prop: %s" % wifi_dns_servers) # DUT is on LTE data wutils.reset_wifi(self.dut) time.sleep(1) # wait till lte network becomes active for host in self.ping_hosts: wutils.validate_connection(self.dut, host) # DNS server in link properties for cell network link_prop = self.dut.droid.connectivityGetActiveLinkProperties() lte_dns_servers = link_prop["PrivateDnsServerName"] self.log.info("Link prop: %s" % lte_dns_servers) # stop tcpdump on device pcap_file = self._stop_tcp_dump(self.dut) # Verify DNS server in link properties asserts.assert_true(cconst.DNS_GOOGLE_HOSTNAME in wifi_dns_servers, "Hostname not in link properties - wifi network") asserts.assert_true(cconst.DNS_GOOGLE_HOSTNAME in lte_dns_servers, "Hostname not in link properites - cell network") @test_tracker_info(uuid="525a6f2d-9751-474e-a004-52441091e427") def test_dns_over_tls_no_reset_packets(self): """Verify there are no TCP packets with RST flags on port 853. Steps: 1. Enable opportunistic or strict mode 2. Ping hosts and verify that there are TCP pkts with RST flags """ # start tcpdump on device self._start_tcp_dump(self.dut) # set private DNS to opportunistic mode cutils.set_private_dns(self.dut, cconst.PRIVATE_DNS_MODE_OPPORTUNISTIC) # connect DUT to wifi network wutils.start_wifi_connection_scan_and_ensure_network_found( self.dut, self.ipv4_ipv6_network[SSID]) wutils.wifi_connect(self.dut, self.ipv4_ipv6_network) for host in self.ping_hosts: wutils.validate_connection(self.dut, host) # stop tcpdump on device pcap_file = self._stop_tcp_dump(self.dut) # check that there no RST TCP packets self._verify_no_rst_packets_port_853(pcap_file) @test_tracker_info(uuid="af6e34f1-3ad5-4ab0-b3b9-53008aa08294") def test_private_dns_mode_strict_invalid_hostnames(self): """Verify that invalid hostnames are not able to ping for strict mode. Steps: 1. Set private DNS to strict mode with invalid hostname 2. Verify that invalid hostname is not saved """ invalid_hostnames = ["!%@&!*", "12093478129", "9.9.9.9", "sdkfjhasdf"] for dns_hostname in invalid_hostnames: ping_result = self._test_invalid_private_dns( self.get_wifi_network(False), cconst.PRIVATE_DNS_MODE_STRICT, dns_hostname) asserts.assert_false(ping_result, "Ping success with invalid DNS.")