def test_timeout(self): c = getdns.Context() t = 1 c.timeout = t self.assertEqual(c.timeout, t) del (c) del (t)
def test_limit_outstanding_queries(self): c = getdns.Context() l = 4 c.limit_outstanding_queries = l self.assertEqual(c.limit_outstanding_queries, l) del (c) del (l)
def test_resolution_type(self): c = getdns.Context() r = getdns.RESOLUTION_STUB c.resolution_type = r self.assertEqual(c.resolution_type, r) del (c) del (r)
def test_sync_service(self): c = getdns.Context() c.resolution_type = getdns.RESOLUTION_STUB r = c.service('_xmpp-server._tcp.jabber.org') self.assertEqual(r.status, getdns.RESPSTATUS_GOOD) del (c) del (r)
def main(): tls_name = '77fa5113ab6a532ce2e6901f3bd3351c0db5845e0b1b5fb09907808d._smimecert.getdnsapi.org' if len(sys.argv) == 2: tls_name = sys.argv[1] c = getdns.Context() extensions = {'dnssec_return_status': getdns.EXTENSION_TRUE} results = c.general(tls_name, request_type=getdns.RRTYPE_TLSA, extensions=extensions) if results.replies_full['status'] != getdns.RESPSTATUS_GOOD: print 'query status is {0}'.format(results.status) sys.exit(1) else: record = get_first_secure_response(results) cert_record = record['rdata']['certificate_association_data'] try: cert = x509.load_der_x509_certificate(bytes(cert_record), default_backend()) rsakey = cert.public_key() encrypted = rsakey.encrypt( "A chunk of text", padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA1()), algorithm=hashes.SHA1(), label=None)) print encrypted.encode('base64') except Exception as e: print('Error: {0}'.format(e.message)) sys.exit(1)
def main(): CLIENT_SUBNET_OPCODE = 8 address = '192.168.1.0' host = 'getdnsapi.net' source_len = 12 family = pack("!H", 1) # start building the edns option fields source_len = pack('!B', source_len) scope_len = pack('!B', 0) # # encoding the binary data in strings makes it really easy # to build packets by concatenating those strings # address = pack('!BBBB', 192, 168, 1, 0) payload = family + source_len + scope_len + address ext = { 'add_opt_parameters': { 'options': [{ 'option_code': CLIENT_SUBNET_OPCODE, 'option_data': payload }] } } c = getdns.Context() c.resolution_type = getdns.RESOLUTION_STUB response = c.address(host, extensions=ext) # do things with response ... print response
def main(): tls_name = '77fa5113ab6a532ce2e6901f3bd3351c0db5845e0b1b5fb09907808d._smimecert.getdnsapi.org' if len(sys.argv) == 2: tls_name = sys.argv[1] c = getdns.Context() extensions = {'dnssec_return_status': getdns.EXTENSION_TRUE} results = c.general(tls_name, request_type=getdns.RRTYPE_TLSA, extensions=extensions) if results.replies_full['status'] != getdns.RESPSTATUS_GOOD: print 'query status is {0}'.format(results.status) sys.exit(1) else: record = get_first_secure_response(results) cert = record['rdata']['certificate_association_data'] try: x509 = m2.X509.load_cert_der_string(cert) rsakey = x509.get_pubkey().get_rsa() encrypted = rsakey.public_encrypt("A chunk of text", RSA.pkcs1_oaep_padding) print encrypted.encode('base64') except: print 'Error: ', sys.exc_info()[0] sys.exit(1)
def test_sync_general(self): c = getdns.Context() c.resolution_type = getdns.RESOLUTION_STUB r = c.general('nlnetlabs.nl', request_type=getdns.RRTYPE_NS) self.assertEqual(r.status, getdns.RESPSTATUS_GOOD) del (c) del (r)
def test_tls_query_padding_blocksize(self): c = getdns.Context() b = 512 c.tls_query_padding_blocksize = b self.assertEqual(c.tls_query_padding_blocksize, b) del (c) del (b)
def test_tls_authentication(self): c = getdns.Context() t = getdns.AUTHENTICATION_NONE c.tls_authentication = t self.assertEqual(c.tls_authentication, t) del (c) del (t)
