1 /* 2 * Copyright (C) 2018 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package com.android.server.connectivity; 18 19 import static android.net.ConnectivitySettingsManager.DNS_RESOLVER_MAX_SAMPLES; 20 import static android.net.ConnectivitySettingsManager.DNS_RESOLVER_MIN_SAMPLES; 21 import static android.net.ConnectivitySettingsManager.DNS_RESOLVER_SAMPLE_VALIDITY_SECONDS; 22 import static android.net.ConnectivitySettingsManager.DNS_RESOLVER_SUCCESS_THRESHOLD_PERCENT; 23 import static android.net.ConnectivitySettingsManager.PRIVATE_DNS_DEFAULT_MODE; 24 import static android.net.ConnectivitySettingsManager.PRIVATE_DNS_MODE; 25 import static android.net.ConnectivitySettingsManager.PRIVATE_DNS_MODE_OFF; 26 import static android.net.ConnectivitySettingsManager.PRIVATE_DNS_MODE_PROVIDER_HOSTNAME; 27 import static android.net.ConnectivitySettingsManager.PRIVATE_DNS_SPECIFIER; 28 import static android.net.resolv.aidl.IDnsResolverUnsolicitedEventListener.VALIDATION_RESULT_FAILURE; 29 import static android.net.resolv.aidl.IDnsResolverUnsolicitedEventListener.VALIDATION_RESULT_SUCCESS; 30 31 import android.annotation.NonNull; 32 import android.content.ContentResolver; 33 import android.content.Context; 34 import android.content.Intent; 35 import android.net.ConnectivityManager; 36 import android.net.ConnectivitySettingsManager; 37 import android.net.IDnsResolver; 38 import android.net.InetAddresses; 39 import android.net.LinkProperties; 40 import android.net.Network; 41 import android.net.ResolverParamsParcel; 42 import android.net.Uri; 43 import android.net.shared.PrivateDnsConfig; 44 import android.os.Binder; 45 import android.os.RemoteException; 46 import android.os.ServiceSpecificException; 47 import android.os.UserHandle; 48 import android.provider.Settings; 49 import android.text.TextUtils; 50 import android.util.Log; 51 import android.util.Pair; 52 53 import java.net.InetAddress; 54 import java.util.Arrays; 55 import java.util.Collection; 56 import java.util.Collections; 57 import java.util.HashMap; 58 import java.util.HashSet; 59 import java.util.Iterator; 60 import java.util.Map; 61 import java.util.Set; 62 import java.util.concurrent.ConcurrentHashMap; 63 import java.util.stream.Collectors; 64 65 /** 66 * Encapsulate the management of DNS settings for networks. 67 * 68 * This class it NOT designed for concurrent access. Furthermore, all non-static 69 * methods MUST be called from ConnectivityService's thread. However, an exceptional 70 * case is getPrivateDnsConfig(Network) which is exclusively for 71 * ConnectivityService#dumpNetworkDiagnostics() on a random binder thread. 72 * 73 * [ Private DNS ] 74 * The code handling Private DNS is spread across several components, but this 75 * seems like the least bad place to collect all the observations. 76 * 77 * Private DNS handling and updating occurs in response to several different 78 * events. Each is described here with its corresponding intended handling. 79 * 80 * [A] Event: A new network comes up. 81 * Mechanics: 82 * [1] ConnectivityService gets notifications from NetworkAgents. 