feat: 1. 添加测试dns防火墙的测试例

2. 修改dns的openfile的镜像源, 解决源镜像无法下载问题

.gitlab-ci.yml

@@ -12,8 +12,6 @@ cache:
   before_script:
     - docker info
     - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY
-  only:
-    - tags
   tags:
     - share
     
@@ -33,9 +31,6 @@ cache:
     - chmod +x ./ci/travis.sh
   tags:
   - share
-  only:
-    - tags
-
 
 images_build:
   stage: build
@@ -44,14 +39,17 @@ images_build:
     UNITTEST_IMAGE_TAG: unittest-tsg-diagnose:latest
     WPR_IMAGE_TAG: wpr-tsg-diagnose:latest
     BADSSL_IMAGE_TAG: badssl-tsg-diagnose:latest
+    DNS_IMAGES_TAGE: dns-server-diagnose:latest
   script:
     - mkdir -p images
     - docker build -t $UNITTEST_IMAGE_TAG -f ./unittest_python/Dockerfile ./unittest_python/
     - docker save $UNITTEST_IMAGE_TAG > images/unittest.tar
     - docker build -t $WPR_IMAGE_TAG -f ./wpr_golang/Dockerfile ./wpr_golang/
     - docker save $WPR_IMAGE_TAG > images/wpr.tar
-    - docker build -t $BADSSL_IMAGE_TAG -f ./badssl.com/Dockerfile ./badssl.com/
+    #- docker build -t $BADSSL_IMAGE_TAG -f ./badssl.com/Dockerfile ./badssl.com/
-    - docker save $BADSSL_IMAGE_TAG  > images/badssl.tar
+    #- docker save $BADSSL_IMAGE_TAG  > images/badssl.tar
+    - docker build -t $DNS_IMAGES_TAGE -f ./dnsmasq/Dockerfile ./dnsmasq
+    - docker save $DNS_IMAGES_TAGE > images/dns.tar
 
 
 rpm_build:

cmake/Package.cmake

@@ -25,6 +25,7 @@ install(FILES docker-compose/docker-compose.yml DESTINATION ./compose)
 install(FILES unittest_python/unittest/etc/tsg-diagnose.config DESTINATION ./etc)
 install(FILES wpr_golang/wpr/wpr_cert.pem DESTINATION ./etc)
 install(FILES docker-compose/tsg-diagnose.service DESTINATION /usr/lib/systemd/system)
+install(FILES dnsmasq/config/dnsmasq.conf DESTINATION /opt/tsg/tsg-diagnose/etc/)
 install(DIRECTORY images/ DESTINATION ./images)
 install(DIRECTORY deploy/ DESTINATION ./deploy)
 

cmake/PostInstall.in

@@ -3,7 +3,9 @@ if [ $1 == 2 ]; then
     docker rmi -f badssl-tsg-diagnose
     docker rmi -f unittest-tsg-diagnose
     docker rmi -f wpr-tsg-diagnose
+    docker rmi -f dns-server-diagnose
 fi
 docker load < /opt/tsg/tsg-diagnose/images/badssl.tar
 docker load < /opt/tsg/tsg-diagnose/images/unittest.tar
-docker load < /opt/tsg/tsg-diagnose/images/wpr.tar
+docker load < /opt/tsg/tsg-diagnose/images/wpr.tar
+docker load < /opt/tsg/tsg-diagnose/images/dns.tar

cmake/PostunInstall.in

@@ -2,4 +2,5 @@ if [ $1 == 0 ]; then
     docker rmi -f badssl-tsg-diagnose
     docker rmi -f unittest-tsg-diagnose
     docker rmi -f wpr-tsg-diagnose
-fi
+    docker rmi -f dns-server-diagnose
+fi