def validateDNSRecord(requestType, certPem): # We assume that the common name of the certificate is the query name queryName = getCNFromCert( certPem ) # We define a set of extensions extensions = { "dnssec_return_only_secure": getdns.EXTENSION_TRUE, # Will only return verified entries "add_warning_for_bad_dns" : getdns.EXTENSION_TRUE, # FIXME: Not sure if necessary "return_both_v4_and_v6" : getdns.EXTENSION_TRUE, # Handles IPv4 and IPv6 } # We start filling up the context for our query. This context will always be # the same in our use case as we only want to ensure that the certificate is # in the DNS's database ctx = getdns.Context() ctx.dns_root_servers = DNS_ADDR ctx.tls_authentication = getdns.AUTHENTICATION_REQUIRED # We perform the query itself results = ctx.general( name = queryName, request_type = requestType, extensions = extensions ) if results.status != getdns.RESPSTATUS_GOOD: raise Exception("Error during DNSSEC query: " + str(results.status)) if CPP_LOG_LEVEL <= LOG_LEVEL_DEBUG: # This might be too verbose, even for debug mode... pprint.pprint(results.replies_full) # We use a for loop here, but there should only be two entries, one for the # RRSIG, which we don't need to check as it's already checked by getdns. We # check the other one though for item in results.replies_tree[0]['answer']: if item['type'] == requestType: # We perform the digest of the certificate using the same algorithm # as the one used by the server digestOfCertLocal = getCertDigestLocal( certPem, item ) # We now extract and properly decode the digest of the certificate # obtained from the DNSSEC server if requestType == getdns.RRTYPE_CERT: digestOfCertServer = getCertDigestFromServerCert(item) elif requestType == getdns.RRTYPE_TLSA: digestOfCertServer = getCertDigestFromServerTlsa(item) else: raise Exception("Unsupported RRTYPE can not decode digest from record") # Both values should now be equal. Otherwise, we express both as a # hex sequence to help debugging. if digestOfCertLocal != digestOfCertServer: print("Computed digest: " + digestOfCertLocal.hex()) print("Digest from DNS: " + digestOfCertServer.hex()) raise Exception("The digest of the client certificate doesn't match the DNSSEC record") else: log( LOG_LEVEL_NOTICE, "Certificate with CN '" + queryName + "' was validated by the DNSSEC" ) return True # Shouldn't reach this point return False
def test_dns_transport_list(self): c = getdns.Context() transports = [ getdns.TRANSPORT_TLS, getdns.TRANSPORT_UDP, getdns.TRANSPORT_TCP ] c.dns_transport_list = transports self.assertEqual(c.dns_transport_list, transports) del (c)
def test_sync_address(self): c = getdns.Context() c.resolution_type = getdns.RESOLUTION_STUB r = c.address('www.getdnsapi.net') self.assertEqual(r.status, getdns.RESPSTATUS_GOOD) self.assertTrue('185.49.141.37' in [x['address_data'] for x in r.just_address_answers]) del (c) del (r)
def get_addresses(hostname): extensions = {"return_both_v4_and_v6": getdns.EXTENSION_TRUE} ctx = getdns.Context() try: results = ctx.address(name=hostname, extensions=extensions) except getdns.error, e: print(str(e)) sys.exit(1)
def test_sync_hostname(self): c = getdns.Context() c.resolution_type = getdns.RESOLUTION_STUB r = c.hostname({ 'address_type': 'IPv4', 'address_data': '185.49.141.37' }) self.assertEqual(r.status, getdns.RESPSTATUS_GOOD) del (c) del (r)
class MyResolver: # Setup Context cntx = getdns.Context() extensions = {} desired_addr_type = "IPv4" # Setup Upstream to cloudflare DNS on TLS upstream = [{ 'address_data': '1.1.1.1', 'address_type': 'IPv4', 'tls_pubkey_pinset': ['pin-sha256="yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc="'] }] cntx.resolution_type = getdns.RESOLUTION_STUB cntx.dns_transport_list = [getdns.TRANSPORT_TLS] cntx.upstream_recursive_servers = upstream def get_rrtype(self, qtype): try: rrtype = eval("getdns.RRTYPE_%s" % qtype.upper()) except AttributeError: print("Unknown DNS record type: {0}".format(qtype)) sys.exit(1) else: return rrtype def resolve(self, request, handler): reply = request.reply() name = str(DNSLabel(request.q.qname)) qtype = self.get_rrtype(QTYPE[request.q.qtype]) try: results = self.cntx.address(name=name, extensions=self.extensions) except getdns.error as e: print(str(e)) sys.exit(1) status = results.status # Parse results for A record (can be extended for other record types too) if status == getdns.RESPSTATUS_GOOD: for address in results.just_address_answers: if address['address_type'] == self.desired_addr_type: addr = address['address_data'] zone = "{name} {qtype} {addr}".format( name=name, qtype=request.q.qtype, addr=addr) reply.add_answer(RR(name, QTYPE.A, rdata=A(addr), ttl=60)) return reply
