Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQCEPgDV5K0EBUq3X3Pb7wVeg7KbAU83jd9ruOPz+UGW4Ur43ol/p1f'
set service dns proxy server-name rd-server
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
-- Logs begin at Mon 2024-02-26 19:14:19 UTC, end at Mon 2024-02-26 19:14:24 UTC. --
Feb 26 19:14:19.427341 osdx systemd-journald[1369]: Runtime journal (/run/log/journal/bb5e03885d754db09ee63ec3d68ce029) is 2.0M, max 16.0M, 14.0M free.
Feb 26 19:14:19.445200 osdx OSDxCLI[2572]: User 'admin' executed a new command: 'system journal clear'.
Feb 26 19:14:20.118472 osdx osdx-coredump[16854]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 26 19:14:20.130678 osdx OSDxCLI[2572]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 26 19:14:21.197266 osdx OSDxCLI[2572]: User 'admin' entered the configuration menu.
Feb 26 19:14:21.323876 osdx OSDxCLI[2572]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 26 19:14:21.465307 osdx OSDxCLI[2572]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 26 19:14:21.619623 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 26 19:14:21.741356 osdx cfgd[997]: [2572]Completed change to active configuration
Feb 26 19:14:21.796580 osdx OSDxCLI[2572]: User 'admin' committed the configuration.
Feb 26 19:14:21.847834 osdx OSDxCLI[2572]: User 'admin' left the configuration menu.
Feb 26 19:14:22.051598 osdx OSDxCLI[2572]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 26 19:14:22.349903 osdx OSDxCLI[2572]: User 'admin' entered the configuration menu.
Feb 26 19:14:22.473899 osdx OSDxCLI[2572]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 26 19:14:22.593825 osdx OSDxCLI[2572]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Feb 26 19:14:22.712602 osdx OSDxCLI[2572]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQCEPgDV5K0EBUq3X3Pb7wVeg7KbAU83jd9ruOPz+UGW4Ur43ol/p1f''.
Feb 26 19:14:22.821795 osdx OSDxCLI[2572]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Feb 26 19:14:22.977573 osdx ca-certificates[16984]: Updating certificates in /etc/ssl/certs...
Feb 26 19:14:23.776177 osdx ca-certificates[17968]: 1 added, 0 removed; done.
Feb 26 19:14:23.783854 osdx ca-certificates[17973]: Running hooks in /etc/ca-certificates/update.d...
Feb 26 19:14:23.789994 osdx ca-certificates[17976]: done.
Feb 26 19:14:23.868936 osdx systemd[1]: Started DNSCrypt client proxy.
Feb 26 19:14:23.872653 osdx cfgd[997]: [2572]Completed change to active configuration
Feb 26 19:14:23.881555 osdx OSDxCLI[2572]: User 'admin' committed the configuration.
Feb 26 19:14:23.906957 osdx dnscrypt-proxy[17980]: [2024-02-26 19:14:23] [NOTICE] dnscrypt-proxy 2.0.45
Feb 26 19:14:23.907548 osdx dnscrypt-proxy[17980]: [2024-02-26 19:14:23] [NOTICE] Network connectivity detected
Feb 26 19:14:23.908555 osdx dnscrypt-proxy[17980]: [2024-02-26 19:14:23] [NOTICE] Dropping privileges
Feb 26 19:14:23.911853 osdx dnscrypt-proxy[17980]: [2024-02-26 19:14:23] [NOTICE] Network connectivity detected
Feb 26 19:14:23.912088 osdx dnscrypt-proxy[17980]: [2024-02-26 19:14:23] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Feb 26 19:14:23.912533 osdx dnscrypt-proxy[17980]: [2024-02-26 19:14:23] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Feb 26 19:14:23.923309 osdx OSDxCLI[2572]: User 'admin' left the configuration menu.
Feb 26 19:14:23.981970 osdx dnscrypt-proxy[17980]: [2024-02-26 19:14:23] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-rrlpktbrg3k5peht.tmp: permission denied
Feb 26 19:14:23.981970 osdx dnscrypt-proxy[17980]: [2024-02-26 19:14:23] [NOTICE] Source [RD] loaded
Feb 26 19:14:23.981970 osdx dnscrypt-proxy[17980]: [2024-02-26 19:14:23] [WARNING] Missing stamp for server [server-name`]
Feb 26 19:14:23.981970 osdx dnscrypt-proxy[17980]: [2024-02-26 19:14:23] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Feb 26 19:14:23.981970 osdx dnscrypt-proxy[17980]: [2024-02-26 19:14:23] [NOTICE] Firefox workaround initialized
Feb 26 19:14:23.981970 osdx dnscrypt-proxy[17980]: [2024-02-26 19:14:23] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp2Ft6Oa]
Feb 26 19:14:24.146503 osdx dnscrypt-proxy[17980]: [2024-02-26 19:14:24] [NOTICE] [rd-server] OK (DoH) - rtt: 117ms
Feb 26 19:14:24.146503 osdx dnscrypt-proxy[17980]: [2024-02-26 19:14:24] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 117ms)
Feb 26 19:14:24.146503 osdx dnscrypt-proxy[17980]: [2024-02-26 19:14:24] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Feb 26 19:14:24.153595 osdx OSDxCLI[2572]: User 'admin' executed a new command: 'system journal show | cat'.
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQCEPgDV5K0EBUq3X3Pb7wVeg7KbAU83jd9ruOPz+UGW4Ur43ol/p1f'
set service dns proxy source RD prefix PRIVATE-
set service dns proxy server-name PRIVATE-rd-server
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
-- Logs begin at Mon 2024-02-26 19:14:32 UTC, end at Mon 2024-02-26 19:14:37 UTC. --
Feb 26 19:14:32.428403 osdx systemd-journald[1369]: Runtime journal (/run/log/journal/bb5e03885d754db09ee63ec3d68ce029) is 2.0M, max 16.0M, 14.0M free.
Feb 26 19:14:32.446294 osdx OSDxCLI[2572]: User 'admin' executed a new command: 'system journal clear'.
Feb 26 19:14:33.120467 osdx osdx-coredump[19585]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Feb 26 19:14:33.132437 osdx OSDxCLI[2572]: User 'admin' executed a new command: 'system coredump delete all'.
Feb 26 19:14:34.172090 osdx OSDxCLI[2572]: User 'admin' entered the configuration menu.
Feb 26 19:14:34.295533 osdx OSDxCLI[2572]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Feb 26 19:14:34.435445 osdx OSDxCLI[2572]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Feb 26 19:14:34.588940 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Feb 26 19:14:34.711851 osdx cfgd[997]: [2572]Completed change to active configuration
Feb 26 19:14:34.766559 osdx OSDxCLI[2572]: User 'admin' committed the configuration.
Feb 26 19:14:34.817558 osdx OSDxCLI[2572]: User 'admin' left the configuration menu.
Feb 26 19:14:35.021389 osdx OSDxCLI[2572]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Feb 26 19:14:35.263760 osdx OSDxCLI[2572]: User 'admin' entered the configuration menu.
Feb 26 19:14:35.387057 osdx OSDxCLI[2572]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Feb 26 19:14:35.506555 osdx OSDxCLI[2572]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Feb 26 19:14:35.624467 osdx OSDxCLI[2572]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQCEPgDV5K0EBUq3X3Pb7wVeg7KbAU83jd9ruOPz+UGW4Ur43ol/p1f''.
Feb 26 19:14:35.734476 osdx OSDxCLI[2572]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Feb 26 19:14:35.848739 osdx OSDxCLI[2572]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Feb 26 19:14:35.999878 osdx ca-certificates[19716]: Updating certificates in /etc/ssl/certs...
Feb 26 19:14:36.783540 osdx ca-certificates[20700]: 1 added, 0 removed; done.
Feb 26 19:14:36.791177 osdx ca-certificates[20704]: Running hooks in /etc/ca-certificates/update.d...
Feb 26 19:14:36.798131 osdx ca-certificates[20708]: done.
Feb 26 19:14:36.878095 osdx systemd[1]: Started DNSCrypt client proxy.
Feb 26 19:14:36.881707 osdx cfgd[997]: [2572]Completed change to active configuration
Feb 26 19:14:36.890995 osdx OSDxCLI[2572]: User 'admin' committed the configuration.
Feb 26 19:14:36.915735 osdx dnscrypt-proxy[20712]: [2024-02-26 19:14:36] [NOTICE] dnscrypt-proxy 2.0.45
Feb 26 19:14:36.916317 osdx dnscrypt-proxy[20712]: [2024-02-26 19:14:36] [NOTICE] Network connectivity detected
Feb 26 19:14:36.917076 osdx dnscrypt-proxy[20712]: [2024-02-26 19:14:36] [NOTICE] Dropping privileges
Feb 26 19:14:36.923851 osdx OSDxCLI[2572]: User 'admin' left the configuration menu.
Feb 26 19:14:36.925049 osdx dnscrypt-proxy[20712]: [2024-02-26 19:14:36] [NOTICE] Network connectivity detected
Feb 26 19:14:36.925257 osdx dnscrypt-proxy[20712]: [2024-02-26 19:14:36] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Feb 26 19:14:36.925379 osdx dnscrypt-proxy[20712]: [2024-02-26 19:14:36] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Feb 26 19:14:36.927343 osdx dnscrypt-proxy[20712]: [2024-02-26 19:14:36] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-gqq3o337emci2vkf.tmp: permission denied
Feb 26 19:14:36.927472 osdx dnscrypt-proxy[20712]: [2024-02-26 19:14:36] [NOTICE] Source [RD] loaded
Feb 26 19:14:36.927617 osdx dnscrypt-proxy[20712]: [2024-02-26 19:14:36] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Feb 26 19:14:36.927748 osdx dnscrypt-proxy[20712]: [2024-02-26 19:14:36] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Feb 26 19:14:36.927868 osdx dnscrypt-proxy[20712]: [2024-02-26 19:14:36] [NOTICE] Firefox workaround initialized
Feb 26 19:14:36.927980 osdx dnscrypt-proxy[20712]: [2024-02-26 19:14:36] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp1UOsVm]
Feb 26 19:14:37.142717 osdx OSDxCLI[2572]: User 'admin' executed a new command: 'system journal show | cat'.
Feb 26 19:14:37.180510 osdx dnscrypt-proxy[20712]: [2024-02-26 19:14:37] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 204ms
Feb 26 19:14:37.180510 osdx dnscrypt-proxy[20712]: [2024-02-26 19:14:37] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 204ms)
Feb 26 19:14:37.180510 osdx dnscrypt-proxy[20712]: [2024-02-26 19:14:37] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/invalid-source
set service dns proxy source RD minisign-key 'yzLNghWghGv1HPf9TxFzvVh9'
set service dns proxy server-name rd-server
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'InvalidMinisignKey=='
set service dns proxy server-name rd-server
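The three minisign keys used in the scenarios above, run through a structural check of the minisign public-key format (base64 of a 2-byte algorithm id, an 8-byte key id and a 32-byte Ed25519 key). This is an added example, not part of the test suite or of OSDx; the function names and dictionary labels are hypothetical, and it shows only that both negative-test keys are malformed, not how the device reports the failure.

```python
import base64
import binascii

# Minisign public key layout: 2-byte algorithm id, 8-byte key id, 32-byte Ed25519 key.
ALG_ED25519 = b"Ed"
KEY_LEN = 2 + 8 + 32


def parse_minisign_pubkey(encoded):
    """Return (key_id_hex, ed25519_public_key_bytes) or raise ValueError."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not valid base64: %s" % exc)
    if len(raw) != KEY_LEN:
        raise ValueError("decoded length %d, expected %d" % (len(raw), KEY_LEN))
    if raw[:2] != ALG_ED25519:
        raise ValueError("unknown signature algorithm %r" % raw[:2])
    return raw[2:10].hex(), raw[10:]


def check_key(encoded):
    """Return 'ok' or the rejection reason as a string."""
    try:
        parse_minisign_pubkey(encoded)
        return "ok"
    except ValueError as exc:
        return "rejected: %s" % exc


# Keys copied from the test configurations on this page; the labels are made up here.
PAGE_KEYS = {
    "valid": "RWQCEPgDV5K0EBUq3X3Pb7wVeg7KbAU83jd9ruOPz+UGW4Ur43ol/p1f",
    "invalid-source": "yzLNghWghGv1HPf9TxFzvVh9",
    "invalid-key": "InvalidMinisignKey==",
}

if __name__ == "__main__":
    for label, key in PAGE_KEYS.items():
        print("%-15s %s" % (label, check_key(key)))
```

A well-formed key that belongs to a different signer passes this check and is rejected only when the signature over the downloaded source list is verified.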