dnsmasq/Dockerfile

@@ -0,0 +1,19 @@
+FROM alpine:latest as builder
+RUN set -eux && sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
+LABEL maintainer="dev@jpillora.com"
+# webproc release settings
+ENV WEBPROC_VERSION 0.2.2
+ENV WEBPROC_URL https://github.com/jpillora/webproc/releases/download/$WEBPROC_VERSION/webproc_linux_amd64.gz
+# fetch dnsmasq and webproc binary
+RUN apk update \
+	&& apk --no-cache add dnsmasq \
+	&& apk add --no-cache --virtual .build-deps curl \
+	&& curl -sL $WEBPROC_URL | gzip -d - > /usr/local/bin/webproc \
+	&& chmod +x /usr/local/bin/webproc \
+	&& apk del .build-deps
+#configure dnsmasq
+RUN mkdir -p /etc/default/
+RUN echo -e "ENABLED=1\nIGNORE_RESOLVCONF=yes" > /etc/default/dnsmasq
+COPY dnsmasq.conf /etc/dnsmasq.conf
+#run!
+ENTRYPOINT ["webproc","--config","/etc/dnsmasq.conf","--","dnsmasq","--no-daemon"]

dnsmasq/README.md

@@ -0,0 +1,84 @@
+# docker-dnsmasq
+
+dnsmasq in a docker container, configurable via a [simple web UI](https://github.com/jpillora/webproc)
+
+[![Docker Pulls](https://img.shields.io/docker/pulls/jpillora/dnsmasq.svg)][dockerhub]
+[![Image Size](https://images.microbadger.com/badges/image/jpillora/dnsmasq.svg)][dockerhub]
+
+### Usage
+
+1. Create a [`/opt/dnsmasq.conf`](http://oss.segetech.com/intra/srv/dnsmasq.conf) file on the Docker host
+
+   ```ini
+   #dnsmasq config, for a complete example, see:
+   #  http://oss.segetech.com/intra/srv/dnsmasq.conf
+   #log all dns queries
+   log-queries
+   #dont use hosts nameservers
+   no-resolv
+   #use cloudflare as default nameservers, prefer 1^4
+   server=1.0.0.1
+   server=1.1.1.1
+   strict-order
+   #serve all .company queries using a specific nameserver
+   server=/company/10.0.0.1
+   #explicitly define host-ip mappings
+   address=/myhost.company/10.0.0.2
+   ```
+
+1. Run the container
+
+   ```
+   $ docker run \
+   	--name dnsmasq \
+   	-d \
+   	-p 53:53/udp \
+   	-p 5380:8080 \
+   	-v /opt/dnsmasq.conf:/etc/dnsmasq.conf \
+   	--log-opt "max-size=100m" \
+   	-e "HTTP_USER=foo" \
+   	-e "HTTP_PASS=bar" \
+   	--restart always \
+   	jpillora/dnsmasq
+   ```
+
+1. Visit `http://<docker-host>:5380`, authenticate with `foo/bar` and you should see
+
+   <img width="833" alt="screen shot 2017-10-15 at 1 41 21 am" src="https://user-images.githubusercontent.com/633843/31580966-baacba62-b1a9-11e7-8439-ca1ddfe828dd.png">
+
+1. Test it out with
+
+   ```
+   $ host myhost.company <docker-host>
+   Using domain server:
+   Name: <docker-host>
+   Address: <docker-host>#53
+   Aliases:
+
+   myhost.company has address 10.0.0.2
+   ```
+
+#### MIT License
+
+Copyright &copy; 2018 Jaime Pillora &lt;dev@jpillora.com&gt;
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+[dockerhub]: https://hub.docker.com/r/jpillora/dnsmasq/

dnsmasq/config/dnsmasq.conf

@@ -0,0 +1,10 @@
+#dns解析日志
+log-queries
+#域名与IP映射
+address=/www.1test-ipv4.com/10.1.2.3
+address=/www.2test-ipv4.com/20.1.2.3
+address=/www.3test-ipv4.com/30.1.2.3
+address=/www.1test-ipv6.com/11aa:11:22::33
+address=/www.2test-ipv6.com/22aa:11:22::33
+address=/www.3test-ipv6.com/33aa:11:22::33
+cname=www.1test-cname.com,www.1testanswer-cname.com

