refactor:修改dns测试相关域名,因dns allow和deny策略冲突,删除dns allow相关的自检动作

This commit is contained in:
fumingwei
2021-09-08 10:13:08 +08:00
parent 4f803e8740
commit c43e24a981
3 changed files with 55 additions and 41 deletions


@@ -134,6 +134,24 @@ URLSslFirewallAllow = "https://sha512.badssl.selftest.gdnt-cloud.websit
URLSslFirewallDenyDrop = "https://rsa2048.badssl.selftest.gdnt-cloud.website"
URLSslFirewallDenyRst = "https://rsa4096.badssl.selftest.gdnt-cloud.website"
HOST_DNS_ALLOW_A = "dnstest.allow-a-ipv4.selftest.gdnt-cloud.website"
HOST_DNS_DENY_REDIRECT_A = "dnstest.deny-redirect-a-ipv4.selftest.gdnt-cloud.website"
HOST_DNS_DENY_DORY = "dnstest.deny-drop-ipv4.selftest.gdnt-cloud.website"
HOST_DNS_DENY_REDIRECT_A_RTTL = "dnstest.deny-redirect-a-rttl-ipv4.selftest.gdnt-cloud.website"
HOST_DNS_ALLOW_AAAA = "dnstest.allow-4a-ipv6.selftest.gdnt-cloud.website"
HOST_DNS_DENY_REDIRECT_AAAA = "dnstest.deny-redirect-4a-ipv6.selftest.gdnt-cloud.website"
HOST_DNS_DENY_REDIRECT_AAAA_RTTL = "dnstest.deny-redirect-4a-rttl-ipv6.selftest.gdnt-cloud.website"
HOST_DNS_CNAME_QUERY = "dnstest.test-cname.selftest.gdnt-cloud.website"
HOST_DNS_CNAME_ANSWER = "dnstest.testanswer-cname.selftest.gdnt-cloud.website"
DNS_REDIRECT_IPV4_ADDR = "33.252.0.101"
DNS_REDIRECT_IPV6_ADDR = "2001:db8::1001"
DNS_ALLOW_A_ADDR = "233.252.0.1"
DNS_ALLOW_AAAA_ADDR = "2001:db8::1"
DNS_SERVER_ALLOW_TTL = 60
DNS_SERVER_REDIRECT_TTL = 333
DNS_SERVER_REDIRECT_RANGE_LOW = 400
@@ -307,7 +325,7 @@ class DNSCheckRequestBuild:
dns_resolver.lifetime = float(3)
try:
dns_answer = dns_resolver.query("www.3test-ipv4.com", 'A')
dns_answer = dns_resolver.query(HOST_DNS_DENY_DORY, 'A')
except dns.exception.DNSException as errorinfo:
if type(errorinfo) == dns.exception.Timeout:
raise Exception(DnsRequestFirewallDenyDrop)
@@ -323,7 +341,7 @@ class DNSCheckRequestBuild:
dns_resolver.lifetime = float(3)
try:
dns_answer = dns_resolver.query("www.2test-ipv4.com", 'A')
dns_answer = dns_resolver.query(HOST_DNS_DENY_REDIRECT_A, 'A')
except dns.exception.DNSException as errorinfo:
raise Exception("Error: The dns_action_deny_subaction_redirect_a check failure, code: %s" % errorinfo)
else: # drop-redirect and respond rdtype A ipv4
@@ -333,7 +351,7 @@ class DNSCheckRequestBuild:
for i in dns_answer.response.answer:
for j in i.items:
if j.rdtype == 1: #'rdtype is A: ipv4'
if j.address == "99.99.99.99":
if j.address == DNS_REDIRECT_IPV4_ADDR:
raise Exception(DnsARequestFireWallDenyRedirect)
else:
raise Exception("Error: The dns request rdtype A drop redirect check failure: respond value error")
@@ -347,7 +365,7 @@ class DNSCheckRequestBuild:
dns_resolver.lifetime = float(3)
try:
dns_answer = dns_resolver.query("www.2test-ipv6.com", 'AAAA')
dns_answer = dns_resolver.query(HOST_DNS_DENY_REDIRECT_AAAA, 'AAAA')
except dns.exception.DNSException as errorinfo:
raise Exception("Error: The dns_action_deny_subaction_redirect_aaaa check failure, code: %s" % errorinfo)
else: # drop-redirect and respond rdtype A ipv6
@@ -358,7 +376,7 @@ class DNSCheckRequestBuild:
for i in dns_answer.response.answer:
for j in i.items:
if j.rdtype == 28: #'rdtype is A: ipv6'
if j.address == "99:99::99:99":
if j.address == DNS_REDIRECT_IPV6_ADDR:
raise Exception(DnsAAAARequestFireWallDenyRedirect)
else:
raise Exception("Error: The dns request rdtype AAAA drop redirect check failure: respond value error")
@@ -372,7 +390,7 @@ class DNSCheckRequestBuild:
dns_resolver.lifetime = float(3)
try:
dns_answer = dns_resolver.query("www.4test-ipv4.com", 'A')
dns_answer = dns_resolver.query(HOST_DNS_DENY_REDIRECT_A_RTTL, 'A')
except dns.exception.DNSException as errorinfo:
raise Exception("Error: The dns_action_deny_subaction_redirect_a_rang_ttl check failure, code: %s" % errorinfo)
else: # drop-redirect and respond rdtype A ipv4
@@ -383,7 +401,7 @@ class DNSCheckRequestBuild:
for i in dns_answer.response.answer:
for j in i.items:
if j.rdtype == 1: #'rdtype is A: ipv4'
if j.address == "99.99.99.99":
if j.address == DNS_REDIRECT_IPV4_ADDR:
raise Exception(DnsARequestFireWallDenyRedirectRangTTL)
else:
raise Exception("Error: The dns request rdtype A drop redirect range ttl check failure: respond value error")
@@ -397,7 +415,7 @@ class DNSCheckRequestBuild:
dns_resolver.lifetime = float(3)
try:
dns_answer = dns_resolver.query("www.4test-ipv6.com", 'AAAA')
dns_answer = dns_resolver.query(HOST_DNS_DENY_REDIRECT_AAAA_RTTL, 'AAAA')
except dns.exception.DNSException as errorinfo:
raise Exception("Error: The dns_action_deny_subaction_redirect_aaaa range ttl check failure, code: %s" % errorinfo)
else: # drop-redirect and respond rdtype A ipv6
@@ -408,7 +426,7 @@ class DNSCheckRequestBuild:
for i in dns_answer.response.answer:
for j in i.items:
if j.rdtype == 28: #'rdtype is A: ipv6'
if j.address == "99:99::99:99":
if j.address == DNS_REDIRECT_IPV6_ADDR:
raise Exception(DnsAAAARequestFireWallDenyRedirectRangTTL)
else:
raise Exception("Error: The dns request rdtype AAAA drop redirect check failure: respond value error")
@@ -424,7 +442,7 @@ class DNSCheckRequestBuild:
dns_resolver.lifetime = float(3)
try:
dns_answer = dns_resolver.query("www.1test-ipv4.com", 'A')
dns_answer = dns_resolver.query(HOST_DNS_ALLOW_A, 'A')
except dns.exception.DNSException as errorinfo:
raise Exception("Error: The dns request rdtype A allow check failure, code: %s" % errorinfo)
else:
@@ -435,7 +453,7 @@ class DNSCheckRequestBuild:
for i in dns_answer.response.answer:
for j in i.items:
if j.rdtype == 1: #'rdtype is A: ipv4'
if j.address == "10.1.2.3":
if j.address == DNS_ALLOW_A_ADDR:
raise Exception(DnsARequestFirewallAllow)
else:
raise Exception("Error: The dns request rdtype A allow check failure: respond value error")
@@ -450,7 +468,7 @@ class DNSCheckRequestBuild:
dns_resolver.lifetime = float(3)
try:
dns_answer = dns_resolver.query("www.1test-ipv6.com", 'AAAA')
dns_answer = dns_resolver.query(HOST_DNS_ALLOW_AAAA, 'AAAA')
except dns.exception.DNSException as errorinfo:
raise Exception("Error: The dns request rdtype AAAA allow check failure, code: %s" % errorinfo)
else:
@@ -461,7 +479,7 @@ class DNSCheckRequestBuild:
for i in dns_answer.response.answer:
for j in i.items:
if j.rdtype == 28: #'rdtype is AAAA: ipv6'
if j.address == "11aa:11:22::33":
if j.address == DNS_ALLOW_AAAA_ADDR:
raise Exception(DnsAAAARequestFirewallAllow)
else:
raise Exception("Error: The dns request rdtype AAAA allow check failure: respond value error")
@@ -475,7 +493,7 @@ class DNSCheckRequestBuild:
dns_resolver.lifetime = float(3)
try:
dns_answer = dns_resolver.query("www.1test-cname.com", 'CNAME')
dns_answer = dns_resolver.query(HOST_DNS_CNAME_QUERY, 'CNAME')
except dns.exception.DNSException as errorinfo:
raise Exception("Error: The dns request rdtype CNAME allow check failure, code: %s" % errorinfo)
else:
@@ -487,7 +505,7 @@ class DNSCheckRequestBuild:
for j in i.items:
if j.rdtype == 5: #'CNAME: tag(www.xxx.com)'
m=str(j)
if m == "www.1testanswer-cname.com.":
if m == (HOST_DNS_CNAME_ANSWER + '.'):
raise Exception(DnsCNAMERequestFirewallAllow)
else:
raise Exception("Error: The dns request rdtype CNAME allow check failure: respond value error")
@@ -1182,9 +1200,6 @@ class TsgDiagnose:
self._add_suite('test_dnsRequest_deny_redirect_aaaa')
self._add_suite('test_dnsRequest_deny_redirect_a_range_ttl')
self._add_suite('test_dnsRequest_deny_redirect_aaaa_range_ttl')
self._add_suite('test_dnsRequest_allow_rdtype_a')
self._add_suite('test_dnsRequest_allow_rdtype_aaaa')
self._add_suite('test_dnsRequest_allow_rdtype_cname')
def _dign_running(self):
print(format(("Test start time: " + time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())),'#^120s'))
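Review bot: `DNS_REDIRECT_IPV4_ADDR = "33.252.0.101"` on the first hunk is the only IPv4 literal in this commit outside 233.252.0.0/24 (compare `DNS_ALLOW_A_ADDR = "233.252.0.1"` and the dnsmasq mappings), which looks like a dropped leading digit; 33.0.0.0/8 is publicly routable, so the deny-redirect checks that compare `j.address == DNS_REDIRECT_IPV4_ADDR` would report "respond value error" if the firewall actually rewrites to 233.252.0.101. Confirm the firewall's redirect target and, if it is the 233.252.0.x address, change the constant to `DNS_REDIRECT_IPV4_ADDR = "233.252.0.101"`. The allow checks (`test_dnsRequest_allow_rdtype_*`) are dropped from `_add_suite` but their methods remain in `DNSCheckRequestBuild`; a comment above them such as `# Not scheduled: the allow rule conflicts with the deny policy, kept for manual runs` would stop the next reader from re-adding them blindly. `HOST_DNS_DENY_DORY` appears to be a typo for `HOST_DNS_DENY_DROP`, which would match the "deny-drop" name it holds. The check methods' bodies start and end outside these hunks.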


@@ -32,20 +32,20 @@ conn_timeout = 3
max_recv_speed_large = 6553600
[test_dnsRequest_allow_rdtype_a]
enabled = 1
conn_timeout = 3
max_recv_speed_large = 6553600
#[test_dnsRequest_allow_rdtype_a]
#enabled = 1
#conn_timeout = 3
#max_recv_speed_large = 6553600
[test_dnsRequest_allow_rdtype_aaaa]
enabled = 1
conn_timeout = 3
max_recv_speed_large = 6553600
#[test_dnsRequest_allow_rdtype_aaaa]
#enabled = 1
#conn_timeout = 3
#max_recv_speed_large = 6553600
[test_dnsRequest_allow_rdtype_cname]
enabled = 1
conn_timeout = 3
max_recv_speed_large = 6553600
#[test_dnsRequest_allow_rdtype_cname]
#enabled = 1
#conn_timeout = 3
#max_recv_speed_large = 6553600
[test_securityPolicy_intercept]
enabled = 1
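Review bot: Commenting out the three `[test_dnsRequest_allow_rdtype_*]` sections loses the reason they are off, while the file already has an `enabled` key for exactly that; `enabled = 0` with a one-line comment keeps the switch discoverable, e.g. `[test_dnsRequest_allow_rdtype_a]` / `# disabled: allow rule conflicts with the deny policy` / `enabled = 0`. Note that the matching `_add_suite(...)` calls were also removed from the Python file in this commit, so if the suite list is what actually schedules the checks, flipping this flag back to 1 will presumably not re-enable them on its own; a comment here pointing at that would save a debugging round.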


@@ -1,17 +1,16 @@
#dns解析日志
log-queries
#域名与IP映射
address=/www.1test-ipv4.com/10.1.2.3
address=/www.2test-ipv4.com/20.1.2.3
address=/www.3test-ipv4.com/30.1.2.3
address=/www.4test-ipv4.com/40.1.2.3
address=/www.5test-ipv4.com/50.1.2.3
address=/www.1test-ipv6.com/11aa:11:22::33
address=/www.2test-ipv6.com/22aa:11:22::33
address=/www.3test-ipv6.com/33aa:11:22::33
address=/www.4test-ipv6.com/44aa:11:22::33
address=/www.5test-ipv6.com/55aa:11:22::33
cname=www.1test-cname.com,www.1testanswer-cname.com
address=/dnstest.allow-a-ipv4.selftest.gdnt-cloud.website/233.252.0.1
address=/dnstest.deny-redirect-a-ipv4.selftest.gdnt-cloud.website/233.252.0.2
address=/dnstest.deny-drop-ipv4.selftest.gdnt-cloud.website/233.252.0.3
address=/dnstest.deny-redirect-a-rttl-ipv4.selftest.gdnt-cloud.website/233.252.0.4
address=/dnstest.reserved-ipv4.selftest.gdnt-cloud.website/233.252.0.5
address=/dnstest.allow-4a-ipv6.selftest.gdnt-cloud.website/2001:db8::1
address=/dnstest.deny-redirect-4a-ipv6.selftest.gdnt-cloud.website/2001:db8::2
address=/dnstest.deny-redirect-4a-rttl-ipv6.selftest.gdnt-cloud.website/2001:db8::3
address=/dnstest.reserved-ipv6.selftest.gdnt-cloud.website/2001:db8::4
cname=dnstest.test-cname.selftest.gdnt-cloud.website,dnstest.testanswer-cname.selftest.gdnt-cloud.website
#设置time-to-live的时间,如果未设置返回0
local-ttl=60
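Review bot: The new `address=` entries all sit in 233.252.0.0/24 and 2001:db8::/32, which are the MCAST-TEST-NET (RFC 5771) and IPv6 documentation ranges, but nothing in the file says this is deliberate, and the Python side's expected redirect address `33.252.0.101` does not follow the same convention, so it is unclear whether the 233.252.0.x choice is a policy or a coincidence. A header comment such as `# Upstream answers use documentation-only ranges (233.252.0.0/24, 2001:db8::/32); the firewall is expected to drop or rewrite the deny-* names before these reach the client` would make the intent checkable against the self-test constants. `log-queries` logs every lookup this resolver handles; if this config is only used for the self-test resolver that is fine, otherwise note the log volume and content in a comment.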