Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg'
set service dns proxy server-name rd-server

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
-- Logs begin at Wed 2024-05-22 08:15:33 UTC, end at Wed 2024-05-22 08:15:37 UTC. --
May 22 08:15:33.383327 osdx systemd-journald[1514]: Runtime journal (/run/log/journal/99893f06e2ec475e9e852fdd13370208) is 2.0M, max 16.0M, 14.0M free.
May 22 08:15:33.399200 osdx OSDxCLI[18676]: User 'admin' executed a new command: 'system journal clear'.
May 22 08:15:33.972511 osdx osdx-coredump[20654]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 22 08:15:33.980620 osdx OSDxCLI[18676]: User 'admin' executed a new command: 'system coredump delete all'.
May 22 08:15:34.862122 osdx OSDxCLI[18676]: User 'admin' entered the configuration menu.
May 22 08:15:34.870078 osdx zebra[1078]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
May 22 08:15:34.991048 osdx OSDxCLI[18676]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 22 08:15:35.099250 osdx OSDxCLI[18676]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 22 08:15:35.249882 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 22 08:15:35.360545 osdx cfgd[1125]: [18676]Completed change to active configuration
May 22 08:15:35.418805 osdx OSDxCLI[18676]: User 'admin' committed the configuration.
May 22 08:15:35.454270 osdx OSDxCLI[18676]: User 'admin' left the configuration menu.
May 22 08:15:35.653803 osdx OSDxCLI[18676]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
May 22 08:15:35.838657 osdx OSDxCLI[18676]: User 'admin' entered the configuration menu.
May 22 08:15:35.933255 osdx OSDxCLI[18676]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 22 08:15:36.035027 osdx OSDxCLI[18676]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
May 22 08:15:36.124844 osdx OSDxCLI[18676]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg''.
May 22 08:15:36.213414 osdx OSDxCLI[18676]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
May 22 08:15:36.385346 osdx ca-certificates[20764]: Updating certificates in /etc/ssl/certs...
May 22 08:15:37.112527 osdx ca-certificates[21750]: 1 added, 0 removed; done.
May 22 08:15:37.118739 osdx ca-certificates[21758]: Running hooks in /etc/ca-certificates/update.d...
May 22 08:15:37.124943 osdx ca-certificates[21760]: done.
May 22 08:15:37.200430 osdx systemd[1]: Started DNSCrypt client proxy.
May 22 08:15:37.203011 osdx cfgd[1125]: [18676]Completed change to active configuration
May 22 08:15:37.207407 osdx OSDxCLI[18676]: User 'admin' committed the configuration.
May 22 08:15:37.254011 osdx OSDxCLI[18676]: User 'admin' left the configuration menu.
May 22 08:15:37.432529 osdx OSDxCLI[18676]: User 'admin' executed a new command: 'system journal show | cat'.
May 22 08:15:37.488101 osdx dnscrypt-proxy[21764]: [2024-05-22 08:15:37] [NOTICE] dnscrypt-proxy 2.0.45
May 22 08:15:37.488464 osdx dnscrypt-proxy[21764]: [2024-05-22 08:15:37] [NOTICE] Network connectivity detected
May 22 08:15:37.488524 osdx dnscrypt-proxy[21764]: [2024-05-22 08:15:37] [NOTICE] Dropping privileges
May 22 08:15:37.491777 osdx dnscrypt-proxy[21764]: [2024-05-22 08:15:37] [NOTICE] Network connectivity detected
May 22 08:15:37.491777 osdx dnscrypt-proxy[21764]: [2024-05-22 08:15:37] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
May 22 08:15:37.491777 osdx dnscrypt-proxy[21764]: [2024-05-22 08:15:37] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
May 22 08:15:37.498195 osdx dnscrypt-proxy[21764]: [2024-05-22 08:15:37] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-pqva5wbpps5n5hrv.tmp: permission denied
May 22 08:15:37.498195 osdx dnscrypt-proxy[21764]: [2024-05-22 08:15:37] [NOTICE] Source [RD] loaded
May 22 08:15:37.498379 osdx dnscrypt-proxy[21764]: [2024-05-22 08:15:37] [WARNING] Missing stamp for server [server-name`]
May 22 08:15:37.498379 osdx dnscrypt-proxy[21764]: [2024-05-22 08:15:37] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
May 22 08:15:37.498379 osdx dnscrypt-proxy[21764]: [2024-05-22 08:15:37] [NOTICE] Firefox workaround initialized
May 22 08:15:37.498379 osdx dnscrypt-proxy[21764]: [2024-05-22 08:15:37] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpfAs8Qu]
May 22 08:15:37.706834 osdx dnscrypt-proxy[21764]: [2024-05-22 08:15:37] [NOTICE] [rd-server] OK (DoH) - rtt: 124ms
May 22 08:15:37.706834 osdx dnscrypt-proxy[21764]: [2024-05-22 08:15:37] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 124ms)
May 22 08:15:37.706834 osdx dnscrypt-proxy[21764]: [2024-05-22 08:15:37] [NOTICE] dnscrypt-proxy is ready - live servers: 1
May 22 08:15:37.707135 osdx OSDxCLI[18676]: User 'admin' executed a new command: 'system journal show | cat'.