dnsmasq/dnsmasq.conf

@@ -0,0 +1,17 @@
+#dns解析日志
+log-queries
+#域名与IP映射
+address=/www.1test-ipv4.com/10.1.2.3
+address=/www.2test-ipv4.com/20.1.2.3
+address=/www.3test-ipv4.com/30.1.2.3
+address=/www.4test-ipv4.com/40.1.2.3
+address=/www.5test-ipv4.com/50.1.2.3
+address=/www.1test-ipv6.com/11aa:11:22::33
+address=/www.2test-ipv6.com/22aa:11:22::33
+address=/www.3test-ipv6.com/33aa:11:22::33
+address=/www.4test-ipv6.com/44aa:11:22::33
+address=/www.5test-ipv6.com/55aa:11:22::33
+cname=www.1test-cname.com,www.1testanswer-cname.com
+
+#设置time-to-live的时间,如果未设置返回0
+local-ttl=60

docker-compose/docker-compose.yml

@@ -45,13 +45,37 @@ services:
         arp -i eth0 -s 192.0.2.3 02:42:C0:A8:FD:03
         /root/wpr/wpr replay --http_port=80 --https_port=443 --host=0.0.0.0 --quiet_mode /root/wpr/archive.wprgo & 
         tail -f /dev/null
-        
+
+  dns_server:
+      image: "dns-server-diagnose:latest"
+      container_name: "dns-server-diagnose"
+      tty: true
+      privileged: true
+      networks:
+        vlan_ssl_net:
+          ipv4_address: 192.0.2.135
+          ipv6_address: fd00:a1bf:2c3d:ef5a:1e2f:3d4c:56ab:1015
+        bridge_net:
+          ipv4_address: 192.51.100.5
+      volumes:
+        - /etc/localtime:/etc/localtime:ro
+      entrypoint: /bin/sh
+      command:
+        - -c 
+        - |
+          ifconfig eth0 hw ether 02:42:C0:A8:FD:85
+          arp -i eth0 -s 192.0.2.3 02:42:C0:A8:FD:03
+          echo 66.66.66.66  www.1testanswer-cname.com >> /etc/hosts
+          webproc --config /etc/dnsmasq.conf -- dnsmasq --no-daemon &
+          tail -f /dev/null
+
   unittest_client:
     image: "unittest-tsg-diagnose:latest"
     container_name: "unittest_tsg-diagnose"
     depends_on: 
       - badssl_server
       - wpr_server
+      - dns_server
     tty: true
     privileged: true
     networks:
@@ -74,6 +98,7 @@ services:
         ifconfig eth0 hw ether 02:42:C0:A8:FD:03
         arp -i eth0 -s 192.0.2.130 02:42:c0:a8:fd:82
         arp -i eth0 -s 192.0.2.131 02:42:C0:A8:FD:83
+        arp -i eth0 -s 192.0.2.135 02:42:C0:A8:FD:85
         mkdir -p /root/result_tsg_diagnose/unittest
         mkdir -p /root/result_tsg_diagnose/conn_traffic_status
         cp -rf /root/cafile_dict/certs/sets/current/gen/crt/ca-root.crt /usr/local/share/ca-certificates
@@ -83,6 +108,7 @@ services:
         echo '0      2       *       *       *       /usr/local/bin/python /root/unittest/clear_file_timeout.py -d /root/result_tsg_diagnose/conn_traffic_status' > /etc/crontabs/root
         crond
         python /root/unittest/tsg_diagnose.py -l -w NEZHA
+        tail -f /dev/null
 
 
 networks: 
@@ -99,7 +125,7 @@ networks:
     driver: macvlan
     enable_ipv6: true
     driver_opts: 
-      parent: enp1s1
+      parent: eth_vf_dign_s
     ipam: 
       config: 
         - subnet: 192.0.2.0/24
@@ -114,7 +140,7 @@ networks:
     driver: macvlan
     enable_ipv6: true
     driver_opts:
-      parent: ens1f1
+      parent: eth_vf_dign_c
     ipam:
       config:
         - subnet: 192.0.2.0/24

unittest_python/Dockerfile

@@ -10,7 +10,8 @@ RUN sed -i s@/dl-cdn.alpinelinux.org/@/mirrors.ustc.edu.cn/@g /etc/apk/repositor
         && pip3 install pycurl \
         && pip3 install httpstat \
         && pip3 install CIUnitTest \
-        && pip3 install pytelegraf
+        && pip3 install pytelegraf \
+        && pip3 install dnspython
 	
