Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL'
set service dns proxy server-name rd-server

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
-- Logs begin at Tue 2024-04-09 09:49:08 UTC, end at Tue 2024-04-09 09:49:13 UTC. --
Apr 09 09:49:08.396354 osdx systemd-journald[1044]: Runtime journal (/run/log/journal/2dc26f94a9f34e56b62b3c0d209c4be0) is 2.0M, max 16.0M, 14.0M free.
Apr 09 09:49:08.431220 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system journal clear'.
Apr 09 09:49:09.112662 osdx osdx-coredump[25217]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Apr 09 09:49:09.123630 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system coredump delete all'.
Apr 09 09:49:10.230063 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu.
Apr 09 09:49:10.414180 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 09 09:49:10.523912 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 09 09:49:10.685647 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 09 09:49:10.804046 osdx cfgd[1120]: [7130]Completed change to active configuration
Apr 09 09:49:10.856186 osdx OSDxCLI[7130]: User 'admin' committed the configuration.
Apr 09 09:49:10.883457 osdx OSDxCLI[7130]: User 'admin' left the configuration menu.
Apr 09 09:49:11.096459 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Apr 09 09:49:11.303592 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu.
Apr 09 09:49:11.421981 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Apr 09 09:49:11.450637 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Apr 09 09:49:11.618977 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Apr 09 09:49:11.739013 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL''.
Apr 09 09:49:11.860042 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Apr 09 09:49:12.019332 osdx ca-certificates[25327]: Updating certificates in /etc/ssl/certs...
Apr 09 09:49:12.835198 osdx ca-certificates[26310]: 1 added, 0 removed; done.
Apr 09 09:49:12.839784 osdx ca-certificates[26317]: Running hooks in /etc/ca-certificates/update.d...
Apr 09 09:49:12.845297 osdx ca-certificates[26319]: done.
Apr 09 09:49:12.907707 osdx systemd[1]: Started DNSCrypt client proxy.
Apr 09 09:49:12.913603 osdx cfgd[1120]: [7130]Completed change to active configuration
Apr 09 09:49:12.921962 osdx OSDxCLI[7130]: User 'admin' committed the configuration.
Apr 09 09:49:12.941797 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:12] [NOTICE] dnscrypt-proxy 2.0.45
Apr 09 09:49:12.942177 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:12] [NOTICE] Network connectivity detected
Apr 09 09:49:12.942395 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:12] [NOTICE] Dropping privileges
Apr 09 09:49:12.947851 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:12] [NOTICE] Network connectivity detected
Apr 09 09:49:12.947851 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:12] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Apr 09 09:49:12.947851 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:12] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Apr 09 09:49:12.949368 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:12] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-wnvddpmwdixm5oga.tmp: permission denied
Apr 09 09:49:12.949368 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:12] [NOTICE] Source [RD] loaded
Apr 09 09:49:12.949503 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:12] [WARNING] Missing stamp for server [server-name`]
Apr 09 09:49:12.949503 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:12] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Apr 09 09:49:12.949503 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:12] [NOTICE] Firefox workaround initialized
Apr 09 09:49:12.949503 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:12] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpJTLZCh]
Apr 09 09:49:12.972711 osdx OSDxCLI[7130]: User 'admin' left the configuration menu.
Apr 09 09:49:13.113393 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:13] [NOTICE] [rd-server] OK (DoH) - rtt: 117ms
Apr 09 09:49:13.113393 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:13] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 117ms)
Apr 09 09:49:13.113393 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:13] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL'
set service dns proxy source RD prefix PRIVATE-
set service dns proxy server-name PRIVATE-rd-server

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
-- Logs begin at Tue 2024-04-09 09:49:21 UTC, end at Tue 2024-04-09 09:49:26 UTC. --
Apr 09 09:49:21.539176 osdx systemd-journald[1044]: Runtime journal (/run/log/journal/2dc26f94a9f34e56b62b3c0d209c4be0) is 2.0M, max 16.0M, 14.0M free.
Apr 09 09:49:21.568522 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system journal clear'.
Apr 09 09:49:22.408527 osdx osdx-coredump[27931]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Apr 09 09:49:22.417154 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'system coredump delete all'.
Apr 09 09:49:23.498972 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu.
Apr 09 09:49:23.648498 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Apr 09 09:49:23.804878 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 09 09:49:24.032074 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 09 09:49:24.124308 osdx cfgd[1120]: [7130]Completed change to active configuration
Apr 09 09:49:24.184469 osdx OSDxCLI[7130]: User 'admin' committed the configuration.
Apr 09 09:49:24.226105 osdx OSDxCLI[7130]: User 'admin' left the configuration menu.
Apr 09 09:49:24.433545 osdx OSDxCLI[7130]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Apr 09 09:49:24.663226 osdx OSDxCLI[7130]: User 'admin' entered the configuration menu.
Apr 09 09:49:24.793677 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Apr 09 09:49:24.929253 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Apr 09 09:49:25.069881 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL''.
Apr 09 09:49:25.195346 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Apr 09 09:49:25.299416 osdx OSDxCLI[7130]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Apr 09 09:49:25.457457 osdx ca-certificates[28042]: Updating certificates in /etc/ssl/certs...
Apr 09 09:49:26.004334 osdx zebra[1073]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Apr 09 09:49:26.193095 osdx ca-certificates[29027]: 1 added, 0 removed; done.
Apr 09 09:49:26.197850 osdx ca-certificates[29033]: Running hooks in /etc/ca-certificates/update.d...
Apr 09 09:49:26.202420 osdx ca-certificates[29035]: done.
Apr 09 09:49:26.278585 osdx systemd[1]: Started DNSCrypt client proxy.
Apr 09 09:49:26.280699 osdx cfgd[1120]: [7130]Completed change to active configuration
Apr 09 09:49:26.284447 osdx OSDxCLI[7130]: User 'admin' committed the configuration.
Apr 09 09:49:26.317182 osdx dnscrypt-proxy[29039]: [2024-04-09 09:49:26] [NOTICE] dnscrypt-proxy 2.0.45
Apr 09 09:49:26.317525 osdx dnscrypt-proxy[29039]: [2024-04-09 09:49:26] [NOTICE] Network connectivity detected
Apr 09 09:49:26.317709 osdx dnscrypt-proxy[29039]: [2024-04-09 09:49:26] [NOTICE] Dropping privileges
Apr 09 09:49:26.322650 osdx dnscrypt-proxy[29039]: [2024-04-09 09:49:26] [NOTICE] Network connectivity detected
Apr 09 09:49:26.322650 osdx dnscrypt-proxy[29039]: [2024-04-09 09:49:26] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Apr 09 09:49:26.322650 osdx dnscrypt-proxy[29039]: [2024-04-09 09:49:26] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Apr 09 09:49:26.323749 osdx dnscrypt-proxy[29039]: [2024-04-09 09:49:26] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-x5pak3ce7ajboxcp.tmp: permission denied
Apr 09 09:49:26.323749 osdx dnscrypt-proxy[29039]: [2024-04-09 09:49:26] [NOTICE] Source [RD] loaded
Apr 09 09:49:26.323749 osdx dnscrypt-proxy[29039]: [2024-04-09 09:49:26] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Apr 09 09:49:26.323749 osdx dnscrypt-proxy[29039]: [2024-04-09 09:49:26] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Apr 09 09:49:26.323749 osdx dnscrypt-proxy[29039]: [2024-04-09 09:49:26] [NOTICE] Firefox workaround initialized
Apr 09 09:49:26.323749 osdx dnscrypt-proxy[29039]: [2024-04-09 09:49:26] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpwWB2lG]
Apr 09 09:49:26.323372 osdx OSDxCLI[7130]: User 'admin' left the configuration menu.
Apr 09 09:49:26.496159 osdx dnscrypt-proxy[29039]: [2024-04-09 09:49:26] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 134ms
Apr 09 09:49:26.496159 osdx dnscrypt-proxy[29039]: [2024-04-09 09:49:26] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 134ms)
Apr 09 09:49:26.496159 osdx dnscrypt-proxy[29039]: [2024-04-09 09:49:26] [NOTICE] dnscrypt-proxy is ready - live servers: 1
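
The Step 2 check of the two valid-source tests, written out as an added example (not part of the test suite): besides the "OK (DoH)" line for the configured server name, it collects the dnscrypt-proxy WARNING lines that the pass regex never looks at. The function name `review_journal` and the report layout are assumptions; the sample lines are copied from the Valid Source output above.

```python
import re

# Journal lines copied from the "Valid Source" output on this page.
JOURNAL = """\
Apr 09 09:49:12.949368 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:12] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-wnvddpmwdixm5oga.tmp: permission denied
Apr 09 09:49:12.949368 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:12] [NOTICE] Source [RD] loaded
Apr 09 09:49:12.949503 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:12] [WARNING] Missing stamp for server [server-name`]
Apr 09 09:49:13.113393 osdx dnscrypt-proxy[26323]: [2024-04-09 09:49:13] [NOTICE] [rd-server] OK (DoH) - rtt: 117ms
"""

# journald prefix, then dnscrypt-proxy's own "[timestamp] [LEVEL] message"
PROXY_LINE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
SOURCE_LOADED = re.compile(r"Source \[(.+)\] loaded")


def review_journal(journal: str, server_name: str) -> dict:
    """Hypothetical helper: pass/fail for one server plus everything worth a look."""
    # re.escape keeps a name such as "PRIVATE-rd-server" literal inside the pattern.
    ok_re = re.compile(r"\[" + re.escape(server_name) + r"\] OK \(DoH\) - rtt: (\d+)ms$")
    report = {"server_ok": False, "rtt_ms": None, "source_loaded": [], "warnings": []}
    for line in journal.splitlines():
        m = PROXY_LINE.search(line)
        if not m:
            continue  # not a dnscrypt-proxy line
        level, msg = m["level"], m["msg"]
        ok = ok_re.search(msg)
        if ok:
            report["server_ok"] = True
            report["rtt_ms"] = int(ok.group(1))
        elif level == "WARNING":
            report["warnings"].append(msg)
        else:
            src = SOURCE_LOADED.fullmatch(msg)
            if src:
                report["source_loaded"].append(src.group(1))
    return report


if __name__ == "__main__":
    print(review_journal(JOURNAL, "rd-server"))
```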

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/invalid-source
set service dns proxy source RD minisign-key 'foiu6i0BDs8WfzdwzeMxkTU4'
set service dns proxy server-name rd-server

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'InvalidMinisignKey=='
set service dns proxy server-name rd-server
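
The minisign-key values used in this suite, checked against the minisign public-key layout (base64 of a 2-byte algorithm tag "Ed", an 8-byte key ID and a 32-byte Ed25519 key). This is an added example, not part of the test suite; `check_minisign_pubkey` is a hypothetical helper that checks structure only and does not verify any signature over the source file.

```python
import base64
import binascii

# minisign public key: base64( "Ed" || 8-byte key ID || 32-byte Ed25519 key )
ALG_TAG = b"Ed"
KEY_ID_LEN = 8
PUBKEY_LEN = 32
EXPECTED_LEN = len(ALG_TAG) + KEY_ID_LEN + PUBKEY_LEN  # 42 bytes

# Key strings exactly as configured in the test cases on this page.
KEYS = {
    "Valid Source": "RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL",
    "Invalid Source": "foiu6i0BDs8WfzdwzeMxkTU4",
    "Invalid Minisign Key": "InvalidMinisignKey==",
}


def check_minisign_pubkey(encoded: str) -> dict:
    """Structural check only: a well-formed key can still be the wrong key."""
    result = {"ok": False, "reason": "", "key_id": None}
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        result["reason"] = f"not valid base64: {exc}"
        return result
    if len(raw) != EXPECTED_LEN:
        result["reason"] = f"decoded to {len(raw)} bytes, expected {EXPECTED_LEN}"
        return result
    if raw[:2] != ALG_TAG:
        result["reason"] = f"algorithm tag {raw[:2]!r}, expected {ALG_TAG!r}"
        return result
    # Key ID bytes in stored order, hex-encoded.
    key_id = raw[2:2 + KEY_ID_LEN].hex()
    result.update(ok=True, reason="well-formed", key_id=key_id)
    return result


if __name__ == "__main__":
    for test_case, key in KEYS.items():
        print(f"{test_case}: {check_minisign_pubkey(key)}")
```

Passing this check says nothing about whether the key is the one that signed the source list; that is decided only when the proxy verifies the downloaded file's signature.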