Diffstat (limited to 'bin/tests/system/rpzextra/tests_rpzextra.py')
-rw-r--r--bin/tests/system/rpzextra/tests_rpzextra.py143
1 files changed, 143 insertions, 0 deletions
diff --git a/bin/tests/system/rpzextra/tests_rpzextra.py b/bin/tests/system/rpzextra/tests_rpzextra.py
new file mode 100644
index 0000000..ab5da45
--- /dev/null
+++ b/bin/tests/system/rpzextra/tests_rpzextra.py
@@ -0,0 +1,143 @@
+#!/usr/bin/python3
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import time
+import os
+
+import pytest
+
+pytest.importorskip("dns", minversion="2.0.0")
+import dns.resolver
+
+
+def wait_for_transfer(ip, port, client_ip, name, rrtype):
+ resolver = dns.resolver.Resolver()
+ resolver.nameservers = [ip]
+ resolver.port = port
+
+ for _ in range(10):
+ try:
+ resolver.resolve(name, rrtype, source=client_ip)
+ except dns.resolver.NoNameservers:
+ time.sleep(1)
+ else:
+ break
+ else:
+ raise RuntimeError(
+ "zone transfer failed: "
+ f"client {client_ip} got NXDOMAIN for {name} {rrtype} from @{ip}:{port}"
+ )
+
+
+def test_rpz_multiple_views(named_port):
+ resolver = dns.resolver.Resolver()
+ resolver.nameservers = ["10.53.0.3"]
+ resolver.port = named_port
+
+ wait_for_transfer("10.53.0.3", named_port, "10.53.0.2", "rpz-external.local", "SOA")
+ wait_for_transfer("10.53.0.3", named_port, "10.53.0.5", "rpz-external.local", "SOA")
+
+ # For 10.53.0.1 source IP:
+ # - baddomain.com isn't allowed (CNAME .), should return NXDOMAIN
+ # - gooddomain.com is allowed
+ # - allowed. is allowed
+ with pytest.raises(dns.resolver.NXDOMAIN):
+ resolver.resolve("baddomain.", "A", source="10.53.0.1")
+
+ ans = resolver.resolve("gooddomain.", "A", source="10.53.0.1")
+ assert ans[0].address == "10.53.0.2"
+
+ ans = resolver.resolve("allowed.", "A", source="10.53.0.1")
+ assert ans[0].address == "10.53.0.2"
+
+ # For 10.53.0.2 source IP:
+ # - allowed.com isn't allowed (CNAME .), should return NXDOMAIN
+ # - baddomain.com is allowed
+ # - gooddomain.com is allowed
+ ans = resolver.resolve("baddomain.", "A", source="10.53.0.2")
+ assert ans[0].address == "10.53.0.2"
+
+ ans = resolver.resolve("gooddomain.", "A", source="10.53.0.2")
+ assert ans[0].address == "10.53.0.2"
+
+ with pytest.raises(dns.resolver.NXDOMAIN):
+ resolver.resolve("allowed.", "A", source="10.53.0.2")
+
+ # For 10.53.0.3 source IP:
+ # - gooddomain.com is allowed
+ # - baddomain.com is allowed
+ # - allowed. is allowed
+ ans = resolver.resolve("baddomain.", "A", source="10.53.0.3")
+ assert ans[0].address == "10.53.0.2"
+
+ ans = resolver.resolve("gooddomain.", "A", source="10.53.0.3")
+ assert ans[0].address == "10.53.0.2"
+
+ ans = resolver.resolve("allowed.", "A", source="10.53.0.3")
+ assert ans[0].address == "10.53.0.2"
+
+ # For 10.53.0.4 source IP:
+ # - gooddomain.com isn't allowed (CNAME .), should return NXDOMAIN
+ # - baddomain.com isn't allowed (CNAME .), should return NXDOMAIN
+ # - allowed. is allowed
+ with pytest.raises(dns.resolver.NXDOMAIN):
+ resolver.resolve("baddomain.", "A", source="10.53.0.4")
+
+ with pytest.raises(dns.resolver.NXDOMAIN):
+ resolver.resolve("gooddomain.", "A", source="10.53.0.4")
+
+ ans = resolver.resolve("allowed.", "A", source="10.53.0.4")
+ assert ans[0].address == "10.53.0.2"
+
+ # For 10.53.0.5 (any) source IP:
+ # - baddomain.com is allowed
+ # - gooddomain.com isn't allowed (CNAME .), should return NXDOMAIN
+ # - allowed.com isn't allowed (CNAME .), should return NXDOMAIN
+ ans = resolver.resolve("baddomain.", "A", source="10.53.0.5")
+ assert ans[0].address == "10.53.0.2"
+
+ with pytest.raises(dns.resolver.NXDOMAIN):
+ resolver.resolve("gooddomain.", "A", source="10.53.0.5")
+
+ with pytest.raises(dns.resolver.NXDOMAIN):
+ resolver.resolve("allowed.", "A", source="10.53.0.5")
+
+
+def test_rpz_passthru_logging(named_port):
+ resolver = dns.resolver.Resolver()
+ resolver.nameservers = ["10.53.0.3"]
+ resolver.port = named_port
+
+ # Should generate a log entry into rpz_passthru.txt
+ ans = resolver.resolve("allowed.", "A", source="10.53.0.1")
+ assert ans[0].address == "10.53.0.2"
+
+ # baddomain.com isn't allowed (CNAME .), should return NXDOMAIN
+ # Should generate a log entry into rpz.txt
+ with pytest.raises(dns.resolver.NXDOMAIN):
+ resolver.resolve("baddomain.", "A", source="10.53.0.1")
+
+ rpz_passthru_logfile = os.path.join("ns3", "rpz_passthru.txt")
+ rpz_logfile = os.path.join("ns3", "rpz.txt")
+
+ assert os.path.isfile(rpz_passthru_logfile)
+ assert os.path.isfile(rpz_logfile)
+
+ with open(rpz_passthru_logfile, encoding="utf-8") as log_file:
+ line = log_file.read()
+ assert "rpz QNAME PASSTHRU rewrite allowed/A/IN" in line
+
+ with open(rpz_logfile, encoding="utf-8") as log_file:
+ line = log_file.read()
+ assert "rpz QNAME PASSTHRU rewrite allowed/A/IN" not in line
+ assert "rpz QNAME NXDOMAIN rewrite baddomain/A/IN" in line
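Review bot: The failure message in `wait_for_transfer` is misleading: the loop only retries on `dns.resolver.NoNameservers`, which dnspython raises when every nameserver answered SERVFAIL/REFUSED or failed, whereas a real NXDOMAIN raises `dns.resolver.NXDOMAIN` and escapes the loop on the first attempt, so the "got NXDOMAIN" text in the `RuntimeError` can never describe what actually happened. I would change the message to `f"client {client_ip} got no usable answer (SERVFAIL/REFUSED) for {name} {rrtype} from @{ip}:{port}"` and keep the last caught exception (`except dns.resolver.NoNameservers as exc: last = exc`) to attach with `raise RuntimeError(...) from last`, so a genuine transfer problem on the RPZ secondary is reported with its cause rather than a fabricated one. Separately, the inline comments talk about `baddomain.com`/`allowed.com` while the queries use the bare `baddomain.`/`allowed.` names, and the 10.53.0.2 block describes `allowed.com` as blocked before listing the two allowed names, which does not match the order of the assertions below it; aligning the comments with the queried names (e.g. `# - baddomain. is rewritten to NXDOMAIN (CNAME .)`) would avoid a reader checking the wrong RPZ entries.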