 WORKDIR /root/unittest
 

unittest_python/unittest/etc/tsg-diagnose.config

@@ -6,6 +6,47 @@ conn_timeout = 1
 #max_recv_speed_large  byte/s
 max_recv_speed_large = 6553600
 
+[test_dnsRequest_deny_drop]
+enabled = 1
+conn_timeout = 3
+max_recv_speed_large = 6553600
+
+[test_dnsRequest_deny_redirect_a]
+enabled = 1
+conn_timeout = 3
+max_recv_speed_large = 6553600
+
+[test_dnsRequest_deny_redirect_aaaa]
+enabled = 1
+conn_timeout = 3
+max_recv_speed_large = 6553600
+
+[test_dnsRequest_deny_redirect_a_range_ttl]
+enabled = 1
+conn_timeout = 3
+max_recv_speed_large = 6553600
+
+[test_dnsRequest_deny_redirect_aaaa_range_ttl]
+enabled = 1
+conn_timeout = 3
+max_recv_speed_large = 6553600
+
+
+[test_dnsRequest_allow_rdtype_a]
+enabled = 1
+conn_timeout = 3
+max_recv_speed_large = 6553600
+
+[test_dnsRequest_allow_rdtype_aaaa]
+enabled = 1
+conn_timeout = 3
+max_recv_speed_large = 6553600
+
+[test_dnsRequest_allow_rdtype_cname]
+enabled = 1
+conn_timeout = 3
+max_recv_speed_large = 6553600
+
 [test_securityPolicy_intercept]
 enabled = 1
 conn_timeout = 1

unittest_python/unittest/tsg_diagnose.py

@@ -13,9 +13,20 @@ from telegraf.client import TelegrafClient
 import hashlib
 from configparser import ConfigParser
 import random
+import dns.exception
+import dns.resolver
+import sys
 
 
 suite_test_config_dict = {'test_securityPolicy_bypass': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+                        'test_dnsRequest_deny_drop': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+                        'test_dnsRequest_deny_redirect_a': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+                        'test_dnsRequest_deny_redirect_aaaa': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+                        'test_dnsRequest_deny_redirect_a_range_ttl': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+                        'test_dnsRequest_deny_redirect_aaaa_range_ttl': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+                        'test_dnsRequest_allow_rdtype_a': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+                        'test_dnsRequest_allow_rdtype_aaaa': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
+                        'test_dnsRequest_allow_rdtype_cname': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
                         'test_securityPolicy_intercept': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
                         'test_securityPolicy_intercept_certerrExpired': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
                         'test_securityPolicy_intercept_certerrSelf_signed': {'enabled':1,'conn_timeout':1,'max_recv_speed_large':6553600},
@@ -123,6 +134,215 @@ URLSslFirewallAllow          = "https://sha512.badssl.self-test.geedge.net"
 URLSslFirewallDenyDrop       = "https://rsa2048.badssl.self-test.geedge.net"
 URLSslFirewallDenyRst        = "https://rsa4096.badssl.self-test.geedge.net"
 
