def test_timeout(self):
c = getdns.Context()
t = 1
c.timeout = t
self.assertEqual(c.timeout, t)
del (c)
del (t)
def test_limit_outstanding_queries(self):
c = getdns.Context()
l = 4
c.limit_outstanding_queries = l
self.assertEqual(c.limit_outstanding_queries, l)
del (c)
del (l)
def test_resolution_type(self):
c = getdns.Context()
r = getdns.RESOLUTION_STUB
c.resolution_type = r
self.assertEqual(c.resolution_type, r)
del (c)
del (r)
def test_sync_service(self):
c = getdns.Context()
c.resolution_type = getdns.RESOLUTION_STUB
r = c.service('_xmpp-server._tcp.jabber.org')
self.assertEqual(r.status, getdns.RESPSTATUS_GOOD)
del (c)
del (r)
def main():
tls_name = '77fa5113ab6a532ce2e6901f3bd3351c0db5845e0b1b5fb09907808d._smimecert.getdnsapi.org'
if len(sys.argv) == 2:
tls_name = sys.argv[1]
c = getdns.Context()
extensions = {'dnssec_return_status': getdns.EXTENSION_TRUE}
results = c.general(tls_name,
request_type=getdns.RRTYPE_TLSA,
extensions=extensions)
if results.replies_full['status'] != getdns.RESPSTATUS_GOOD:
print 'query status is {0}'.format(results.status)
sys.exit(1)
else:
record = get_first_secure_response(results)
cert_record = record['rdata']['certificate_association_data']
try:
cert = x509.load_der_x509_certificate(bytes(cert_record),
default_backend())
rsakey = cert.public_key()
encrypted = rsakey.encrypt(
"A chunk of text",
padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA1()),
algorithm=hashes.SHA1(),
label=None))
print encrypted.encode('base64')
except Exception as e:
print('Error: {0}'.format(e.message))
sys.exit(1)
def main():
CLIENT_SUBNET_OPCODE = 8
address = '192.168.1.0'
host = 'getdnsapi.net'
source_len = 12
family = pack("!H", 1) # start building the edns option fields
source_len = pack('!B', source_len)
scope_len = pack('!B', 0)
#
# encoding the binary data in strings makes it really easy
# to build packets by concatenating those strings
#
address = pack('!BBBB', 192, 168, 1, 0)
payload = family + source_len + scope_len + address
ext = {
'add_opt_parameters': {
'options': [{
'option_code': CLIENT_SUBNET_OPCODE,
'option_data': payload
}]
}
}
c = getdns.Context()
c.resolution_type = getdns.RESOLUTION_STUB
response = c.address(host, extensions=ext)
# do things with response ...
print response
def main():
tls_name = '77fa5113ab6a532ce2e6901f3bd3351c0db5845e0b1b5fb09907808d._smimecert.getdnsapi.org'
if len(sys.argv) == 2:
tls_name = sys.argv[1]
c = getdns.Context()
extensions = {'dnssec_return_status': getdns.EXTENSION_TRUE}
results = c.general(tls_name,
request_type=getdns.RRTYPE_TLSA,
extensions=extensions)
if results.replies_full['status'] != getdns.RESPSTATUS_GOOD:
print 'query status is {0}'.format(results.status)
sys.exit(1)
else:
record = get_first_secure_response(results)
cert = record['rdata']['certificate_association_data']
try:
x509 = m2.X509.load_cert_der_string(cert)
rsakey = x509.get_pubkey().get_rsa()
encrypted = rsakey.public_encrypt("A chunk of text",
RSA.pkcs1_oaep_padding)
print encrypted.encode('base64')
except:
print 'Error: ', sys.exc_info()[0]
sys.exit(1)
def test_sync_general(self):
c = getdns.Context()
c.resolution_type = getdns.RESOLUTION_STUB
r = c.general('nlnetlabs.nl', request_type=getdns.RRTYPE_NS)
self.assertEqual(r.status, getdns.RESPSTATUS_GOOD)
del (c)
del (r)
def test_tls_query_padding_blocksize(self):
c = getdns.Context()
b = 512
c.tls_query_padding_blocksize = b
self.assertEqual(c.tls_query_padding_blocksize, b)
del (c)
del (b)
def test_tls_authentication(self):
c = getdns.Context()
t = getdns.AUTHENTICATION_NONE
c.tls_authentication = t
self.assertEqual(c.tls_authentication, t)
del (c)
del (t)
def validateDNSRecord(requestType, certPem):
# We assume that the common name of the certificate is the query name
queryName = getCNFromCert( certPem )
# We define a set of extensions
extensions = {
"dnssec_return_only_secure": getdns.EXTENSION_TRUE, # Will only return verified entries
"add_warning_for_bad_dns" : getdns.EXTENSION_TRUE, # FIXME: Not sure if necessary
"return_both_v4_and_v6" : getdns.EXTENSION_TRUE, # Handles IPv4 and IPv6
}
# We start filling up the context for our query. This context will always be
# the same in our use case as we only want to ensure that the certificate is
# in the DNS's database
ctx = getdns.Context()
ctx.dns_root_servers = DNS_ADDR
ctx.tls_authentication = getdns.AUTHENTICATION_REQUIRED
# We perform the query itself
results = ctx.general( name = queryName, request_type = requestType, extensions = extensions )
if results.status != getdns.RESPSTATUS_GOOD:
raise Exception("Error during DNSSEC query: " + str(results.status))
if CPP_LOG_LEVEL <= LOG_LEVEL_DEBUG:
