Support DNS-over-TLS probes in NetworkDiagnostics
Probe DNS servers to see they support DNS-over-TLS. Use system CAs to verify whether the certificates sent by DNS servers are trusted or not. An error is thrown to cause the probe failed if DNS servers send untrusted certificates. Unlike the DnsResolver which doesn't verify the certificates in opportunistic mode, all of the DoT probes from NetworkDiagnostics check certificates. DoT probes apply to the DNS servers gotten from LinkProperties and the DoT servers gotten from PrivateDnsConfig whatever private DNS mode is. A common example in DNS strict mode: . DNS TLS dst{8.8.8.8} hostname{dns.google} src{192.168.43.2:48436} qtype{1} qname{815149-android-ds.metric.gstatic.com}: SUCCEEDED: 1/1 NOERROR (432ms) F DNS TLS dst{192.168.43.144} hostname{}: FAILED: java.net.ConnectException: failed to connect to /192.168.43.144 (port 853) from /192.168.43.2 (port 41770) after 2500ms: isConnected failed: ECONNREFUSED (Connection refused) (172ms) . DNS TLS dst{8.8.4.4} hostname{dns.google} src{192.168.43.2:37598} qtype{1} qname{759312-android-ds.metric.gstatic.com}: SUCCEEDED: 1/1 NOERROR (427ms) An example when the CA is not trusted: F DNS TLS dst{8.8.8.8} hostname{dns.google}: FAILED: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. (16ms) An example when TCP/TLS handshake timeout: F DNS TLS dst{8.8.8.8} hostname{dns.google}: FAILED: java.net.SocketTimeoutException: failed to connect to /8.8.8.8 (port 853) from /192.168.2.108 (port 45680) after 2500ms (2514ms) Bug: 132925257 Bug: 118369977 Test: atest FrameworksNetTests Original-Change: https://android-review.googlesource.com/1011670 Merged-In: I1b54abed0e931ca4b8a97149459cde54da1c3d6f Change-Id: I1b54abed0e931ca4b8a97149459cde54da1c3d6f
Loading
Please register or sign in to comment