+DNS_SERVER_ALLOW_TTL = 60
+DNS_SERVER_REDIRECT_TTL = 333
+DNS_SERVER_REDIRECT_RANGE_LOW = 400
+DNS_SERVER_REDIRECT_RANGE_HIGH = 500
+DNS_SERVER_IP = ["192.0.2.135"]
+DnsRequestFirewallDenyDrop          = "Dns request timeout is deny drop sucess"   
+DnsARequestFireWallDenyRedirect     = "Dns rdtype A request is deny reidrect sucess"   
+DnsAAAARequestFireWallDenyRedirect  = "Dns rdtype AAAA request is deny redirect sucess"
+DnsARequestFireWallDenyRedirectRangTTL    = "Dns rdtype A request is deny reidrect and range ttl sucess"   
+DnsAAAARequestFireWallDenyRedirectRangTTL = "Dns rdtype AAAA request is deny redirect and range ttl sucess"
+DnsARequestFirewallAllow            = "Dns rdtype A request data is sucess"        
+DnsAAAARequestFirewallAllow         = "Dns rdtype AAAA request data is sucess"     
+DnsCNAMERequestFirewallAllow        = "Dns rdtype CNAME request data is sucess"    
+
+
+class DNSCheckRequestBuild:
+    def dns_action_deny_subaction_drop(self): 
+        dns_resolver=dns.resolver.Resolver()
+        dns_resolver.nameservers = DNS_SERVER_IP
+        dns_resolver.timeout = float(3)
+        dns_resolver.lifetime = float(3)
+
+        try:
+            dns_answer = dns_resolver.query("www.3test-ipv4.com", 'A')
+        except dns.exception.DNSException as errorinfo:
+            if type(errorinfo) == dns.exception.Timeout:
+                raise Exception(DnsRequestFirewallDenyDrop)
+            else:            
+                raise Exception("Error: The dns_action_deny_subaction_drop check failure, code: %s" % errorinfo)
+        else:   
+            raise Exception("Error: The dns_action_deny_subaction_drop test deny drop failure" )
+
+    def dns_action_deny_subaction_redirect_a(self):
+        dns_resolver=dns.resolver.Resolver()
+        dns_resolver.nameservers = DNS_SERVER_IP
+        dns_resolver.timeout = float(3)
+        dns_resolver.lifetime = float(3)
+
+        try:
+            dns_answer = dns_resolver.query("www.2test-ipv4.com", 'A')
+        except dns.exception.DNSException as errorinfo:
+            raise Exception("Error: The dns_action_deny_subaction_redirect_a check failure, code: %s" % errorinfo)
+        else:   # drop-redirect and respond rdtype A ipv4
+           if dns_answer.rrset.ttl != DNS_SERVER_REDIRECT_TTL:                                                                                                  
+                raise Exception("Error: The dns_action_deny_subaction_redirect_a check failure: ttl(%s) is not DNS_SERVER_REDIRECT_TTL(%d)"%(dns_answer.rrset.ttl, DNS_SERVER_REDIRECT_TTL))
+                return    
+           for i in dns_answer.response.answer:
+               for j in i.items:
+                   if j.rdtype == 1: #'rdtype is A: ipv4'
+                       if j.address == "99.99.99.99":
+                           raise Exception(DnsARequestFireWallDenyRedirect)
+                       else:
+                           raise Exception("Error: The dns request rdtype A drop redirect check failure: respond value error")
+                   else:
+                       raise Exception("Error: The dns request rdtype A drop redirect check failure: respond rdtype error")
+
+    def dns_action_deny_subaction_redirect_aaaa(self):                                                                                            
+        dns_resolver=dns.resolver.Resolver()                                                                                                 
+        dns_resolver.nameservers = DNS_SERVER_IP
+        dns_resolver.timeout = float(3)                                                                                                      
+        dns_resolver.lifetime = float(3)                                                                                                     
+                                                                                                                                             
+        try:                                                                                                                                 
+            dns_answer = dns_resolver.query("www.2test-ipv6.com", 'AAAA')                                                                    
+        except dns.exception.DNSException as errorinfo:                                                                                      
+            raise Exception("Error: The dns_action_deny_subaction_redirect_aaaa check failure, code: %s" % errorinfo)                                 
+        else:   # drop-redirect and respond rdtype A ipv6                                                                                    
+           if dns_answer.rrset.ttl != DNS_SERVER_REDIRECT_TTL:                                                                                                  
+                raise Exception("Error: The dns_action_deny_subaction_redirect_aaaa check failure: ttl(%s) is not DNS_SERVER_REDIRECT_TTL(%d)"%(dns_answer.rrset.ttl, DNS_SERVER_REDIRECT_TTL))                  
+                return    
+
