summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/rpzextra
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:59:48 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:59:48 +0000
commit3b9b6d0b8e7f798023c9d109c490449d528fde80 (patch)
tree2e1c188dd7b8d7475cd163de9ae02c428343669b /bin/tests/system/rpzextra
parentInitial commit. (diff)
downloadbind9-upstream/1%9.18.19.tar.xz
bind9-upstream/1%9.18.19.zip
Adding upstream version 1:9.18.19.upstream/1%9.18.19upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'bin/tests/system/rpzextra')
-rw-r--r--bin/tests/system/rpzextra/clean.sh21
-rw-r--r--bin/tests/system/rpzextra/ns2/allowed.db18
-rw-r--r--bin/tests/system/rpzextra/ns2/baddomain.db27
-rw-r--r--bin/tests/system/rpzextra/ns2/gooddomain.db27
-rw-r--r--bin/tests/system/rpzextra/ns2/named.conf.in57
-rw-r--r--bin/tests/system/rpzextra/ns2/rpz-external.local.db26
-rw-r--r--bin/tests/system/rpzextra/ns3/external-rpz.local.db29
-rw-r--r--bin/tests/system/rpzextra/ns3/first-rpz.local.db29
-rw-r--r--bin/tests/system/rpzextra/ns3/fourth-rpz-extra.local.db32
-rw-r--r--bin/tests/system/rpzextra/ns3/named.args1
-rw-r--r--bin/tests/system/rpzextra/ns3/named.conf.in147
-rw-r--r--bin/tests/system/rpzextra/ns3/root.db30
-rw-r--r--bin/tests/system/rpzextra/ns3/third-rpz-extra.local.db26
-rw-r--r--bin/tests/system/rpzextra/setup.sh21
-rw-r--r--bin/tests/system/rpzextra/tests_rpzextra.py143
15 files changed, 634 insertions, 0 deletions
diff --git a/bin/tests/system/rpzextra/clean.sh b/bin/tests/system/rpzextra/clean.sh
new file mode 100644
index 0000000..928ee8b
--- /dev/null
+++ b/bin/tests/system/rpzextra/clean.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f ns*/*.jnl
+rm -f ns*/named.conf
+rm -f ns*/named.lock
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns*/rpz*.txt
+rm -rf __pycache__
+rm -f ns3/*-rpz-external.local.db
diff --git a/bin/tests/system/rpzextra/ns2/allowed.db b/bin/tests/system/rpzextra/ns2/allowed.db
new file mode 100644
index 0000000..57a733c
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns2/allowed.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+
+@ IN SOA ns1 root.allowed. 2020040101 4h 1h 1w 60
+@ IN NS ns1
+ns1 IN A 10.53.0.2
+@ IN A 10.53.0.2
+www IN A 10.53.0.2
diff --git a/bin/tests/system/rpzextra/ns2/baddomain.db b/bin/tests/system/rpzextra/ns2/baddomain.db
new file mode 100644
index 0000000..3946da3
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns2/baddomain.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+
+@ IN SOA ns1 root.baddomain. (
+ 2020040101
+ 4h
+ 1h
+ 1w
+ 60
+)
+
+ IN NS ns1
+
+ns1 IN A 10.53.0.2
+
+baddomain. IN A 10.53.0.2
+www IN A 10.53.0.3
diff --git a/bin/tests/system/rpzextra/ns2/gooddomain.db b/bin/tests/system/rpzextra/ns2/gooddomain.db
new file mode 100644
index 0000000..1fb720c
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns2/gooddomain.db
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+
+@ IN SOA ns1 root.gooddomain. (
+ 2020040101
+ 4h
+ 1h
+ 1w
+ 60
+)
+
+ IN NS ns1
+
+ns1 IN A 10.53.0.2
+
+gooddomain. IN A 10.53.0.2
+www IN A 10.53.0.3
diff --git a/bin/tests/system/rpzextra/ns2/named.conf.in b/bin/tests/system/rpzextra/ns2/named.conf.in
