author | Suraj Krishnan <72937403+surajkrishnan14@users.noreply.github.com> | 2022-04-27 00:09:02 +0200 |
---|---|---|
committer | Luca Boccassi <luca.boccassi@gmail.com> | 2022-09-09 10:22:57 +0200 |
commit | cb456374e096f0ebe9b70d7ddd98e16a4be24ee6 (patch) | |
tree | 514bb0753834490ab81e8a21669abe28ba66205a /test/units/testsuite-75.sh | |
parent | Merge pull request #24557 from yuwata/repart (diff) | |
download | systemd-cb456374e096f0ebe9b70d7ddd98e16a4be24ee6.tar.xz systemd-cb456374e096f0ebe9b70d7ddd98e16a4be24ee6.zip |
Implement DNS notifications from resolved via varlink
* The new varlink interface exposes a method to subscribe to DNS
resolutions on the system. The socket permissions are open for owner and
group only.
* Notifications are sent to subscriber(s), if any, after successful
resolution of A and AAAA records.
This feature could be used by applications for auditing/logging services
downstream of the resolver. It could also be used to asynchronously
update the firewall. For example, a system that has a tightly configured
firewall could open up connections selectively to known good hosts based
on a known allow-list of hostnames. Of course, updating the firewall
asynchronously will require other design considerations (such as
queueing packets in the user space while a verdict is made).
See also:
https://lists.freedesktop.org/archives/systemd-devel/2022-August/048202.html
https://lists.freedesktop.org/archives/systemd-devel/2022-February/047441.html
Diffstat (limited to '')
-rwxr-xr-x | test/units/testsuite-75.sh | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/test/units/testsuite-75.sh b/test/units/testsuite-75.sh
index 5158536f49..26ad109538 100755
--- a/test/units/testsuite-75.sh
+++ b/test/units/testsuite-75.sh
@@ -8,6 +8,8 @@ set -o pipefail
 : >/failed
 RUN_OUT="$(mktemp)"
+NOTIFICATION_SUBSCRIPTION_SCRIPT="/tmp/subscribe.sh"
+NOTIFICATION_LOGS="/tmp/notifications.txt"
 run() {
 "$@" |& tee "$RUN_OUT"
@@ -34,10 +36,22 @@ DNSSEC=allow-downgrade
 DNS=10.0.0.1
 EOF
+# Script to dump DNS notifications to a txt file
+cat >$NOTIFICATION_SUBSCRIPTION_SCRIPT <<EOF
+#!/bin/sh
+printf '
+{
+ "method": "io.systemd.Resolve.Monitor.SubscribeDnsResolves",
+ "more": true
+}\0' | nc -U /run/systemd/resolve/io.systemd.Resolve.Monitor > $NOTIFICATION_LOGS
+EOF
+chmod a+x $NOTIFICATION_SUBSCRIPTION_SCRIPT
+
 {
 echo "FallbackDNS="
 echo "DNSSEC=allow-downgrade"
 echo "DNSOverTLS=opportunistic"
+ echo "Monitor=yes"
 } >>/etc/systemd/resolved.conf
 ln -svf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
 # Override the default NTA list, which turns off DNSSEC validation for (among
@@ -78,6 +92,13 @@ networkctl status
 resolvectl status
 resolvectl log-level debug
+# Verify that DNS notifications are enabled (Monitor=yes)
+run busctl get-property org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedesktop.resolve1.Manager Monitor
+grep -qF 'b true' "$RUN_OUT"
+
+# Start monitoring DNS notifications
+systemd-run $NOTIFICATION_SUBSCRIPTION_SCRIPT
+
 # We need to manually propagate the DS records of onlinesign.test. to the parent
 # zone, since they're generated online
 knotc zone-begin test.
@@ -99,6 +120,7 @@ knotc reload
 # Sanity check
 run getent -s resolve hosts ns1.unsigned.test
 grep -qE "^10\.0\.0\.1\s+ns1\.unsigned\.test" "$RUN_OUT"
+grep -aF "ns1.unsigned.test" $NOTIFICATION_LOGS | grep -qF "[10,0,0,1]"
 # Issue: https://github.com/systemd/systemd/issues/18812
 # PR: https://github.com/systemd/systemd/pull/18896
@@ -191,6 +213,7 @@ grep -qF "; fully validated" "$RUN_OUT"
 run resolvectl query -t A cname-chain.signed.test
 grep -qF "follow14.final.signed.test IN A 10.0.0.14" "$RUN_OUT"
 grep -qF "authenticated: yes" "$RUN_OUT"
+grep -aF "cname-chain.signed.test" $NOTIFICATION_LOGS | grep -qF "[10,0,0,14]"
 # Non-existing RR + CNAME chain
 run dig +dnssec AAAA cname-chain.signed.test
 grep -qF "status: NOERROR" "$RUN_OUT"
@@ -226,6 +249,10 @@ run resolvectl query -t TXT this.should.be.authenticated.wild.onlinesign.test
 grep -qF 'this.should.be.authenticated.wild.onlinesign.test IN TXT "this is an onlinesign wildcard"' "$RUN_OUT"
 grep -qF "authenticated: yes" "$RUN_OUT"
+# Resolve via dbus method
+run busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedesktop.resolve1.Manager ResolveHostname 'isit' 0 secondsub.onlinesign.test 0 0
+grep -qF '10 0 0 134 "secondsub.onlinesign.test"' "$RUN_OUT"
+grep -aF "secondsub.onlinesign.test" $NOTIFICATION_LOGS | grep -qF "[10,0,0,134]"
 : "--- ZONE: untrusted.test (DNSSEC without propagated DS records) ---"
 run dig +short untrusted.test
@@ -244,6 +271,7 @@ grep -qF "authenticated: no" "$RUN_OUT"
 #run dig +dnssec this.does.not.exist.untrusted.test
 #grep -qF "status: NXDOMAIN" "$RUN_OUT"
+cat $NOTIFICATION_LOGS
 touch /testok
 rm /failed
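Review bot: NOTIFICATION_SUBSCRIPTION_SCRIPT and NOTIFICATION_LOGS are fixed, predictable paths under /tmp, while RUN_OUT on the line directly above already comes from mktemp; the second hunk then truncates that path with `cat >$NOTIFICATION_SUBSCRIPTION_SCRIPT`, marks it world-executable, and the third hunk launches it as a transient unit, so anything already sitting at /tmp/subscribe.sh (a file or a symlink) would be overwritten and executed. In a throwaway test image this is mostly hygiene, but keeping it consistent with RUN_OUT is cheap: `NOTIFICATION_SUBSCRIPTION_SCRIPT="$(mktemp)"`, `NOTIFICATION_LOGS="$(mktemp)"`, and `chmod u+x` instead of `chmod a+x`, since the test itself is presumably the only caller. The same two variables are expanded unquoted at every use in this and the later hunks (`cat >`, `chmod`, `systemd-run`, the `grep -aF … $NOTIFICATION_LOGS` pipelines, the final `cat`); writing them as `"$NOTIFICATION_LOGS"` matches how `"$RUN_OUT"` is quoted throughout the file.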
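Review bot: `systemd-run $NOTIFICATION_SUBSCRIPTION_SCRIPT` returns as soon as the transient unit is queued, and nothing afterwards waits for nc to have actually connected to /run/systemd/resolve/io.systemd.Resolve.Monitor before the first notification assertion in the following hunk (`grep -aF "ns1.unsigned.test" $NOTIFICATION_LOGS | grep -qF "[10,0,0,1]"`); only the intervening knotc commands separate the two, so on a slow or loaded runner the first resolution can happen before the subscription is active and the check fails intermittently. Giving the unit a fixed name (`systemd-run --unit=<NAME> …`) and polling until it is active and the log file exists before the first query would narrow the window, though whether the daemon acknowledges the subscription before the first event is not visible here and would need checking against the varlink implementation. Under the file's `set -o pipefail`, the `grep | grep -q` form also lets the right-hand grep exit before the left one has finished writing; with a log this small it is unlikely to matter, but `grep -cF … >/dev/null` on the right side avoids the question entirely.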
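Review bot: The monitoring unit started earlier with systemd-run is still running when this last hunk reaches `touch /testok`, and the new code never stops it or removes /tmp/subscribe.sh and /tmp/notifications.txt, so the subscriber keeps the monitor socket open for the remaining lifetime of the test image. If the unit is given a name when started, this hunk can end with `systemctl stop <NAME>` after the `cat`, which also makes a hung subscriber visible as a test failure rather than a leftover process. `cat $NOTIFICATION_LOGS` should be `cat "$NOTIFICATION_LOGS"`; dumping the log is useful for debugging, but note that the replies appear to be NUL-delimited varlink JSON (which is why the earlier checks use `grep -a`), so the raw dump will run together on the console — `tr '\0' '\n' <"$NOTIFICATION_LOGS"` would print one message per line.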