+           for i in dns_answer.response.answer:                                                                                             
+               for j in i.items:                                                                                                            
+                   if j.rdtype == 28: #'rdtype is A: ipv6'                                                                                  
+                       if j.address == "99:99::99:99":                                                                                      
+                           raise Exception(DnsAAAARequestFireWallDenyRedirect)                                                 
+                       else:                                                                                              
+                           raise Exception("Error: The dns request rdtype AAAA drop redirect check failure: respond value error")
+                   else:                                                                                                  
+                       raise Exception("Error: The dns request rdtype AAAA drop redirect check failure: respond rdtype error") 
+
+    def dns_action_deny_subaction_redirect_a_rang_ttl(self):
+        dns_resolver=dns.resolver.Resolver()
+        dns_resolver.nameservers = DNS_SERVER_IP
+        dns_resolver.timeout = float(3)
+        dns_resolver.lifetime = float(3)
+
+        try:
+            dns_answer = dns_resolver.query("www.4test-ipv4.com", 'A')
+        except dns.exception.DNSException as errorinfo:
+            raise Exception("Error: The dns_action_deny_subaction_redirect_a_rang_ttl check failure, code: %s" % errorinfo)
+        else:   # drop-redirect and respond rdtype A ipv4
+            if DNS_SERVER_REDIRECT_RANGE_LOW > dns_answer.rrset.ttl or dns_answer.rrset.ttl > DNS_SERVER_REDIRECT_RANGE_HIGH:
+                raise Exception("Error: The dns_action_deny_subaction_redirect_a_rang_ttl check failure: ttl(%d) is not DNS_SERVER_REDIRECT_RANG_TTL(%d-%d)"%(dns_answer.rrset.ttl,DNS_SERVER_REDIRECT_RANGE_LOW, DNS_SERVER_REDIRECT_RANGE_HIGH))                  
+                return    
+
+            for i in dns_answer.response.answer:
+                for j in i.items:
+                    if j.rdtype == 1: #'rdtype is A: ipv4'
+                        if j.address == "99.99.99.99":
+                            raise Exception(DnsARequestFireWallDenyRedirectRangTTL)
+                        else:
+                            raise Exception("Error: The dns request rdtype A drop redirect range ttl check failure: respond value error")
+                    else:
+                        raise Exception("Error: The dns request rdtype A drop redirect range ttl check failure: respond rdtype error")
+
+    def dns_action_deny_subaction_redirect_aaaa_rang_ttl(self):                                                                                            
+        dns_resolver=dns.resolver.Resolver()                                                                                                 
+        dns_resolver.nameservers = DNS_SERVER_IP
+        dns_resolver.timeout = float(3)                                                                                                      
+        dns_resolver.lifetime = float(3)                                                                                                     
+                                                                                                                                             
+        try:                                                                                                                                 
+            dns_answer = dns_resolver.query("www.4test-ipv6.com", 'AAAA')                                                                    
+        except dns.exception.DNSException as errorinfo:                                                                                      
+            raise Exception("Error: The dns_action_deny_subaction_redirect_aaaa range ttl check failure, code: %s" % errorinfo)                                 
+        else:   # drop-redirect and respond rdtype A ipv6                                                                                    
+           if DNS_SERVER_REDIRECT_RANGE_LOW > dns_answer.rrset.ttl or dns_answer.rrset.ttl > DNS_SERVER_REDIRECT_RANGE_HIGH:
+               raise Exception("Error: The dns_action_deny_subaction_redirect_aaaa_rang_ttl check failure: ttl(%d) is not DNS_SERVER_REDIRECT_RANG_TTL(%d-%d)"%(dns_answer.rrset.ttl, DNS_SERVER_REDIRECT_RANGE_LOW, DNS_SERVER_REDIRECT_RANGE_HIGH))                  
+               return    
+
+           for i in dns_answer.response.answer:                                                                                             
+               for j in i.items:                                                                                                            
+                   if j.rdtype == 28: #'rdtype is A: ipv6'                                                                                  
