authorChalard Jean <jchalard@google.com>2019-05-10 04:33:43 -0700
committerandroid-build-merger <android-build-merger@google.com>2019-05-10 04:33:43 -0700
commite3af8a82c449e233fc76a80cbaba07d102ad090d (patch)
tree8676966b0acfcb4eea63bfb2de25fdbc3bfdc563
parentb74a10b3a74c33a342d59043183256e3b7ab1f9a (diff)
parentda4897101c5dc8388b9450f38195350cc78e30c1 (diff)
Merge "Support strict mode private DNS on VPNs that provide Internet." am: a56eab41a6
am: 549439cc92 Change-Id: I28cc679def7cdd4dc5187e65f4524c3998ebcafc
-rw-r--r--src/com/android/server/connectivity/NetworkMonitor.java20
1 files changed, 17 insertions, 3 deletions
diff --git a/src/com/android/server/connectivity/NetworkMonitor.java b/src/com/android/server/connectivity/NetworkMonitor.java
index 7bdf396..8e9350d 100644
--- a/src/com/android/server/connectivity/NetworkMonitor.java
+++ b/src/com/android/server/connectivity/NetworkMonitor.java
@@ -520,6 +520,9 @@ public class NetworkMonitor extends StateMachine {
return NetworkMonitorUtils.isValidationRequired(mNetworkCapabilities);
}
+ private boolean isPrivateDnsValidationRequired() {
+ return NetworkMonitorUtils.isPrivateDnsValidationRequired(mNetworkCapabilities);
+ }
private void notifyNetworkTested(int result, @Nullable String redirectUrl) {
try {
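Review bot: The new `isPrivateDnsValidationRequired()` helper has no comment explaining how it differs from `isValidationRequired()` directly above it. The two predicates are now combined in the evaluation path (third hunk) and swapped for one another in the `CMD_PRIVATE_DNS_SETTINGS_CHANGED` handler (second hunk), so mixing them up would silently change whether strict-mode private DNS is enforced on a VPN. I would add a short Javadoc taken from the wording the commit already uses further down, e.g. `/** True for networks that must resolve the strict-mode private DNS server even when full validation is skipped (e.g. VPNs that provide Internet). */`. The exact capability test is in `NetworkMonitorUtils`, which this diff does not show, so the comment should be checked against it.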
@@ -607,7 +610,7 @@ public class NetworkMonitor extends StateMachine {
return HANDLED;
case CMD_PRIVATE_DNS_SETTINGS_CHANGED: {
final PrivateDnsConfig cfg = (PrivateDnsConfig) message.obj;
- if (!isValidationRequired() || cfg == null || !cfg.inStrictMode()) {
+ if (!isPrivateDnsValidationRequired() || cfg == null || !cfg.inStrictMode()) {
// No DNS resolution required.
//
// We don't force any validation in opportunistic mode
@@ -843,9 +846,20 @@ public class NetworkMonitor extends StateMachine {
// the network so don't bother validating here. Furthermore sending HTTP
// packets over the network may be undesirable, for example an extremely
// expensive metered network, or unwanted leaking of the User Agent string.
+ //
+ // On networks that need to support private DNS in strict mode (e.g., VPNs, but
+ // not networks that don't provide Internet access), we still need to perform
+ // private DNS server resolution.
if (!isValidationRequired()) {
- validationLog("Network would not satisfy default request, not validating");
- transitionTo(mValidatedState);
+ if (isPrivateDnsValidationRequired()) {
+ validationLog("Network would not satisfy default request, "
+ + "resolving private DNS");
+ transitionTo(mEvaluatingPrivateDnsState);
+ } else {
+ validationLog("Network would not satisfy default request, "
+ + "not validating");
+ transitionTo(mValidatedState);
+ }
return HANDLED;
}
mEvaluateAttempts++;
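Review bot: The added branch under `if (!isValidationRequired())` moves to `mEvaluatingPrivateDnsState` whenever `isPrivateDnsValidationRequired()` is true, without checking that private DNS is in strict mode. The `CMD_PRIVATE_DNS_SETTINGS_CHANGED` handler in the second hunk does make that check with `cfg.inStrictMode()`. Presumably the target state handles off and opportunistic configurations and proceeds to `mValidatedState`, and also decides what a VPN does when the strict-mode hostname cannot be resolved, but that code is outside this hunk. A comment would make the dependency explicit, e.g. `// mEvaluatingPrivateDnsState is responsible for non-strict configs and for failing validation if the strict-mode server cannot be resolved.` (confirm against that state before adding it). The diffstat lists only NetworkMonitor.java, so coverage for the "validation not required, strict mode on, resolution fails" case would have to come from a separate change. The enclosing method starts and ends outside the hunk.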