# 1. Overview

This folder contains a test application for RIOT's sock-based DNS over DTLS client.
# 2. How to test with native

## 2.1. Setting up a tap interface

1. Create a tap interface with a valid IPv6 address:

   ```
   $ sudo ip tuntap add dev tap0 mode tap user $(id -u -n)
   $ sudo ip a a 2001:db8::1/64 dev tap0
   $ sudo ip link set up dev tap0
   $ ip addr show dev tap0
   4: tap0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
       link/ether e2:bc:7d:6b:8b:08 brd ff:ff:ff:ff:ff:ff
       inet6 2001:db8::1/64 scope global
          valid_lft forever preferred_lft forever
       inet6 fe80::e0bc:7dff:fe6b:8b08/64 scope link
          valid_lft forever preferred_lft forever
   ```

   Note down the link-local address.
2. Run the test application:

   ```
   $ make flash -j term
   ```

   and copy the link-local address using `ifconfig`:

   ```
   > ifconfig
   ifconfig
   Iface  5  HWaddr: E2:BC:7D:6B:8B:09
             L2-PDU:1500  MTU:1500  HL:64  Source address length: 6
             Link type: wired
             inet6 addr: fe80::e0bc:7dff:fe6b:8b09  scope: link  VAL
             inet6 group: ff02::1
             inet6 group: ff02::1:ff6b:8b09
   ```
3. Use it to configure a route to the `native` device (replace `2001:db8::/64` if you used a different prefix in step 1):

   ```
   $ sudo ip route add 2001:db8::/64 via fe80::e0bc:7dff:fe6b:8b09 dev tap0
   ```
4. Run `make term` again to configure the global address for the `native` device and the route to the host from the `native` device:

   ```
   > ifconfig 5 add 2001:db8::2
   ifconfig 5 add 2001:db8::2
   success: added 2001:db8::2/64 to interface 5
   > nib route add 5 default fe80::e0bc:7dff:fe6b:8b08
   nib route add 5 default fe80::e0bc:7dff:fe6b:8b08
   ```

   Keep the `native` instance open for 2.3.
## 2.2. Install and run a test server

1. In a new terminal, install `aiodnsprox` as your test server:

   ```
   $ sudo pip install git+https://github.com/anr-bmbf-pivot/aiodnsprox/
   ```
2. Provide a minimal configuration file containing the `TLS_PSK_WITH_AES_128_CCM_8` pre-shared key credentials for the DTLS server:

   ```
   $ cat << EOF > test.yaml
   dtls_credentials:
     client_identity: Client_identity
     psk: secretPSK
   EOF
   ```
3. Run the DNS server with a DTLS transport bound to the `tap0` interface (`-d 2001:db8::1`; replace the address if you used a different one in 2.1's step 1), using a public DNS server as upstream (`-U 9.9.9.9`). `sudo` is required to be able to bind to the DNS over DTLS port 853:

   ```
   $ sudo aiodns-proxy -C test.yaml -U 9.9.9.9 -d 2001:db8::1
   ```
## 2.3. Configure DNS over DTLS client and query a name

Use the RIOT shell you kept open in 2.1 to configure the DNS over DTLS server and request `example.org` from it.

1. Provide the DNS over DTLS server address, port (optional), credential tag (5853), `TLS_PSK_WITH_AES_128_CCM_8` client identity (`Client_identity`) and `TLS_PSK_WITH_AES_128_CCM_8` secret key (`secretPSK`) to the DNS over DTLS client:

   ```
   > dodtls server [2001:db8::1]:853 5853 Client_identity secretPSK
   > dodtls server
   DNS over DTLS server: [2001:db8::1]:853
   ```
2. Now you should be able to query a name:

   ```
   > dodtls request example.org inet6
   dodtls request example.org inet6
   example.org resolves to 2606:2800:220:1:248:1893:25c8:1946
   > dodtls request example.org inet
   dodtls request example.org inet
   example.org resolves to 93.184.216.34
   ```
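The two `dodtls request` calls above carry a plain DNS message (RFC 1035) as the DTLS application data, which is what the DTLS session with the PSK from `test.yaml` protects. As an added illustration, not code from RIOT or from `aiodnsprox`, the Python below builds the AAAA/A query for `example.org`, parses the reply, and checks the transaction ID so a reply to a different query is rejected; the server reply is constructed locally with the addresses shown above so the example runs offline.

```python
import socket
import struct

# DNS wire format (RFC 1035); DNS over DTLS (RFC 8094) carries exactly this as DTLS application data.
QTYPE_A, QTYPE_AAAA = 1, 28
FAMILY = {QTYPE_A: socket.AF_INET, QTYPE_AAAA: socket.AF_INET6}

def encode_name(name):
    """Encode "example.org" as length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.strip(".").split(".")) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Header (ID, RD flag set, QDCOUNT=1) followed by one question (QCLASS IN)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(msg, off):
    """Decode the name at msg[off], following compression pointers (0xC0xx)."""
    labels = []
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:  # pointer: the rest of the name lives elsewhere in the message
            tail, _ = read_name(msg, ((msg[off] & 0x3F) << 8) | msg[off + 1])
            return ".".join(labels + [tail]), off + 2
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return ".".join(labels), off + 1

def parse_answers(msg, expected_id):
    """Return [(name, address)] for A/AAAA answers; reject replies we did not ask for."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id or not flags & 0x8000:
        raise ValueError("transaction ID mismatch or not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off, out = 12, []
    for _ in range(qd):  # skip the echoed question section (name + QTYPE + QCLASS)
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype in FAMILY and len(rdata) == (4 if rtype == QTYPE_A else 16):
            out.append((name, socket.inet_ntop(FAMILY[rtype], rdata)))
    return out

def constructed_response(query, qtype, addr):
    """Constructed server reply: echo the question, point the answer's name at it (0xC00C)."""
    rdata = socket.inet_pton(FAMILY[qtype], addr)
    header = struct.pack("!HHHHHH", query[0] << 8 | query[1], 0x8180, 1, 1, 0, 0)
    return header + query[12:] + b"\xC0\x0C" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
```

Records of other types (for example a CNAME preceding the address) are skipped rather than mis-decoded, and the RCODE check surfaces upstream failures such as NXDOMAIN instead of returning an empty list.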