def get_tlsa(port, proto, hostname): extensions = { "dnssec_return_only_secure": getdns.EXTENSION_TRUE, } qname = "_%d._%s.%s" % (port, proto, hostname) ctx = getdns.Context() try: results = ctx.general(name=qname, request_type=getdns.RRTYPE_TLSA, extensions=extensions) except getdns.error, e: print(str(e)) sys.exit(1)
def test_extensions(self): c = getdns.Context() e = { 'dnssec_return_status': getdns.EXTENSION_TRUE, 'dnssec_return_only_secure': getdns.EXTENSION_TRUE, 'dnssec_return_validation_chain': getdns.EXTENSION_TRUE, 'return_both_v4_and_v6': getdns.EXTENSION_TRUE, 'add_warning_for_bad_dns': getdns.EXTENSION_TRUE, 'return_call_reporting': getdns.EXTENSION_TRUE, 'specify_class': getdns.RRCLASS_IN } f = c.address('www.getdnsapi.net', extensions=e) self.assertEqual(f.status, getdns.RESPSTATUS_GOOD) del (c) del (e)
def test_advanced_upstream_recursive(self): c = getdns.Context() c.resolution_type = getdns.RESOLUTION_STUB u = [{ 'address_data': '185.49.141.37', 'address_type': 'IPv4', 'tsig_algorithm': 'hmac-md5.sig-alg.reg.int', 'tsig_name': 'hmac-md5.tsigs.getdnsapi.net', 'tsig_secret': base64.b64decode('16G69OTeXW6xSQ==') }] c.upstream_recursive_servers = u f = c.general('getdnsapi.net', request_type=getdns.RRTYPE_SOA) self.assertEqual(f.replies_tree[0]['tsig_status'], getdns.DNSSEC_SECURE) del (c) del (u) del (f)
def resolve_dnssec(domain: str): ctx = getdns.Context() extensions = {"return_both_v4_and_v6": getdns.EXTENSION_TRUE, "dnssec_return_status": getdns.EXTENSION_TRUE} results = ctx.address(name=domain, extensions=extensions) adresses = [] statuses = [] if results.status == getdns.RESPSTATUS_GOOD: for addr in results.just_address_answers: adresses.append(addr["address_data"]) for result in results.replies_tree: if "dnssec_status" in result.keys(): if results.status != getdns.RESPSTATUS_NO_NAME: statuses.append(result["dnssec_status"]) return adresses, statuses
def __init__(self): self.ctx = getdns.Context() self.recursive_servers = [ [{ "address_type": "IPv4", "address_data": '8.8.8.8' }], [{ "address_type": "IPv4", "address_data": '9.9.9.9' }], [{ "address_type": "IPv4", "address_data": '1.1.1.1' }], ] self.result_extension = { "dnssec_return_status": getdns.EXTENSION_TRUE, } self.ctx.resolution_type = getdns.RESOLUTION_STUB self.request_type = 2 self.result = {}
def test_upstream_recursive_servers(self): c = getdns.Context() g = [ { 'address_data': '8.8.8.8', 'address_type': 'IPv4' }, { 'address_data': '8.8.4.4', 'address_type': 'IPv4' }, { 'address_data': '2001:4860:4860::8888', 'address_type': 'IPv6' }, { 'address_data': '2001:4860:4860::8844', 'address_type': 'IPv6' }, ] c.upstream_recursive_servers = g self.assertEqual(c.upstream_recursive_servers, g) del (c) del (g)
#!/usr/bin/env python import getdns, sys hostname = sys.argv[1] ctx = getdns.Context() ctx.resolution_type = getdns.RESOLUTION_STUB extensions = {"return_both_v4_and_v6": getdns.EXTENSION_TRUE} ctx.resolver_type = getdns.RESOLUTION_STUB try: results = ctx.address(name=hostname, extensions=extensions) except getdns.error, e: print(str(e)) sys.exit(1) if results.status == getdns.RESPSTATUS_GOOD: for addr in results.just_address_answers: print addr["address_data"] else: print "getdns.address() returned an error: %d" % results["status"]
def __init__(self, debug=False): self.context = getdns.Context() self.extensions = {"dnssec_return_status": getdns.EXTENSION_TRUE} self.context.edns_do_bit = 1 self.debug = debug self.count = 0
def test_dnssec_allowed_skew(self): c = getdns.Context() skew = 5 c.dnssec_allowed_skew = skew self.assertEqual(c.dnssec_allowed_skew, skew) del (c)
def test_edns_version(self): c = getdns.Context() v = 2 c.edns_version = v self.assertEqual(c.edns_version, v) del (c)
def test_edns_maximum_udp_payload_size(self): c = getdns.Context() s = 1024 c.edns_maximum_udp_payload_size = s self.assertEqual(c.edns_maximum_udp_payload_size, s) del (c)
def test_edns_extended_rcode(self): c = getdns.Context() r = 127 c.edns_extended_rcode = r self.assertEqual(c.edns_extended_rcode, r) del (c)
def test_edns_do_bit(self): c = getdns.Context() do = 1 c.edns_do_bit = do self.assertEqual(c.edns_do_bit, do) del (c)
def test_edns_client_subnet_private(self): c = getdns.Context() p = 1 c.edns_client_subnet_private = p self.assertEqual(c.edns_client_subnet_private, p) del (c)