new file mode 100644
index 0000000..6317563
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns2/named.conf.in
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port @PORT@;
+ listen-on { 10.53.0.2; };
+ pid-file "named.pid";
+ notify no;
+ dnssec-validation no;
+ allow-query { any; };
+};
+
+zone "allowed" {
+ type primary;
+ file "allowed.db";
+ allow-transfer { none; };
+};
+
+zone "baddomain" {
+ type primary;
+ file "baddomain.db";
+ allow-transfer { none; };
+};
+
+zone "gooddomain" {
+ type primary;
+ file "gooddomain.db";
+ allow-transfer { none; };
+};
+
+zone "rpz-external.local" {
+ type primary;
+ file "rpz-external.local.db";
+ allow-transfer { any; };
+};
diff --git a/bin/tests/system/rpzextra/ns2/rpz-external.local.db b/bin/tests/system/rpzextra/ns2/rpz-external.local.db
new file mode 100644
index 0000000..b3ab69e
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns2/rpz-external.local.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+
+@ IN SOA localhost.rpz-external.local root.rpz-external.local. (
+ 2020022500 ; serial number
+ 60 ; refresh every minute
+ 60 ; retry every minute
+ 432000 ; expire in 5 days
+ 60 ; negative caching ttl, 1 minute
+)
+
+
+ IN NS LOCALHOST.
+
+allowed IN CNAME .
+*.allowed IN CNAME .
diff --git a/bin/tests/system/rpzextra/ns3/external-rpz.local.db b/bin/tests/system/rpzextra/ns3/external-rpz.local.db
new file mode 100644
index 0000000..aad6b89
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns3/external-rpz.local.db
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+
+@ IN SOA localhost.rpz.local root.rpz.local. (
+ 2020022500 ; serial number
+ 60 ; refresh every minute
+ 60 ; retry every minute
+ 432000 ; expire in 5 days
+ 60 ; negative caching ttl, 1 minute
+)
+
+
+ IN NS LOCALHOST.
+
+allowed IN CNAME rpz-passthru.
+*.allowed IN CNAME rpz-passthru.
+
+gooddomain IN CNAME .
+*.gooddomain IN CNAME .
diff --git a/bin/tests/system/rpzextra/ns3/first-rpz.local.db b/bin/tests/system/rpzextra/ns3/first-rpz.local.db
new file mode 100644
index 0000000..4203ca1
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns3/first-rpz.local.db
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+
+@ IN SOA localhost.rpz.local root.rpz.local. (
+ 2020022500 ; serial number
+ 60 ; refresh every minute
+ 60 ; retry every minute
+ 432000 ; expire in 5 days
+ 60 ; negative caching ttl, 1 minute
+)
+
+
+ IN NS LOCALHOST.
+
+allowed IN CNAME rpz-passthru.
+*.allowed IN CNAME rpz-passthru.
+
+baddomain IN CNAME .
+*.baddomain IN CNAME .
diff --git a/bin/tests/system/rpzextra/ns3/fourth-rpz-extra.local.db b/bin/tests/system/rpzextra/ns3/fourth-rpz-extra.local.db
new file mode 100644
index 0000000..471030c
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns3/fourth-rpz-extra.local.db
@@ -0,0 +1,32 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+
+@ IN SOA localhost.rpz-extra.local root.rpz-extra.local. (
+ 2020022500 ; serial number
+ 60 ; refresh every minute
+ 60 ; retry every minute
+ 432000 ; expire in 5 days
+ 60 ; negative caching ttl, 1 minute
+)
+
+
+ IN NS LOCALHOST.
+
+allowed IN CNAME rpz-passthru.
+*.allowed IN CNAME rpz-passthru.
+
+gooddomain IN CNAME .
+*.gooddomain IN CNAME .