# This might be too verbose, even for debug mode...
pprint.pprint(results.replies_full)
# We use a for loop here, but there should only be two entries, one for the
# RRSIG, which we don't need to check as it's already checked by getdns. We
# check the other one though
for item in results.replies_tree[0]['answer']:
if item['type'] == requestType:
# We perform the digest of the certificate using the same algorithm
# as the one used by the server
digestOfCertLocal = getCertDigestLocal( certPem, item )
# We now extract and properly decode the digest of the certificate
# obtained from the DNSSEC server
if requestType == getdns.RRTYPE_CERT:
digestOfCertServer = getCertDigestFromServerCert(item)
elif requestType == getdns.RRTYPE_TLSA:
digestOfCertServer = getCertDigestFromServerTlsa(item)
else:
raise Exception("Unsupported RRTYPE can not decode digest from record")
# Both values should now be equal. Otherwise, we express both as a
# hex sequence to help debugging.
if digestOfCertLocal != digestOfCertServer:
print("Computed digest: " + digestOfCertLocal.hex())
print("Digest from DNS: " + digestOfCertServer.hex())
raise Exception("The digest of the client certificate doesn't match the DNSSEC record")
else:
log( LOG_LEVEL_NOTICE, "Certificate with CN '" + queryName + "' was validated by the DNSSEC" )
return True
# Shouldn't reach this point
return False
def test_dns_transport_list(self):
c = getdns.Context()
transports = [
getdns.TRANSPORT_TLS, getdns.TRANSPORT_UDP, getdns.TRANSPORT_TCP
]
c.dns_transport_list = transports
self.assertEqual(c.dns_transport_list, transports)
del (c)
def test_sync_address(self):
c = getdns.Context()
c.resolution_type = getdns.RESOLUTION_STUB
r = c.address('www.getdnsapi.net')
self.assertEqual(r.status, getdns.RESPSTATUS_GOOD)
self.assertTrue('185.49.141.37' in
[x['address_data'] for x in r.just_address_answers])
del (c)
del (r)
def get_addresses(hostname):
extensions = {"return_both_v4_and_v6": getdns.EXTENSION_TRUE}
ctx = getdns.Context()
try:
results = ctx.address(name=hostname, extensions=extensions)
except getdns.error, e:
print(str(e))
sys.exit(1)
def test_sync_hostname(self):
c = getdns.Context()
c.resolution_type = getdns.RESOLUTION_STUB
r = c.hostname({
'address_type': 'IPv4',
'address_data': '185.49.141.37'
})
self.assertEqual(r.status, getdns.RESPSTATUS_GOOD)
del (c)
del (r)
class MyResolver:
# Setup Context
cntx = getdns.Context()
extensions = {}
desired_addr_type = "IPv4"
# Setup Upstream to cloudflare DNS on TLS
upstream = [{
'address_data':
'1.1.1.1',
'address_type':
'IPv4',
'tls_pubkey_pinset':
['pin-sha256="yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc="']
}]
cntx.resolution_type = getdns.RESOLUTION_STUB
cntx.dns_transport_list = [getdns.TRANSPORT_TLS]
cntx.upstream_recursive_servers = upstream
def get_rrtype(self, qtype):
try:
rrtype = eval("getdns.RRTYPE_%s" % qtype.upper())
except AttributeError:
print("Unknown DNS record type: {0}".format(qtype))
sys.exit(1)
else:
return rrtype
def resolve(self, request, handler):
reply = request.reply()
name = str(DNSLabel(request.q.qname))
qtype = self.get_rrtype(QTYPE[request.q.qtype])
try:
results = self.cntx.address(name=name, extensions=self.extensions)
except getdns.error as e:
print(str(e))
sys.exit(1)
status = results.status
# Parse results for A record (can be extended for other record types too)
if status == getdns.RESPSTATUS_GOOD:
for address in results.just_address_answers:
if address['address_type'] == self.desired_addr_type:
addr = address['address_data']
zone = "{name} {qtype} {addr}".format(
name=name, qtype=request.q.qtype, addr=addr)
reply.add_answer(RR(name, QTYPE.A, rdata=A(addr), ttl=60))
return reply
def get_tlsa(port, proto, hostname):
extensions = {
"dnssec_return_only_secure": getdns.EXTENSION_TRUE,
}
qname = "_%d._%s.%s" % (port, proto, hostname)
ctx = getdns.Context()
try:
results = ctx.general(name=qname,
request_type=getdns.RRTYPE_TLSA,
extensions=extensions)
except getdns.error, e:
print(str(e))
sys.exit(1)