83 * [2] in updateNetworkInfo(), the first time the NetworkAgent goes into 84 * into CONNECTED state, the Private DNS configuration is retrieved, 85 * programmed, and strict mode hostname resolution (if applicable) is 86 * enqueued in NetworkAgent's NetworkMonitor, via a call to 87 * handlePerNetworkPrivateDnsConfig(). 88 * [3] Re-resolution of strict mode hostnames that fail to return any 89 * IP addresses happens inside NetworkMonitor; it sends itself a 90 * delayed CMD_EVALUATE_PRIVATE_DNS message in a simple backoff 91 * schedule. 92 * [4] Successfully resolved hostnames are sent to ConnectivityService 93 * inside an EVENT_PRIVATE_DNS_CONFIG_RESOLVED message. The resolved 94 * IP addresses are programmed into netd via: 95 * 96 * updatePrivateDns() -> updateDnses() 97 * 98 * both of which make calls into DnsManager. 99 * [5] Upon a successful hostname resolution NetworkMonitor initiates a 100 * validation attempt in the form of a lookup for a one-time hostname 101 * that uses Private DNS. 102 * 103 * [B] Event: Private DNS settings are changed. 104 * Mechanics: 105 * [1] ConnectivityService gets notifications from its SettingsObserver. 106 * [2] handlePrivateDnsSettingsChanged() is called, which calls 107 * handlePerNetworkPrivateDnsConfig() and the process proceeds 108 * as if from A.3 above. 109 * 110 * [C] Event: An application calls ConnectivityManager#reportBadNetwork(). 111 * Mechanics: 112 * [1] NetworkMonitor is notified and initiates a reevaluation, which 113 * always bypasses Private DNS. 114 * [2] Once completed, NetworkMonitor checks if strict mode is in operation 115 * and if so enqueues another evaluation of Private DNS, as if from 116 * step A.5 above. 117 * 118 * @hide 119 */ 120 public class DnsManager { 121 private static final String TAG = DnsManager.class.getSimpleName(); 122 private static final PrivateDnsConfig PRIVATE_DNS_OFF = new PrivateDnsConfig(); 123 124 /* Defaults for resolver parameters. */ 125 private static final int DNS_RESOLVER_DEFAULT_SAMPLE_VALIDITY_SECONDS = 1800; 126 private static final int DNS_RESOLVER_DEFAULT_SUCCESS_THRESHOLD_PERCENT = 25; 127 private static final int DNS_RESOLVER_DEFAULT_MIN_SAMPLES = 8; 128 private static final int DNS_RESOLVER_DEFAULT_MAX_SAMPLES = 64; 129 130 /** 131 * Get PrivateDnsConfig. 132 */ 133 public static PrivateDnsConfig getPrivateDnsConfig(Context context) { 134 final int mode = ConnectivitySettingsManager.getPrivateDnsMode(context); 135 136 final boolean useTls = mode != PRIVATE_DNS_MODE_OFF; 137 138 if (PRIVATE_DNS_MODE_PROVIDER_HOSTNAME == mode) { 139 final String specifier = getStringSetting(context.getContentResolver(), 140 PRIVATE_DNS_SPECIFIER); 141 return new PrivateDnsConfig(specifier, null); 142 } 143 144 return new PrivateDnsConfig(useTls); 145 } 146 147 public static Uri[] getPrivateDnsSettingsUris() { 148 return new Uri[]{ 149 Settings.Global.getUriFor(PRIVATE_DNS_DEFAULT_MODE), 150 Settings.Global.getUriFor(PRIVATE_DNS_MODE), 151 Settings.Global.getUriFor(PRIVATE_DNS_SPECIFIER), 152 }; 153 } 154 155 public static class PrivateDnsValidationUpdate { 156 public final int netId; 157 public final InetAddress ipAddress; 158 public final String hostname; 159 // Refer to IDnsResolverUnsolicitedEventListener.VALIDATION_RESULT_*. 