+
+baddomain IN CNAME .
+*.baddomain IN CNAME .
diff --git a/bin/tests/system/rpzextra/ns3/named.args b/bin/tests/system/rpzextra/ns3/named.args
new file mode 100644
index 0000000..970fc22
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns3/named.args
@@ -0,0 +1 @@
+ -m record -c named.conf -d 99 -D rpzextra-ns1 -X named.lock -U 4 -T maxcachesize=2097152
diff --git a/bin/tests/system/rpzextra/ns3/named.conf.in b/bin/tests/system/rpzextra/ns3/named.conf.in
new file mode 100644
index 0000000..cd459bc
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns3/named.conf.in
@@ -0,0 +1,147 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ listen-on { 10.53.0.3; };
+ pid-file "named.pid";
+ notify no;
+ dnssec-validation no;
+ allow-query { any; };
+ recursion yes;
+ allow-recursion { any; };
+ empty-zones-enable false;
+ response-policy {
+ zone "rpz-extra.local";
+ };
+};
+
+logging {
+ channel rpz_passthru {
+ file "rpz_passthru.txt" versions 3 size 5m;
+ print-time yes;
+ print-category yes;
+ print-severity yes;
+ severity info;
+ };
+
+ channel rpz_log {
+ file "rpz.txt" versions 3 size 20m;
+ print-time yes;
+ print-category yes;
+ print-severity yes;
+ severity info;
+ };
+
+ category rpz { rpz_log; default_debug; };
+ category rpz-passthru { rpz_passthru; default_debug; };
+};
+
+view "first" {
+ match-clients { 10.53.0.1; };
+ zone "." {
+ type hint;
+ file "root.db";
+ };
+ zone "rpz.local" {
+ type primary;
+ file "first-rpz.local.db";
+ allow-transfer { none; };
+ allow-query { localhost; };
+ };
+ response-policy {
+ zone "rpz.local";
+ };
+};
+
+view "second" {
+ match-clients { 10.53.0.2; };
+ zone "." {
+ type hint;
+ file "root.db";
+ };
+ zone "rpz-external.local" {
+ type secondary;
+ primaries { 10.53.0.2; };
+ file "second-rpz-external.local.db";
+ allow-query { 10.53.0.2; };
+ };
+ response-policy {
+ zone "rpz-external.local";
+ };
+};
+
+view "third" {
+ match-clients { 10.53.0.3; };
+ zone "." {
+ type hint;
+ file "root.db";
+ };
+ zone "rpz-extra.local" {
+ type primary;
+ file "third-rpz-extra.local.db";
+ allow-transfer { none; };
+ allow-query { localhost; };
+ };
+};
+
+view "fourth" {
+ match-clients { 10.53.0.4; };
+ zone "." {
+ type hint;
+ file "root.db";
+ };
+ zone "rpz-extra.local" {
+ type primary;
+ file "fourth-rpz-extra.local.db";
+ allow-transfer { none; };
+ allow-query { localhost; };
+ };
+};
+
+view "external" {
+ match-clients { any; };
+ zone "." {
+ type hint;
+ file "root.db";
+ };
+ zone "rpz.local" {
+ type primary;
+ file "external-rpz.local.db";
+ allow-transfer { none; };
+ allow-query { localhost; };
+ };
+ zone "rpz-external.local" {
+ type secondary;
+ masterfile-format text;
+ primaries { 10.53.0.2; };
+ file "external-rpz-external.local.db";
+ allow-query { 10.53.0.5; };
+ };
+ response-policy {
+ zone "rpz-external.local";
+ zone "rpz.local";
+ };
+};
diff --git a/bin/tests/system/rpzextra/ns3/root.db b/bin/tests/system/rpzextra/ns3/root.db
new file mode 100644
index 0000000..ca49988
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns3/root.db
@@ -0,0 +1,30 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+. IN SOA gson.nominum.com. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS ns1.allowed
+
+
+allowed. NS ns1.allowed.