def test_extensions(self):
c = getdns.Context()
e = {
'dnssec_return_status': getdns.EXTENSION_TRUE,
'dnssec_return_only_secure': getdns.EXTENSION_TRUE,
'dnssec_return_validation_chain': getdns.EXTENSION_TRUE,
'return_both_v4_and_v6': getdns.EXTENSION_TRUE,
'add_warning_for_bad_dns': getdns.EXTENSION_TRUE,
'return_call_reporting': getdns.EXTENSION_TRUE,
'specify_class': getdns.RRCLASS_IN
}
f = c.address('www.getdnsapi.net', extensions=e)
self.assertEqual(f.status, getdns.RESPSTATUS_GOOD)
del (c)
del (e)
def test_advanced_upstream_recursive(self):
c = getdns.Context()
c.resolution_type = getdns.RESOLUTION_STUB
u = [{
'address_data': '185.49.141.37',
'address_type': 'IPv4',
'tsig_algorithm': 'hmac-md5.sig-alg.reg.int',
'tsig_name': 'hmac-md5.tsigs.getdnsapi.net',
'tsig_secret': base64.b64decode('16G69OTeXW6xSQ==')
}]
c.upstream_recursive_servers = u
f = c.general('getdnsapi.net', request_type=getdns.RRTYPE_SOA)
self.assertEqual(f.replies_tree[0]['tsig_status'],
getdns.DNSSEC_SECURE)
del (c)
del (u)
del (f)
def resolve_dnssec(domain: str):
ctx = getdns.Context()
extensions = {"return_both_v4_and_v6":
getdns.EXTENSION_TRUE,
"dnssec_return_status":
getdns.EXTENSION_TRUE}
results = ctx.address(name=domain,
extensions=extensions)
adresses = []
statuses = []
if results.status == getdns.RESPSTATUS_GOOD:
for addr in results.just_address_answers:
adresses.append(addr["address_data"])
for result in results.replies_tree:
if "dnssec_status" in result.keys():
if results.status != getdns.RESPSTATUS_NO_NAME:
statuses.append(result["dnssec_status"])
return adresses, statuses
def __init__(self):
self.ctx = getdns.Context()
self.recursive_servers = [
[{
"address_type": "IPv4",
"address_data": '8.8.8.8'
}],
[{
"address_type": "IPv4",
"address_data": '9.9.9.9'
}],
[{
"address_type": "IPv4",
"address_data": '1.1.1.1'
}],
]
self.result_extension = {
"dnssec_return_status": getdns.EXTENSION_TRUE,
}
self.ctx.resolution_type = getdns.RESOLUTION_STUB
self.request_type = 2
self.result = {}
def test_upstream_recursive_servers(self):
c = getdns.Context()
g = [
{
'address_data': '8.8.8.8',
'address_type': 'IPv4'
},
{
'address_data': '8.8.4.4',
'address_type': 'IPv4'
},
{
'address_data': '2001:4860:4860::8888',
'address_type': 'IPv6'
},
{
'address_data': '2001:4860:4860::8844',
'address_type': 'IPv6'
},
]
c.upstream_recursive_servers = g
self.assertEqual(c.upstream_recursive_servers, g)
del (c)
del (g)
#!/usr/bin/env python
import getdns, sys
hostname = sys.argv[1]
ctx = getdns.Context()
ctx.resolution_type = getdns.RESOLUTION_STUB
extensions = {"return_both_v4_and_v6": getdns.EXTENSION_TRUE}
ctx.resolver_type = getdns.RESOLUTION_STUB
try:
results = ctx.address(name=hostname, extensions=extensions)
except getdns.error, e:
print(str(e))
sys.exit(1)
if results.status == getdns.RESPSTATUS_GOOD:
for addr in results.just_address_answers:
print addr["address_data"]
else:
print "getdns.address() returned an error: %d" % results["status"]
def __init__(self, debug=False):
self.context = getdns.Context()
self.extensions = {"dnssec_return_status": getdns.EXTENSION_TRUE}
self.context.edns_do_bit = 1
self.debug = debug
self.count = 0
def test_dnssec_allowed_skew(self):
c = getdns.Context()
skew = 5
c.dnssec_allowed_skew = skew
self.assertEqual(c.dnssec_allowed_skew, skew)
del (c)
def test_edns_version(self):
c = getdns.Context()
v = 2
c.edns_version = v
self.assertEqual(c.edns_version, v)
del (c)
def test_edns_maximum_udp_payload_size(self):
c = getdns.Context()
s = 1024
c.edns_maximum_udp_payload_size = s
self.assertEqual(c.edns_maximum_udp_payload_size, s)
del (c)
def test_edns_extended_rcode(self):
c = getdns.Context()
r = 127
c.edns_extended_rcode = r
self.assertEqual(c.edns_extended_rcode, r)
del (c)
def test_edns_do_bit(self):
c = getdns.Context()
do = 1
c.edns_do_bit = do
self.assertEqual(c.edns_do_bit, do)
del (c)
def test_edns_client_subnet_private(self):
c = getdns.Context()
p = 1
c.edns_client_subnet_private = p
self.assertEqual(c.edns_client_subnet_private, p)
del (c)