160 public final int validationResult; 161 162 public PrivateDnsValidationUpdate(int netId, InetAddress ipAddress, 163 String hostname, int validationResult) { 164 this.netId = netId; 165 this.ipAddress = ipAddress; 166 this.hostname = hostname; 167 this.validationResult = validationResult; 168 } 169 } 170 171 private static class PrivateDnsValidationStatuses { 172 enum ValidationStatus { 173 IN_PROGRESS, 174 FAILED, 175 SUCCEEDED 176 } 177 178 // Validation statuses of <hostname, ipAddress> pairs for a single netId 179 // Caution : not thread-safe. As mentioned in the top file comment, all 180 // methods of this class must only be called on ConnectivityService's thread. 181 private Map<Pair<String, InetAddress>, ValidationStatus> mValidationMap; 182 183 private PrivateDnsValidationStatuses() { 184 mValidationMap = new HashMap<>(); 185 } 186 187 private boolean hasValidatedServer() { 188 for (ValidationStatus status : mValidationMap.values()) { 189 if (status == ValidationStatus.SUCCEEDED) { 190 return true; 191 } 192 } 193 return false; 194 } 195 196 private void updateTrackedDnses(String[] ipAddresses, String hostname) { 197 Set<Pair<String, InetAddress>> latestDnses = new HashSet<>(); 198 for (String ipAddress : ipAddresses) { 199 try { 200 latestDnses.add(new Pair(hostname, 201 InetAddresses.parseNumericAddress(ipAddress))); 202 } catch (IllegalArgumentException e) {} 203 } 204 // Remove <hostname, ipAddress> pairs that should not be tracked. 205 for (Iterator<Map.Entry<Pair<String, InetAddress>, ValidationStatus>> it = 206 mValidationMap.entrySet().iterator(); it.hasNext(); ) { 207 Map.Entry<Pair<String, InetAddress>, ValidationStatus> entry = it.next(); 208 if (!latestDnses.contains(entry.getKey())) { 209 it.remove(); 210 } 211 } 212 // Add new <hostname, ipAddress> pairs that should be tracked. 213 for (Pair<String, InetAddress> p : latestDnses) { 214 if (!mValidationMap.containsKey(p)) { 215 mValidationMap.put(p, ValidationStatus.IN_PROGRESS); 216 } 217 } 218 } 219 220 private void updateStatus(PrivateDnsValidationUpdate update) { 221 Pair<String, InetAddress> p = new Pair(update.hostname, 222 update.ipAddress); 223 if (!mValidationMap.containsKey(p)) { 224 return; 225 } 226 if (update.validationResult == VALIDATION_RESULT_SUCCESS) { 227 mValidationMap.put(p, ValidationStatus.SUCCEEDED); 228 } else if (update.validationResult == VALIDATION_RESULT_FAILURE) { 229 mValidationMap.put(p, ValidationStatus.FAILED); 230 } else { 231 Log.e(TAG, "Unknown private dns validation operation=" 232 + update.validationResult); 233 } 234 } 235 236 private LinkProperties fillInValidatedPrivateDns(LinkProperties lp) { 237 lp.setValidatedPrivateDnsServers(Collections.EMPTY_LIST); 238 mValidationMap.forEach((key, value) -> { 239 if (value == ValidationStatus.SUCCEEDED) { 240 lp.addValidatedPrivateDnsServer(key.second); 241 } 242 }); 243 return lp; 244 } 245 } 246 247 private final Context mContext; 248 private final ContentResolver mContentResolver; 249 private final IDnsResolver mDnsResolver; 250 private final ConcurrentHashMap<Integer, PrivateDnsConfig> mPrivateDnsMap; 251 // TODO: Replace the Map with SparseArrays. 