+ns1.allowed. A 10.53.0.2
+
+baddomain. NS ns1.baddomain.
+ns1.baddomain. A 10.53.0.2
+
+gooddomain. NS ns1.gooddomain.
+ns1.gooddomain. A 10.53.0.2
diff --git a/bin/tests/system/rpzextra/ns3/third-rpz-extra.local.db b/bin/tests/system/rpzextra/ns3/third-rpz-extra.local.db
new file mode 100644
index 0000000..a8b46fa
--- /dev/null
+++ b/bin/tests/system/rpzextra/ns3/third-rpz-extra.local.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+
+@ IN SOA localhost.rpz-extra.local root.rpz-extra.local. (
+ 2020022500 ; serial number
+ 60 ; refresh every minute
+ 60 ; retry every minute
+ 432000 ; expire in 5 days
+ 60 ; negative caching ttl, 1 minute
+)
+
+
+ IN NS LOCALHOST.
+
+allowed IN CNAME rpz-passthru.
+*.allowed IN CNAME rpz-passthru.
diff --git a/bin/tests/system/rpzextra/setup.sh b/bin/tests/system/rpzextra/setup.sh
new file mode 100644
index 0000000..2dbb388
--- /dev/null
+++ b/bin/tests/system/rpzextra/setup.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# touch dnsrps-off to not test with DNSRPS
+
+set -e
+
+. ../conf.sh
+
+copy_setports ns2/named.conf.in ns2/named.conf
+copy_setports ns3/named.conf.in ns3/named.conf
diff --git a/bin/tests/system/rpzextra/tests_rpzextra.py b/bin/tests/system/rpzextra/tests_rpzextra.py
new file mode 100644
index 0000000..ab5da45
--- /dev/null
+++ b/bin/tests/system/rpzextra/tests_rpzextra.py
@@ -0,0 +1,143 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import time
+import os
+
+import pytest
+
+pytest.importorskip("dns", minversion="2.0.0")
+import dns.resolver
+
+
+def wait_for_transfer(ip, port, client_ip, name, rrtype):
+ resolver = dns.resolver.Resolver()
+ resolver.nameservers = [ip]
+ resolver.port = port
+
+ for _ in range(10):
+ try:
+ resolver.resolve(name, rrtype, source=client_ip)
+ except dns.resolver.NoNameservers:
+ time.sleep(1)
+ else:
+ break
+ else:
+ raise RuntimeError(
+ "zone transfer failed: "
+ f"client {client_ip} got NXDOMAIN for {name} {rrtype} from @{ip}:{port}"
+ )
+
+
+def test_rpz_multiple_views(named_port):
+ resolver = dns.resolver.Resolver()
+ resolver.nameservers = ["10.53.0.3"]
+ resolver.port = named_port
+
+ wait_for_transfer("10.53.0.3", named_port, "10.53.0.2", "rpz-external.local", "SOA")
+ wait_for_transfer("10.53.0.3", named_port, "10.53.0.5", "rpz-external.local", "SOA")
+
+ # For 10.53.0.1 source IP:
+ # - baddomain.com isn't allowed (CNAME .), should return NXDOMAIN
+ # - gooddomain.com is allowed
+ # - allowed. is allowed
+ with pytest.raises(dns.resolver.NXDOMAIN):
+ resolver.resolve("baddomain.", "A", source="10.53.0.1")
+
+ ans = resolver.resolve("gooddomain.", "A", source="10.53.0.1")
+ assert ans[0].address == "10.53.0.2"
+
+ ans = resolver.resolve("allowed.", "A", source="10.53.0.1")
+ assert ans[0].address == "10.53.0.2"
+
+ # For 10.53.0.2 source IP:
+ # - allowed.com isn't allowed (CNAME .), should return NXDOMAIN
+ # - baddomain.com is allowed
