This change will print the log about DoT server establishing time
and disconnecting time in user-debug builds.
Also upgrade some logs so we can know the reason for a disconnection
from the DoT server.
Test: atest
Change-Id: I247b6d6bc73edd9ed18a36f04a8c3682d2924e0a
Clat/464xlat has to assume that it may need to translate
ipv4 fragments to ipv6. As such the clat overhead is 28
(40 ipv6 header size - 20 ipv4 header size + 8 ipv6 frag header)
and not 20.
This means on a minimum ipv6 mtu 1280 ipv6-only network,
the clat interface's mtu is 1280 - 28 = 1252.
The ipv4 TCP MSS derived from that is 1252 - 20 ipv4 header
size - 20 tcp header size = 1212.
So, it's slightly safer to use an ipv4 advmss of 1212,
while we can use 1220 advmss for ipv6 (derived from
1280 ipv6 min guaranteed mtu - 40 ipv6 header - 20 tcp header).
While we're at it, also slightly improve logging.
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Iff8d5af1057998648b5b383ccf6912c6af2cdacf
Set the maximum segment size for outgoing TCP packets to a suitably low
value of 1220.
In some cases, such as in VPN networks, the TCP MSS value announced
could be too large, causing packets to be lost.
Bug: 246398088
Test: Manual test: Build, flash, boot.
Test: Connect to private dns, confirm announced MSS in tcpdump.
Change-Id: I4b72e27fe283951bc6f2bf44ee0fd802e133f812
They are already under the same namespace.
Test: presubmit
Bug: 219872355
Change-Id: Ibbd5dc4bed7779eee99f553f8dc3e7a8f0bec4bd
Bug: 196298216
Test: cd packages/modules/DnsResolver && atest
Change-Id: I581c282bba1527afd2be9daf925e9ec5bd2e5cd6
The failures of private DNS connections are common and sometimes
expected, such as firewall blocking or opportunistic private DNS
mode. It's not a DnsResolver bug, so downgrade the logging level
to Warning.
Bug: 181269159
Test: cd packages/modules/DnsResolver && mm
Change-Id: Ic56aaebce6cfa2c73dba9320119fdc9217905624
When servers reply with multiple DNS responses in one packet, DnsTlsSocket
handles only the first DNS response. The remaining DNS responses
are still in the ssl buffer. This causes a bug that there will be at
least one DNS response in the ssl buffer, which results in at least one
DNS request timeout.
This change fixes it by always consuming the data from ssl before
the next poll.
Bug: 172778187
Bug: 168027339
Bug: 171413368
Test: cd packages/modules/DnsResolver && atest
Change-Id: I72807e43636a46d30df6a694bb906313a8de63f2
Because DnsTlsServer is not refreshed along with creating or
destroying a network, move the flag into the Experiments class
so that a new value of the flag can take effect on
already-existing networks.
Bug: 149445907
Bug: 120182528
Test: cd packages/modules/DnsResolver && atest
Change-Id: I37afed9606765e7715ecb23e4946305ac79a21e3
There are some performance concerns about running connection handshake
on query threads (which are launched from DnsProxyListener):
- Until a handshake running on a query thread finishes, other
query threads get blocked from acquiring the lock, which
makes it hard to implement a timeout.
- If the handshake fails, all of the waiting query threads can't
know it. Then, one of them will do another handshake which
is likely to fail again.
This change introduces a flag which moves connection handshake from
query threads to the DnsTlsSocket loop thread to address the concerns.
- Before a handshake finishes, query threads are waiting for their
std::future result. This helps future implementation of query
timeout.
- If the handshake fails kMaxTries times, none of the waiting query
threads does another handshake to the same DoT server again.
They can either try the next DoT server or fall back to Do53.
Besides, with the flag enabled, DnsTlsSocket can be aware of
a shutdown request and instantly stop the connection handshake if needed.
Bug: 149445907
Test: cd packages/modules/DnsResolver
set the flag on, ran atest
rebooted, set the flag off, ran atest
Change-Id: I6a0a4c962c9eaf78ca2796128018f7ba06897b16
The state diagram of DnsTlsSocket is simple and doesn't have
circular states.
Bug: 149445907
Test: cd packages/modules/DnsResolver && atest
Change-Id: I5088d3c6e3c9d3c148cfce4ffa97218bab7e0e78
errno might change if an error also happens in close(). errno
from close() is not what we are interested in.
Also refine some logging from LOG to PLOG.
Bug: 149445907
Test: cd packages/modules/DnsResolver && mm
Change-Id: I47ab70aa3ad937105cfdbcfd3e9ac49b895284ed
This is a refactor change which separates the handshake code from
DnsTlsSocket::initialize(). The plan is that initialize() will
continue running on query threads but the code for connection
handshake will run on either query threads or loop threads depending
on a flag.