252 private final Map<Integer, PrivateDnsValidationStatuses> mPrivateDnsValidationMap; 253 private final Map<Integer, LinkProperties> mLinkPropertiesMap; 254 private final Map<Integer, int[]> mTransportsMap; 255 256 private int mSampleValidity; 257 private int mSuccessThreshold; 258 private int mMinSamples; 259 private int mMaxSamples; 260 261 public DnsManager(Context ctx, IDnsResolver dnsResolver) { 262 mContext = ctx; 263 mContentResolver = mContext.getContentResolver(); 264 mDnsResolver = dnsResolver; 265 mPrivateDnsMap = new ConcurrentHashMap<>(); 266 mPrivateDnsValidationMap = new HashMap<>(); 267 mLinkPropertiesMap = new HashMap<>(); 268 mTransportsMap = new HashMap<>(); 269 270 // TODO: Create and register ContentObservers to track every setting 271 // used herein, posting messages to respond to changes. 272 } 273 274 public PrivateDnsConfig getPrivateDnsConfig() { 275 return getPrivateDnsConfig(mContext); 276 } 277 278 public void removeNetwork(Network network) { 279 mPrivateDnsMap.remove(network.getNetId()); 280 mPrivateDnsValidationMap.remove(network.getNetId()); 281 mTransportsMap.remove(network.getNetId()); 282 mLinkPropertiesMap.remove(network.getNetId()); 283 } 284 285 // This is exclusively called by ConnectivityService#dumpNetworkDiagnostics() which 286 // is not on the ConnectivityService handler thread. 287 public PrivateDnsConfig getPrivateDnsConfig(@NonNull Network network) { 288 return mPrivateDnsMap.getOrDefault(network.getNetId(), PRIVATE_DNS_OFF); 289 } 290 291 public PrivateDnsConfig updatePrivateDns(Network network, PrivateDnsConfig cfg) { 292 Log.w(TAG, "updatePrivateDns(" + network + ", " + cfg + ")"); 293 return (cfg != null) 294 ? mPrivateDnsMap.put(network.getNetId(), cfg) 295 : mPrivateDnsMap.remove(network.getNetId()); 296 } 297 298 public void updatePrivateDnsStatus(int netId, LinkProperties lp) { 299 // Use the PrivateDnsConfig data pushed to this class instance 300 // from ConnectivityService. 301 final PrivateDnsConfig privateDnsCfg = mPrivateDnsMap.getOrDefault(netId, 302 PRIVATE_DNS_OFF); 303 304 final boolean useTls = privateDnsCfg.useTls; 305 final PrivateDnsValidationStatuses statuses = 306 useTls ? mPrivateDnsValidationMap.get(netId) : null; 307 final boolean validated = (null != statuses) && statuses.hasValidatedServer(); 308 final boolean strictMode = privateDnsCfg.inStrictMode(); 309 final String tlsHostname = strictMode ? privateDnsCfg.hostname : null; 310 final boolean usingPrivateDns = strictMode || validated; 311 312 lp.setUsePrivateDns(usingPrivateDns); 313 lp.setPrivateDnsServerName(tlsHostname); 314 if (usingPrivateDns && null != statuses) { 315 statuses.fillInValidatedPrivateDns(lp); 316 } else { 317 lp.setValidatedPrivateDnsServers(Collections.EMPTY_LIST); 318 } 319 } 320 321 public void updatePrivateDnsValidation(PrivateDnsValidationUpdate update) { 322 final PrivateDnsValidationStatuses statuses = mPrivateDnsValidationMap.get(update.netId); 323 if (statuses == null) return; 324 statuses.updateStatus(update); 325 } 326 327 /** 328 * When creating a new network or transport types are changed in a specific network, 329 * transport types are always saved to a hashMap before update dns config. 330 * When destroying network, the specific network will be removed from the hashMap. 331 * The hashMap is always accessed on the same thread. 