+ # - gooddomain.com is allowed
+ ans = resolver.resolve("baddomain.", "A", source="10.53.0.2")
+ assert ans[0].address == "10.53.0.2"
+
+ ans = resolver.resolve("gooddomain.", "A", source="10.53.0.2")
+ assert ans[0].address == "10.53.0.2"
+
+ with pytest.raises(dns.resolver.NXDOMAIN):
+ resolver.resolve("allowed.", "A", source="10.53.0.2")
+
+ # For 10.53.0.3 source IP:
+ # - gooddomain.com is allowed
+ # - baddomain.com is allowed
+ # - allowed. is allowed
+ ans = resolver.resolve("baddomain.", "A", source="10.53.0.3")
+ assert ans[0].address == "10.53.0.2"
+
+ ans = resolver.resolve("gooddomain.", "A", source="10.53.0.3")
+ assert ans[0].address == "10.53.0.2"
+
+ ans = resolver.resolve("allowed.", "A", source="10.53.0.3")
+ assert ans[0].address == "10.53.0.2"
+
+ # For 10.53.0.4 source IP:
+ # - gooddomain.com isn't allowed (CNAME .), should return NXDOMAIN
+ # - baddomain.com isn't allowed (CNAME .), should return NXDOMAIN
+ # - allowed. is allowed
+ with pytest.raises(dns.resolver.NXDOMAIN):
+ resolver.resolve("baddomain.", "A", source="10.53.0.4")
+
+ with pytest.raises(dns.resolver.NXDOMAIN):
+ resolver.resolve("gooddomain.", "A", source="10.53.0.4")
+
+ ans = resolver.resolve("allowed.", "A", source="10.53.0.4")
+ assert ans[0].address == "10.53.0.2"
+
+ # For 10.53.0.5 (any) source IP:
+ # - baddomain.com is allowed
+ # - gooddomain.com isn't allowed (CNAME .), should return NXDOMAIN
+ # - allowed.com isn't allowed (CNAME .), should return NXDOMAIN
+ ans = resolver.resolve("baddomain.", "A", source="10.53.0.5")
+ assert ans[0].address == "10.53.0.2"
+
+ with pytest.raises(dns.resolver.NXDOMAIN):
+ resolver.resolve("gooddomain.", "A", source="10.53.0.5")
+
+ with pytest.raises(dns.resolver.NXDOMAIN):
+ resolver.resolve("allowed.", "A", source="10.53.0.5")
+
+
+def test_rpz_passthru_logging(named_port):
+ resolver = dns.resolver.Resolver()
+ resolver.nameservers = ["10.53.0.3"]
+ resolver.port = named_port
+
+ # Should generate a log entry into rpz_passthru.txt
+ ans = resolver.resolve("allowed.", "A", source="10.53.0.1")
+ assert ans[0].address == "10.53.0.2"
+
+ # baddomain.com isn't allowed (CNAME .), should return NXDOMAIN
+ # Should generate a log entry into rpz.txt
+ with pytest.raises(dns.resolver.NXDOMAIN):
+ resolver.resolve("baddomain.", "A", source="10.53.0.1")
+
+ rpz_passthru_logfile = os.path.join("ns3", "rpz_passthru.txt")
+ rpz_logfile = os.path.join("ns3", "rpz.txt")
+
+ assert os.path.isfile(rpz_passthru_logfile)
+ assert os.path.isfile(rpz_logfile)
+
+ with open(rpz_passthru_logfile, encoding="utf-8") as log_file:
+ line = log_file.read()
+ assert "rpz QNAME PASSTHRU rewrite allowed/A/IN" in line
+
+ with open(rpz_logfile, encoding="utf-8") as log_file:
+ line = log_file.read()
+ assert "rpz QNAME PASSTHRU rewrite allowed/A/IN" not in line
+ assert "rpz QNAME NXDOMAIN rewrite baddomain/A/IN" in line