+                       if j.address == "99:99::99:99":                                                                                      
+                           raise Exception(DnsAAAARequestFireWallDenyRedirectRangTTL)                                                 
+                       else:                                                                                              
+                           raise Exception("Error: The dns request rdtype AAAA drop redirect check failure: respond value error")
+                   else:                                                                                                  
+                       raise Exception("Error: The dns request rdtype AAAA drop redirect check failure: respond rdtype error") 
+
+
+
+    def dns_action_allow_rdtype_a(self):
+        dns_resolver=dns.resolver.Resolver()
+        dns_resolver.nameservers = DNS_SERVER_IP
+        dns_resolver.timeout = float(3)
+        dns_resolver.lifetime = float(3)
+
+        try:
+            dns_answer = dns_resolver.query("www.1test-ipv4.com", 'A')
+        except dns.exception.DNSException as errorinfo:
+            raise Exception("Error: The dns request rdtype A allow check failure, code: %s" % errorinfo)
+        else:
+            if dns_answer.rrset.ttl != DNS_SERVER_ALLOW_TTL:                                                                                                  
+                raise Exception("Error: The dns request rdtype A allow check failure: ttl(%d) is not DNS_SERVER_ALLOW_TTL(%d)"%(dns_answer.rrset.ttl, DNS_SERVER_ALLOW_TTL))                  
+                return 
+
+            for i in dns_answer.response.answer:
+                for j in i.items:
+                    if j.rdtype == 1: #'rdtype is A: ipv4'
+                        if j.address == "10.1.2.3": 
+                            raise Exception(DnsARequestFirewallAllow)
+                        else:
+                            raise Exception("Error: The dns request rdtype A allow check failure: respond value error")
+
+                    else:
+                        raise Exception("Error: The dns request rdtype A allow check failure: respond rdtype error")
+ 
+    def dns_action_allow_rdtype_aaaa(self):
+        dns_resolver=dns.resolver.Resolver()
+        dns_resolver.nameservers = DNS_SERVER_IP
+        dns_resolver.timeout = float(3)
+        dns_resolver.lifetime = float(3)
+
+        try:
+            dns_answer = dns_resolver.query("www.1test-ipv6.com", 'AAAA')
+        except dns.exception.DNSException as errorinfo:
+            raise Exception("Error: The dns request rdtype AAAA allow check failure, code: %s" % errorinfo)
+        else:
+            if dns_answer.rrset.ttl != DNS_SERVER_ALLOW_TTL:                                                                                                  
+                raise Exception("Error: The dns request rdtype A allow check failure: ttl(%d) is not DNS_SERVER_ALLOW_TTL(%d)"%(dns_answer.rrset.ttl, DNS_SERVER_ALLOW_TTL))                  
+                return 
+
+            for i in dns_answer.response.answer:
+                for j in i.items: 
+                    if j.rdtype == 28: #'rdtype is AAAA: ipv6'
+                        if j.address == "11aa:11:22::33": 
+                            raise Exception(DnsAAAARequestFirewallAllow)
+                        else:
+                            raise Exception("Error: The dns request rdtype AAAA allow check failure: respond value error")
+                    else:
+                        raise Exception("Error: The dns request rdtype AAAA allow check failure: response rdtype error")
+ 
+    def dns_action_allow_rdtype_cname(self):
+        dns_resolver=dns.resolver.Resolver()
+        dns_resolver.nameservers = DNS_SERVER_IP
+        dns_resolver.timeout = float(3)
+        dns_resolver.lifetime = float(3)
+
+        try:
+            dns_answer = dns_resolver.query("www.1test-cname.com", 'CNAME')
+        except dns.exception.DNSException as errorinfo:
+            raise Exception("Error: The dns request rdtype CNAME allow check failure, code: %s" % errorinfo)
+        else:
+            if dns_answer.rrset.ttl != DNS_SERVER_ALLOW_TTL:                                                                                                  
+                raise Exception("Error: The dns request rdtype A allow check failure: ttl(%d) is not DNS_SERVER_ALLOW_TTL(%d)"%(dns_answer.rrset.ttl, DNS_SERVER_ALLOW_TTL))                  
+                return 
+
+            for i in dns_answer.response.answer:
+                for j in i.items:
+                    if j.rdtype == 5: #'CNAME: tag(www.xxx.com)' 
+                        m=str(j)
+                        if m == "www.1testanswer-cname.com.":
+                            raise Exception(DnsCNAMERequestFirewallAllow)
+                        else:
+                            raise Exception("Error: The dns request rdtype CNAME allow check failure: respond value error")
+                    else:
+                        raise Exception("Error: The dns request rdtype CNAME allow check failure: respond rdtype error")
 