332 */ 333 public void updateTransportsForNetwork(int netId, @NonNull int[] transportTypes) { 334 mTransportsMap.put(netId, transportTypes); 335 sendDnsConfigurationForNetwork(netId); 336 } 337 338 /** 339 * When {@link LinkProperties} are changed in a specific network, they are 340 * always saved to a hashMap before update dns config. 341 * When destroying network, the specific network will be removed from the hashMap. 342 * The hashMap is always accessed on the same thread. 343 */ 344 public void noteDnsServersForNetwork(int netId, @NonNull LinkProperties lp) { 345 mLinkPropertiesMap.put(netId, lp); 346 sendDnsConfigurationForNetwork(netId); 347 } 348 349 /** 350 * Send dns configuration parameters to resolver for a given network. 351 */ 352 public void sendDnsConfigurationForNetwork(int netId) { 353 final LinkProperties lp = mLinkPropertiesMap.get(netId); 354 final int[] transportTypes = mTransportsMap.get(netId); 355 if (lp == null || transportTypes == null) return; 356 updateParametersSettings(); 357 final ResolverParamsParcel paramsParcel = new ResolverParamsParcel(); 358 359 // We only use the PrivateDnsConfig data pushed to this class instance 360 // from ConnectivityService because it works in coordination with 361 // NetworkMonitor to decide which networks need validation and runs the 362 // blocking calls to resolve Private DNS strict mode hostnames. 363 // 364 // At this time we do not attempt to enable Private DNS on non-Internet 365 // networks like IMS. 366 final PrivateDnsConfig privateDnsCfg = mPrivateDnsMap.getOrDefault(netId, 367 PRIVATE_DNS_OFF); 368 final boolean useTls = privateDnsCfg.useTls; 369 final boolean strictMode = privateDnsCfg.inStrictMode(); 370 371 paramsParcel.netId = netId; 372 paramsParcel.sampleValiditySeconds = mSampleValidity; 373 paramsParcel.successThreshold = mSuccessThreshold; 374 paramsParcel.minSamples = mMinSamples; 375 paramsParcel.maxSamples = mMaxSamples; 376 paramsParcel.servers = makeStrings(lp.getDnsServers()); 377 paramsParcel.domains = getDomainStrings(lp.getDomains()); 378 paramsParcel.tlsName = strictMode ? privateDnsCfg.hostname : ""; 379 paramsParcel.tlsServers = 380 strictMode ? makeStrings( 381 Arrays.stream(privateDnsCfg.ips) 382 .filter((ip) -> lp.isReachable(ip)) 383 .collect(Collectors.toList())) 384 : useTls ? paramsParcel.servers // Opportunistic 385 : new String[0]; // Off 386 paramsParcel.transportTypes = transportTypes; 387 // Prepare to track the validation status of the DNS servers in the 388 // resolver config when private DNS is in opportunistic or strict mode. 389 if (useTls) { 390 if (!mPrivateDnsValidationMap.containsKey(netId)) { 391 mPrivateDnsValidationMap.put(netId, new PrivateDnsValidationStatuses()); 392 } 393 mPrivateDnsValidationMap.get(netId).updateTrackedDnses(paramsParcel.tlsServers, 394 paramsParcel.tlsName); 395 } else { 396 mPrivateDnsValidationMap.remove(netId); 397 } 398 399 Log.d(TAG, String.format("sendDnsConfigurationForNetwork(%d, %s, %s, %d, %d, %d, %d, " 400 + "%d, %d, %s, %s)", paramsParcel.netId, Arrays.toString(paramsParcel.servers), 401 Arrays.toString(paramsParcel.domains), paramsParcel.sampleValiditySeconds, 402 paramsParcel.successThreshold, paramsParcel.minSamples, 403 paramsParcel.maxSamples, paramsParcel.baseTimeoutMsec, 404 paramsParcel.retryCount, paramsParcel.tlsName, 405 Arrays.toString(paramsParcel.tlsServers))); 406 407 try { 408 mDnsResolver.setResolverConfiguration(paramsParcel); 409 } catch (RemoteException | ServiceSpecificException e) { 410 Log.e(TAG, "Error setting DNS configuration: " + e); 411 return; 412 } 413 } 414 415 /** 416 * Flush DNS caches and events work before boot has completed. 