Bug: 149445907
Test: cd packages/modules/DnsResolver && atest
Change-Id: I262f978230fb1a01ca7963de03b64cb439a37eec
Explicitly specify AID_ROOT as the only uid that can inject a certificate.
Bug: 150952393
Test: atest
Change-Id: If71c0171bc4347979e278752fc49877359f056b7
The cppflag RESOLV_INJECT_CA_CERTIFICATE prevents the test CA certificate
injection interface from being misused in production builds. However, it
also leads to resolv_integration_test failing while the resolver is built
for mainline release. Remove RESOLV_INJECT_CA_CERTIFICATE to get the test
to pass. The CA certificate injection interface is still protected by the
permission check in DnsResolverService::setResolverConfiguration().
Bug: 147792436
Test: 1. build and install com.android.resolv from aml branch
2. atest resolv_integration_test
Change-Id: Id03566dcaceab0f8c78fe705cb8f6f6c806082ca
Log the value of the network mark as a hexadecimal number rather than printing
each bit/variable one by one. No functionality change.
Bug: 151895202
Test: enabled the resolver debugging and checked the logs
Change-Id: I448c6487e5787c6dd0466ac76c80900ccd3b7249
Use the 16 least significant bits of the network mark, which are supposed
to represent the netId, for resolver thread names. This is in
preparation for dropping Fwmark used in DnsResolver.
No naming rule change.
Bug: 151895202
Test: adb shell ps -AT $(adb shell pidof netd)
Change-Id: Ie1724dc5775cdeff6ee00a51b5f74e8f8a32d5d3
Fixes:
packages/modules/DnsResolver/DnsTlsSocket.cpp:216:5: error: the value returned by this function should be used [bugprone-unused-return-value,-warnings-as-errors]
bio.release();
^
packages/modules/DnsResolver/DnsTlsSocket.cpp:216:5: note: cast the expression to void to silence this warning
Test: builds
Bug: 153035880
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I683d13024ae70ff75d1e6d3c78c23a73ab9bc301
The caCertificate field in ResolverParamsParcel is documented as
being for testing only. Because setting it could have security
implications, don't allow the system server to pass it in.
Bug: 144475682
Test: existing tests pass
Change-Id: Ie0b826127cc48f18945a9de5f3579e47706462ee
RDNS on local cache:
Function that performs RDNS on the local cache. Takes
an ip address and net id as input and gives a domain
name as output.
Tag DNS query:
Function that tags the uid and pid of the application
that sends the DNS query.
Bug: 131051938
Test: build, flash, boot
Change-Id: I34abfc63d65f37e00dd813c9121ff483e4f85e7d
It could take time to connect to a private DNS server if the system
allows 6 syn-retransmissions (net.ipv4.tcp_syn_retries = 6), which
can take more than 2 minutes.
This change allows us to configure the timeout value via the dnsresolver
binder service, and keeps the default timeout value the same as the
original design.
Bug: 120182528
Bug: 141218721
Test: atest --include-subdirs packages/modules/DnsResolver
Test: m com.android.resolv
adb install com.android.resolv
rebooted
Change-Id: I8711a31172cfc671bf348191db363e7863831470
Tag with TAG_SYSTEM_DNS for dns packets so that apps know that
the traffic is not sent by them but is sent by the system on
their behalf.
Test: atest resolv_integration_test
Bug: 132125333
Change-Id: I581862f8884a0a9f6d3aa89c981d9b8066dc3ed8
The threads in the resolver are renamed, including:
- Threads for lookup (name: Dns_<netId>_<appId>)
- Threads for private dns validation (name: TlsVerify_<netId>)
- Threads for NAT64 prefix discovery (name: Nat64Pfx_<netId>)
- Threads for communicating with private dns (name: TlsListen_<netId>)
- Threads for reconnecting private dns (name: TlsReconn_<netId>)
Example from ps -AT:
root 756 3418 1 2501400 7352 futex_wait_queue_me 0 S Dns_105_1073
root 756 3419 1 2501400 7352 do_sys_poll 0 S TlsVerify_105
root 756 3420 1 2501400 7352 do_sys_poll 0 S TlsVerify_105
root 756 3422 1 2501400 7352 do_sys_poll 0 S TlsVerify_105
root 756 3428 1 2501400 7352 do_sys_poll 0 S TlsListen_105
Also, reveal some logs for private dns validation status to facilitate
debugging analysis.
Example:
790 4364 W resolv : Validating DnsTlsServer on netId 100
790 4364 W resolv : Validation failed
790 4366 W resolv : Validating DnsTlsServer on netId 100
790 4366 W resolv : Validation success
Bug: 128404051
Test: atest --include-subdirs packages/modules/DnsResolver
Change-Id: Ide93b1099535552a8615c71353226c1aa70462e3
Inject a test Certificate Authority for the DNS-over-TLS test; it
provides proper test coverage for TLS certificate validation.