 
 class SSLCheckRequestBuild:
@@ -548,6 +768,46 @@ class SslFirewallActionBuild:
 
 class SslUnitTest(unittest.TestCase):
 
+    def test_dnsRequest_deny_drop(self):
+        dnsHandler = DNSCheckRequestBuild()
+        with self.assertRaisesRegex(Exception, DnsRequestFirewallDenyDrop):
+            dnsHandler.dns_action_deny_subaction_drop() 
+
+    def test_dnsRequest_deny_redirect_a(self):
+        dnsHandler = DNSCheckRequestBuild()
+        with self.assertRaisesRegex(Exception, DnsARequestFireWallDenyRedirect):
+            dnsHandler.dns_action_deny_subaction_redirect_a()
+
+    def test_dnsRequest_deny_redirect_aaaa(self):
+        dnsHandler = DNSCheckRequestBuild()
+        with self.assertRaisesRegex(Exception, DnsAAAARequestFireWallDenyRedirect):
+            dnsHandler.dns_action_deny_subaction_redirect_aaaa()
+
+    def test_dnsRequest_deny_redirect_a_range_ttl(self):
+        dnsHandler = DNSCheckRequestBuild()
+        with self.assertRaisesRegex(Exception, DnsARequestFireWallDenyRedirectRangTTL):
+            dnsHandler.dns_action_deny_subaction_redirect_a_rang_ttl()
+
+    def test_dnsRequest_deny_redirect_aaaa_range_ttl(self):
+        dnsHandler = DNSCheckRequestBuild()
+        with self.assertRaisesRegex(Exception, DnsAAAARequestFireWallDenyRedirectRangTTL):
+            dnsHandler.dns_action_deny_subaction_redirect_aaaa_rang_ttl()
+
+    def test_dnsRequest_allow_rdtype_a(self):
+        dnsHandler = DNSCheckRequestBuild()
+        with self.assertRaisesRegex(Exception, DnsARequestFirewallAllow):
+            dnsHandler.dns_action_allow_rdtype_a() 
+
+    def test_dnsRequest_allow_rdtype_aaaa(self):
+        dnsHandler = DNSCheckRequestBuild()
+        with self.assertRaisesRegex(Exception, DnsAAAARequestFirewallAllow):
+            dnsHandler.dns_action_allow_rdtype_aaaa() 
+
+    def test_dnsRequest_allow_rdtype_cname(self):
+        dnsHandler = DNSCheckRequestBuild()
+        with self.assertRaisesRegex(Exception, DnsCNAMERequestFirewallAllow):
+            dnsHandler.dns_action_allow_rdtype_cname()
+
     def test_securityPolicy_bypass(self):
         sslHandler = SSLCheckRequestBuild()
         with self.assertRaisesRegex(Exception, ssl_bypass_info_re):
@@ -764,6 +1024,14 @@ class TsgDiagnoseRun:
     def _init_suite(self):
         self.suite = unittest.TestSuite()
         self.suite._cleanup = False
+        self._add_suite('test_dnsRequest_deny_drop')
+        self._add_suite('test_dnsRequest_deny_redirect_a')
+        self._add_suite('test_dnsRequest_deny_redirect_aaaa')
+        self._add_suite('test_dnsRequest_deny_redirect_a_range_ttl')
+        self._add_suite('test_dnsRequest_deny_redirect_aaaa_range_ttl')
+        self._add_suite('test_dnsRequest_allow_rdtype_a')
+        self._add_suite('test_dnsRequest_allow_rdtype_aaaa')
+        self._add_suite('test_dnsRequest_allow_rdtype_cname')
         self._add_suite('test_securityPolicy_bypass')
         self._add_suite('test_securityPolicy_intercept')
         self._add_suite('test_securityPolicy_intercept_certerrExpired')
@@ -887,4 +1155,4 @@ class TsgDiagnoseRun:
 
 if __name__ == '__main__':
     tsg_diagnose_run = TsgDiagnoseRun()
-    tsg_diagnose_run.execute_suite_tsg_diagnose()
+    tsg_diagnose_run.execute_suite_tsg_diagnose()