Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/'
set service dns proxy server-name rd-server

Step 2: Run the command system journal show | cat on DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
-- Logs begin at Mon 2024-12-02 20:10:00 UTC, end at Mon 2024-12-02 20:10:07 UTC. --
Dec 02 20:10:00.419006 osdx systemd-journald[31677]: Runtime journal (/run/log/journal/1d07d1333cb24d498692b025d3740112) is 2.0M, max 16.0M, 14.0M free.
Dec 02 20:10:00.452375 osdx OSDxCLI[727]: User 'admin' executed a new command: 'system journal clear'.
Dec 02 20:10:01.539591 osdx osdx-coredump[28147]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Dec 02 20:10:01.573989 osdx OSDxCLI[727]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 02 20:10:02.970967 osdx OSDxCLI[727]: User 'admin' entered the configuration menu.
Dec 02 20:10:03.158604 osdx OSDxCLI[727]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 02 20:10:03.253461 osdx OSDxCLI[727]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 02 20:10:03.470769 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 02 20:10:03.675035 osdx cfgd[1120]: [727]Completed change to active configuration
Dec 02 20:10:03.772049 osdx OSDxCLI[727]: User 'admin' committed the configuration.
Dec 02 20:10:03.813232 osdx OSDxCLI[727]: User 'admin' left the configuration menu.
Dec 02 20:10:04.081979 osdx OSDxCLI[727]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Dec 02 20:10:04.422446 osdx OSDxCLI[727]: User 'admin' entered the configuration menu.
Dec 02 20:10:04.659279 osdx OSDxCLI[727]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 02 20:10:04.844893 osdx OSDxCLI[727]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Dec 02 20:10:04.951800 osdx OSDxCLI[727]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/''.
Dec 02 20:10:05.124162 osdx OSDxCLI[727]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Dec 02 20:10:05.439459 osdx ca-certificates[28287]: Updating certificates in /etc/ssl/certs...
Dec 02 20:10:06.697638 osdx ca-certificates[29269]: 1 added, 0 removed; done.
Dec 02 20:10:06.703235 osdx ca-certificates[29277]: Running hooks in /etc/ca-certificates/update.d...
Dec 02 20:10:06.709424 osdx ca-certificates[29279]: done.
Dec 02 20:10:06.802775 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 02 20:10:06.803471 osdx systemd[1]: Reached target Host and Network Name Lookups.
Dec 02 20:10:06.806318 osdx cfgd[1120]: [727]Completed change to active configuration
Dec 02 20:10:06.811421 osdx OSDxCLI[727]: User 'admin' committed the configuration.
Dec 02 20:10:06.853239 osdx OSDxCLI[727]: User 'admin' left the configuration menu.
Dec 02 20:10:07.112061 osdx OSDxCLI[727]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 02 20:10:07.274223 osdx dnscrypt-proxy[29283]: [2024-12-02 20:10:07] [NOTICE] dnscrypt-proxy 2.0.45
Dec 02 20:10:07.274633 osdx dnscrypt-proxy[29283]: [2024-12-02 20:10:07] [NOTICE] Network connectivity detected
Dec 02 20:10:07.274855 osdx dnscrypt-proxy[29283]: [2024-12-02 20:10:07] [NOTICE] Dropping privileges
Dec 02 20:10:07.285456 osdx dnscrypt-proxy[29283]: [2024-12-02 20:10:07] [NOTICE] Network connectivity detected
Dec 02 20:10:07.285456 osdx dnscrypt-proxy[29283]: [2024-12-02 20:10:07] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Dec 02 20:10:07.285456 osdx dnscrypt-proxy[29283]: [2024-12-02 20:10:07] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Dec 02 20:10:07.307783 osdx dnscrypt-proxy[29283]: [2024-12-02 20:10:07] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-paw4o2jahrqcmg7m.tmp: permission denied
Dec 02 20:10:07.307783 osdx dnscrypt-proxy[29283]: [2024-12-02 20:10:07] [NOTICE] Source [RD] loaded
Dec 02 20:10:07.307965 osdx dnscrypt-proxy[29283]: [2024-12-02 20:10:07] [WARNING] Missing stamp for server [server-name`]
Dec 02 20:10:07.307965 osdx dnscrypt-proxy[29283]: [2024-12-02 20:10:07] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Dec 02 20:10:07.307965 osdx dnscrypt-proxy[29283]: [2024-12-02 20:10:07] [NOTICE] Firefox workaround initialized
Dec 02 20:10:07.307965 osdx dnscrypt-proxy[29283]: [2024-12-02 20:10:07] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpdoaXXS]
Dec 02 20:10:07.435092 osdx OSDxCLI[727]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 02 20:10:07.512475 osdx dnscrypt-proxy[29283]: [2024-12-02 20:10:07] [NOTICE] [rd-server] OK (DoH) - rtt: 141ms
Dec 02 20:10:07.512475 osdx dnscrypt-proxy[29283]: [2024-12-02 20:10:07] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 141ms)
Dec 02 20:10:07.512475 osdx dnscrypt-proxy[29283]: [2024-12-02 20:10:07] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, it uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/'
set service dns proxy source RD prefix PRIVATE-
set service dns proxy server-name PRIVATE-rd-server

Step 2: Run the command system journal show | cat on DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
-- Logs begin at Mon 2024-12-02 20:10:16 UTC, end at Mon 2024-12-02 20:10:21 UTC. --
Dec 02 20:10:16.473524 osdx systemd-journald[31677]: Runtime journal (/run/log/journal/1d07d1333cb24d498692b025d3740112) is 2.0M, max 16.0M, 14.0M free.
Dec 02 20:10:16.503755 osdx OSDxCLI[727]: User 'admin' executed a new command: 'system journal clear'.
Dec 02 20:10:17.254286 osdx osdx-coredump[30899]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Dec 02 20:10:17.266099 osdx OSDxCLI[727]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 02 20:10:18.292760 osdx OSDxCLI[727]: User 'admin' entered the configuration menu.
Dec 02 20:10:18.451653 osdx OSDxCLI[727]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 02 20:10:18.589096 osdx OSDxCLI[727]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 02 20:10:18.831924 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 02 20:10:19.025363 osdx cfgd[1120]: [727]Completed change to active configuration
Dec 02 20:10:19.097295 osdx OSDxCLI[727]: User 'admin' committed the configuration.
Dec 02 20:10:19.148823 osdx OSDxCLI[727]: User 'admin' left the configuration menu.
Dec 02 20:10:19.395746 osdx OSDxCLI[727]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Dec 02 20:10:19.691879 osdx OSDxCLI[727]: User 'admin' entered the configuration menu.
Dec 02 20:10:19.830273 osdx OSDxCLI[727]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 02 20:10:19.966286 osdx OSDxCLI[727]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Dec 02 20:10:20.072578 osdx OSDxCLI[727]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/''.
Dec 02 20:10:20.203758 osdx OSDxCLI[727]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Dec 02 20:10:20.363093 osdx OSDxCLI[727]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Dec 02 20:10:20.562860 osdx ca-certificates[31035]: Updating certificates in /etc/ssl/certs...
Dec 02 20:10:21.363776 osdx ca-certificates[32023]: 1 added, 0 removed; done.
Dec 02 20:10:21.372227 osdx ca-certificates[32029]: Running hooks in /etc/ca-certificates/update.d...
Dec 02 20:10:21.379311 osdx ca-certificates[32032]: done.
Dec 02 20:10:21.464131 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 02 20:10:21.467214 osdx cfgd[1120]: [727]Completed change to active configuration
Dec 02 20:10:21.480967 osdx OSDxCLI[727]: User 'admin' committed the configuration.
Dec 02 20:10:21.501493 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [NOTICE] dnscrypt-proxy 2.0.45
Dec 02 20:10:21.501493 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [NOTICE] Network connectivity detected
Dec 02 20:10:21.502499 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [NOTICE] Dropping privileges
Dec 02 20:10:21.516828 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [NOTICE] Network connectivity detected
Dec 02 20:10:21.516951 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Dec 02 20:10:21.516951 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Dec 02 20:10:21.518426 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-rnf3o5bnvils7eol.tmp: permission denied
Dec 02 20:10:21.518426 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [NOTICE] Source [RD] loaded
Dec 02 20:10:21.518549 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Dec 02 20:10:21.518549 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Dec 02 20:10:21.518549 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [NOTICE] Firefox workaround initialized
Dec 02 20:10:21.518549 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpcJpnz6]
Dec 02 20:10:21.538698 osdx OSDxCLI[727]: User 'admin' left the configuration menu.
Dec 02 20:10:21.750758 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 146ms
Dec 02 20:10:21.750758 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 146ms)
Dec 02 20:10:21.750758 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Dec 02 20:10:21.753650 osdx OSDxCLI[727]: User 'admin' executed a new command: 'system journal show | cat'.
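
The Step 2 check from the two valid-source scenarios above, as an added example (not part of the original test suite): it parses the dnscrypt-proxy journal records, reports the round-trip time for the expected server name, and also returns the WARNING records that the pass condition ignores. The function and constant names are hypothetical; the sample lines are copied from the output above.

```python
import re

# Journal lines copied from the "Valid Source With Prefix" output on this page.
SAMPLE_JOURNAL = """\
Dec 02 20:10:21.464131 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 02 20:10:21.518426 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-rnf3o5bnvils7eol.tmp: permission denied
Dec 02 20:10:21.518426 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [NOTICE] Source [RD] loaded
Dec 02 20:10:21.518549 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Dec 02 20:10:21.750758 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 146ms
Dec 02 20:10:21.750758 osdx dnscrypt-proxy[32036]: [2024-12-02 20:10:21] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

# One dnscrypt-proxy journal record: "dnscrypt-proxy[pid]: [timestamp] [LEVEL] message"
RECORD = re.compile(r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
SOURCE_LOADED = re.compile(r"Source \[(.+)\] loaded")


def check_journal(journal, server_name):
    """Return (rtt_ms or None, loaded_sources, warnings) for one journal capture."""
    # The server name is matched inside its brackets, so "rd-server" does not
    # accept a record for "PRIVATE-rd-server".
    ok = re.compile(r"\[%s\] OK \(DoH\) - rtt: (\d+)ms$" % re.escape(server_name))
    rtt, sources, warnings = None, [], []
    for line in journal.splitlines():
        rec = RECORD.search(line)
        if rec is None:
            continue  # not a dnscrypt-proxy record
        level, msg = rec["level"], rec["msg"]
        if level == "WARNING":
            warnings.append(msg)
        elif (m := ok.fullmatch(msg)):
            rtt = int(m.group(1))
        elif (m := SOURCE_LOADED.fullmatch(msg)):
            sources.append(m.group(1))
    return rtt, sources, warnings


if __name__ == "__main__":
    rtt, sources, warnings = check_journal(SAMPLE_JOURNAL, "PRIVATE-rd-server")
    print("rtt:", rtt, "sources:", sources)
    for w in warnings:
        print("warning:", w)
```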

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/invalid-source
set service dns proxy source RD minisign-key 'mGIOqwdGafvwGrWJY0ZTU9hr'
set service dns proxy server-name rd-server

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'InvalidMinisignKey=='
set service dns proxy server-name rd-server
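
An added example, not part of the original test suite or the product's code: a structural check of the three minisign-key values configured on this page, assuming the standard minisign public-key encoding (base64 of a 2-byte "Ed" algorithm tag, an 8-byte key ID and a 32-byte Ed25519 public key). It shows that the keys used in the Invalid Source and Invalid Minisign Key scenarios cannot be well-formed minisign public keys, independent of any signature over the source file. The function and constant names are hypothetical.

```python
import base64
import binascii

# Assumed layout of a minisign public key (before base64 encoding):
# 2-byte algorithm tag "Ed" | 8-byte key ID | 32-byte Ed25519 public key
ALG_TAG = b"Ed"
KEY_ID_LEN = 8
ED25519_LEN = 32
RAW_LEN = len(ALG_TAG) + KEY_ID_LEN + ED25519_LEN  # 42 bytes, 56 base64 characters

# The minisign-key values configured in the scenarios on this page.
PAGE_KEYS = {
    "Valid Source": "RWQS3zT4PzYhYypCui1x/fjTnYcfF6K8uPJSGST/mizbDy5qioJVIiQ/",
    "Invalid Source": "mGIOqwdGafvwGrWJY0ZTU9hr",
    "Invalid Minisign Key": "InvalidMinisignKey==",
}


def parse_minisign_pubkey(encoded):
    """Return (ok, detail): the key ID bytes in hex, or the reason for rejection."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, "not valid base64: %s" % exc
    if len(raw) != RAW_LEN:
        return False, "decoded length %d, expected %d" % (len(raw), RAW_LEN)
    if raw[:len(ALG_TAG)] != ALG_TAG:
        return False, "unexpected algorithm tag %r" % raw[:len(ALG_TAG)]
    key_id = raw[len(ALG_TAG):len(ALG_TAG) + KEY_ID_LEN]
    return True, key_id.hex()  # key ID bytes in stored order


def check_page_keys():
    """Run the structural check over every key configured on this page."""
    return {name: parse_minisign_pubkey(key) for name, key in PAGE_KEYS.items()}


if __name__ == "__main__":
    for name, (ok, detail) in check_page_keys().items():
        print("%-22s %-8s %s" % (name, "ok" if ok else "rejected", detail))
```

A key that passes this check is only well-formed; whether it is the right key is decided by verifying the signature of the downloaded source.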