Test: built, flashed, booted
atest pass
Change-Id: I32b8c743d991ba1f113b37165ff01f4b2acc9da2
The current log does not specify in which network the SSL_connect error
happened if there are multiple networks connected. Print
the socket mark for better debugging.
Sample log:
resolv : SSL_connect ssl error =5, 100, 1, 1, 3, 0: Connection timed out
Bug: 132925257
Test: atest resolv_integration_test
Change-Id: Id691b3590d89bed363aac70f2297d3a734e0a396
Currently DNS lookups are all sent as AID_DNS. A separate UID of the
app that sent the DNS lookup allows us to account for and route DNS
traffic differently from AID_DNS.
Also, currently DNS over TLS lookups are all sent as UID 0.
A separate UID (AID_DNS) allows us to account for and route DNS over
TLS traffic differently from other UID 0 traffic.
Bug: 132125333
Test: system/netd && atest resolv_integration_test
Change-Id: I47a8d41d2a9bfd9af44efe291b56b46c7da9c346
Signed-off-by: Sehee Park <sehee32.park@samsung.com>
Change all the debug functions from ALOGx() to LOG(X) for the resolver module.
Bug: 134119725
Test: built, flashed, booted
Test: Checking logs for different level.
Test: Example:
Test: adb shell service call dnsresolver 10 i32 1 for DNS_RESOLVER_LOG_DEBUG
Change-Id: I20f8e284ffaf1cbeef8118b052686d3fa6fb8302
Set LOG_TAG to "resolv" on DNS resolver. Then, the log can be filtered
by "adb logcat [filterspecs]", such as "adb logcat *:S resolv:*", or
'grep'.
Test: resolv_integration_test pass
Change-Id: Ic4f97685d487257560ec3dfe62bab0d187bf9d93
The expression "!fd" calls the implicit conversion to int, but comparing
the raw fd against 0 does not work, since open() and other POSIX calls
returning a file descriptor use -1 to signal an error.
Test: m libnetd_resolv
Test: sync, then atest resolver_integration_test
Change-Id: I876fe64a5507a0863151b6807990fdfa72e2973e
Previously, DnsTlsSocket's destructor told the loop thread to
perform a clean shutdown by closing an IPC file descriptor.
However, the IPC file descriptor is now an eventfd, which does
not alert the listening thread when it is closed.
This change uses the eventfd counter's sign bit as an indication
that the destructor is requesting an immediate close.
Test: Includes regression test.
Bug: 123212403
Bug: 124058672
Change-Id: I6edc26bf504cbfbba7d055b1f8e52ac70e02c6e0
Test: m libnetd_resolv netd
Test: atest resolv_integration_test
Change-Id: Icae95641733abe7fe86b903dd3bcf69b08c83285
Prior to this change, each outgoing query was copied only once,
on the DnsTlsSocket's loop thread. This could create a problem
if a misbehaving server sent an erroneous response with a
colliding ID number after the query was given to DnsTlsSocket
but before the copy was made. The erroneous response would
complete the query, causing the caller to deallocate the backing
buffer, resulting in a segfault on copy.
This change moves the copy earlier, onto the calling thread, thus
ensuring that the backing buffer cannot have been deallocated.
Instead of sending the network thread pointers to query buffers,
copies of queries are stored in a shared queue, and the network
thread is notified of new queries on an eventfd socket.
Bug: 122133500
Test: Integration tests pass, manual tests good. No regression test.
Change-Id: Ia4e72da561aeef69a17e87bfdc7aa04340c12fd0
This change helps reduce the libnetd_resolv dependency on non-updatable
code.
Bug: 113628807
Test: system/netd/tests/runtests.sh passed
Change-Id: I70b5336f00e5e9b506a76a3a68f5f149c78a89af
libnetddns is the library for DNS-over-TLS and is statically
linked to netd. Deprecate it and move it to libnetd_resolv
as a more general DNS library for netd.
This change comprises:
[1] Clean up netd/server/dns/*. Move all DnsTls* files to
netd/resolv/ as parts of the libnetd_resolv library.
[2] Export DnsTls* classes to be visible to netd. This will only
be temporary for a while.
[3] Remove the libssl dependency in netd. The relevant stuff is
moved to libnetd_resolv.
Note that DnsTls* classes are still required for DnsProxyListener
and ResolverController to manipulate private DNS servers even after
this change.
Bug: 113628807
Test: as follows
- built, flashed, booted
- system/netd/tests/runtests.sh
- DNS-over-TLS in live network passed
Change-Id: Ieac5889b4ebe737f876b3dcbe1a8da2b2b1b629d