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg'
set service dns proxy source RD prefix PRIVATE-
set service dns proxy server-name PRIVATE-rd-server

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
-- Logs begin at Wed 2024-05-22 08:15:44 UTC, end at Wed 2024-05-22 08:15:48 UTC. --
May 22 08:15:44.355337 osdx systemd-journald[1514]: Runtime journal (/run/log/journal/99893f06e2ec475e9e852fdd13370208) is 2.0M, max 16.0M, 14.0M free.
May 22 08:15:44.390910 osdx OSDxCLI[18676]: User 'admin' executed a new command: 'system journal clear'.
May 22 08:15:44.733614 osdx zebra[1078]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
May 22 08:15:44.975749 osdx osdx-coredump[23384]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
May 22 08:15:44.985605 osdx OSDxCLI[18676]: User 'admin' executed a new command: 'system coredump delete all'.
May 22 08:15:45.855236 osdx OSDxCLI[18676]: User 'admin' entered the configuration menu.
May 22 08:15:45.968450 osdx OSDxCLI[18676]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
May 22 08:15:46.083835 osdx OSDxCLI[18676]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
May 22 08:15:46.205877 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
May 22 08:15:46.295080 osdx cfgd[1125]: [18676]Completed change to active configuration
May 22 08:15:46.352411 osdx OSDxCLI[18676]: User 'admin' committed the configuration.
May 22 08:15:46.409196 osdx OSDxCLI[18676]: User 'admin' left the configuration menu.
May 22 08:15:46.615343 osdx OSDxCLI[18676]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
May 22 08:15:46.859714 osdx OSDxCLI[18676]: User 'admin' entered the configuration menu.
May 22 08:15:46.999446 osdx OSDxCLI[18676]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
May 22 08:15:47.145398 osdx OSDxCLI[18676]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
May 22 08:15:47.236471 osdx OSDxCLI[18676]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg''.
May 22 08:15:47.326166 osdx OSDxCLI[18676]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
May 22 08:15:47.416419 osdx OSDxCLI[18676]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
May 22 08:15:47.544197 osdx ca-certificates[23495]: Updating certificates in /etc/ssl/certs...
May 22 08:15:48.231911 osdx ca-certificates[24478]: 1 added, 0 removed; done.
May 22 08:15:48.236219 osdx ca-certificates[24485]: Running hooks in /etc/ca-certificates/update.d...
May 22 08:15:48.240795 osdx ca-certificates[24487]: done.
May 22 08:15:48.312265 osdx systemd[1]: Started DNSCrypt client proxy.
May 22 08:15:48.314155 osdx cfgd[1125]: [18676]Completed change to active configuration
May 22 08:15:48.317327 osdx OSDxCLI[18676]: User 'admin' committed the configuration.
May 22 08:15:48.337442 osdx dnscrypt-proxy[24491]: [2024-05-22 08:15:48] [NOTICE] dnscrypt-proxy 2.0.45
May 22 08:15:48.337804 osdx dnscrypt-proxy[24491]: [2024-05-22 08:15:48] [NOTICE] Network connectivity detected
May 22 08:15:48.338137 osdx dnscrypt-proxy[24491]: [2024-05-22 08:15:48] [NOTICE] Dropping privileges
May 22 08:15:48.341583 osdx dnscrypt-proxy[24491]: [2024-05-22 08:15:48] [NOTICE] Network connectivity detected
May 22 08:15:48.341774 osdx dnscrypt-proxy[24491]: [2024-05-22 08:15:48] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
May 22 08:15:48.341892 osdx dnscrypt-proxy[24491]: [2024-05-22 08:15:48] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
May 22 08:15:48.343691 osdx dnscrypt-proxy[24491]: [2024-05-22 08:15:48] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-ddgpzbx2baybncp5.tmp: permission denied
May 22 08:15:48.343815 osdx dnscrypt-proxy[24491]: [2024-05-22 08:15:48] [NOTICE] Source [RD] loaded
May 22 08:15:48.343934 osdx dnscrypt-proxy[24491]: [2024-05-22 08:15:48] [WARNING] Missing stamp for server [PRIVATE-server-name`]
May 22 08:15:48.344035 osdx dnscrypt-proxy[24491]: [2024-05-22 08:15:48] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
May 22 08:15:48.344127 osdx dnscrypt-proxy[24491]: [2024-05-22 08:15:48] [NOTICE] Firefox workaround initialized
May 22 08:15:48.344211 osdx dnscrypt-proxy[24491]: [2024-05-22 08:15:48] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpE9uLWM]
May 22 08:15:48.360489 osdx OSDxCLI[18676]: User 'admin' left the configuration menu.
May 22 08:15:48.543553 osdx OSDxCLI[18676]: User 'admin' executed a new command: 'system journal show | cat'.
May 22 08:15:48.627709 osdx dnscrypt-proxy[24491]: [2024-05-22 08:15:48] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 234ms
May 22 08:15:48.627709 osdx dnscrypt-proxy[24491]: [2024-05-22 08:15:48] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 234ms)
May 22 08:15:48.627709 osdx dnscrypt-proxy[24491]: [2024-05-22 08:15:48] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/invalid-source
set service dns proxy source RD minisign-key 'iNS8U4VrFJ5QPWkmy7OwUk5f'
set service dns proxy server-name rd-server

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'InvalidMinisignKey=='
set service dns proxy server-name rd-server