417 */ 418 public void flushVmDnsCache() { 419 /* 420 * Tell the VMs to toss their DNS caches 421 */ 422 final Intent intent = new Intent(ConnectivityManager.ACTION_CLEAR_DNS_CACHE); 423 intent.addFlags(Intent.FLAG_RECEIVER_REPLACE_PENDING); 424 /* 425 * Connectivity events can happen before boot has completed ... 426 */ 427 intent.addFlags(Intent.FLAG_RECEIVER_REGISTERED_ONLY_BEFORE_BOOT); 428 final long ident = Binder.clearCallingIdentity(); 429 try { 430 mContext.sendBroadcastAsUser(intent, UserHandle.ALL); 431 } finally { 432 Binder.restoreCallingIdentity(ident); 433 } 434 } 435 436 private void updateParametersSettings() { 437 mSampleValidity = getIntSetting( 438 DNS_RESOLVER_SAMPLE_VALIDITY_SECONDS, 439 DNS_RESOLVER_DEFAULT_SAMPLE_VALIDITY_SECONDS); 440 if (mSampleValidity < 0 || mSampleValidity > 65535) { 441 Log.w(TAG, "Invalid sampleValidity=" + mSampleValidity + ", using default=" 442 + DNS_RESOLVER_DEFAULT_SAMPLE_VALIDITY_SECONDS); 443 mSampleValidity = DNS_RESOLVER_DEFAULT_SAMPLE_VALIDITY_SECONDS; 444 } 445 446 mSuccessThreshold = getIntSetting( 447 DNS_RESOLVER_SUCCESS_THRESHOLD_PERCENT, 448 DNS_RESOLVER_DEFAULT_SUCCESS_THRESHOLD_PERCENT); 449 if (mSuccessThreshold < 0 || mSuccessThreshold > 100) { 450 Log.w(TAG, "Invalid successThreshold=" + mSuccessThreshold + ", using default=" 451 + DNS_RESOLVER_DEFAULT_SUCCESS_THRESHOLD_PERCENT); 452 mSuccessThreshold = DNS_RESOLVER_DEFAULT_SUCCESS_THRESHOLD_PERCENT; 453 } 454 455 mMinSamples = getIntSetting(DNS_RESOLVER_MIN_SAMPLES, DNS_RESOLVER_DEFAULT_MIN_SAMPLES); 456 mMaxSamples = getIntSetting(DNS_RESOLVER_MAX_SAMPLES, DNS_RESOLVER_DEFAULT_MAX_SAMPLES); 457 if (mMinSamples < 0 || mMinSamples > mMaxSamples || mMaxSamples > 64) { 458 Log.w(TAG, "Invalid sample count (min, max)=(" + mMinSamples + ", " + mMaxSamples 459 + "), using default=(" + DNS_RESOLVER_DEFAULT_MIN_SAMPLES + ", " 460 + DNS_RESOLVER_DEFAULT_MAX_SAMPLES + ")"); 461 mMinSamples = DNS_RESOLVER_DEFAULT_MIN_SAMPLES; 462 mMaxSamples = DNS_RESOLVER_DEFAULT_MAX_SAMPLES; 463 } 464 } 465 466 private int getIntSetting(String which, int dflt) { 467 return Settings.Global.getInt(mContentResolver, which, dflt); 468 } 469 470 /** 471 * Create a string array of host addresses from a collection of InetAddresses 472 * 473 * @param addrs a Collection of InetAddresses 474 * @return an array of Strings containing their host addresses 475 */ 476 private String[] makeStrings(Collection<InetAddress> addrs) { 477 String[] result = new String[addrs.size()]; 478 int i = 0; 479 for (InetAddress addr : addrs) { 480 result[i++] = addr.getHostAddress(); 481 } 482 return result; 483 } 484 485 private static String getStringSetting(ContentResolver cr, String which) { 486 return Settings.Global.getString(cr, which); 487 } 488 489 private static String[] getDomainStrings(String domains) { 490 return (TextUtils.isEmpty(domains)) ? new String[0] : domains.split(" "); 491 } 492 } 493