Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg'
set service dns proxy server-name rd-server

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
-- Logs begin at Wed 2024-06-12 22:02:41 UTC, end at Wed 2024-06-12 22:02:45 UTC. --
Jun 12 22:02:41.400404 osdx systemd-journald[1508]: Runtime journal (/run/log/journal/f8d19df27e8d4f24a0b0e24ed9aec425) is 2.0M, max 16.0M, 14.0M free.
Jun 12 22:02:41.437944 osdx OSDxCLI[16771]: User 'admin' executed a new command: 'system journal clear'.
Jun 12 22:02:42.117799 osdx osdx-coredump[13581]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jun 12 22:02:42.126842 osdx OSDxCLI[16771]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 12 22:02:43.118381 osdx OSDxCLI[16771]: User 'admin' entered the configuration menu.
Jun 12 22:02:43.235196 osdx OSDxCLI[16771]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 12 22:02:43.342122 osdx OSDxCLI[16771]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 12 22:02:43.506840 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 12 22:02:43.595434 osdx cfgd[1122]: [16771]Completed change to active configuration
Jun 12 22:02:43.634107 osdx OSDxCLI[16771]: User 'admin' committed the configuration.
Jun 12 22:02:43.690706 osdx OSDxCLI[16771]: User 'admin' left the configuration menu.
Jun 12 22:02:43.922757 osdx OSDxCLI[16771]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Jun 12 22:02:44.213977 osdx OSDxCLI[16771]: User 'admin' entered the configuration menu.
Jun 12 22:02:44.352330 osdx OSDxCLI[16771]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jun 12 22:02:44.513667 osdx OSDxCLI[16771]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jun 12 22:02:44.640788 osdx OSDxCLI[16771]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg''.
Jun 12 22:02:44.756729 osdx OSDxCLI[16771]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Jun 12 22:02:44.931395 osdx ca-certificates[13691]: Updating certificates in /etc/ssl/certs...
Jun 12 22:02:45.644077 osdx ca-certificates[14675]: 1 added, 0 removed; done.
Jun 12 22:02:45.649223 osdx ca-certificates[14681]: Running hooks in /etc/ca-certificates/update.d...
Jun 12 22:02:45.654165 osdx ca-certificates[14683]: done.
Jun 12 22:02:45.722339 osdx systemd[1]: Started DNSCrypt client proxy.
Jun 12 22:02:45.724443 osdx cfgd[1122]: [16771]Completed change to active configuration
Jun 12 22:02:45.728421 osdx OSDxCLI[16771]: User 'admin' committed the configuration.
Jun 12 22:02:45.745206 osdx dnscrypt-proxy[14687]: [2024-06-12 22:02:45] [NOTICE] dnscrypt-proxy 2.0.45
Jun 12 22:02:45.745206 osdx dnscrypt-proxy[14687]: [2024-06-12 22:02:45] [NOTICE] Network connectivity detected
Jun 12 22:02:45.745206 osdx dnscrypt-proxy[14687]: [2024-06-12 22:02:45] [NOTICE] Dropping privileges
Jun 12 22:02:45.748076 osdx dnscrypt-proxy[14687]: [2024-06-12 22:02:45] [NOTICE] Network connectivity detected
Jun 12 22:02:45.748267 osdx dnscrypt-proxy[14687]: [2024-06-12 22:02:45] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jun 12 22:02:45.748372 osdx dnscrypt-proxy[14687]: [2024-06-12 22:02:45] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jun 12 22:02:45.772542 osdx OSDxCLI[16771]: User 'admin' left the configuration menu.
Jun 12 22:02:45.785459 osdx dnscrypt-proxy[14687]: [2024-06-12 22:02:45] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-p375hwwgnklyayzb.tmp: permission denied
Jun 12 22:02:45.785459 osdx dnscrypt-proxy[14687]: [2024-06-12 22:02:45] [NOTICE] Source [RD] loaded
Jun 12 22:02:45.785607 osdx dnscrypt-proxy[14687]: [2024-06-12 22:02:45] [WARNING] Missing stamp for server [server-name`]
Jun 12 22:02:45.785607 osdx dnscrypt-proxy[14687]: [2024-06-12 22:02:45] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Jun 12 22:02:45.785607 osdx dnscrypt-proxy[14687]: [2024-06-12 22:02:45] [NOTICE] Firefox workaround initialized
Jun 12 22:02:45.785743 osdx dnscrypt-proxy[14687]: [2024-06-12 22:02:45] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpC6HJnM]
Jun 12 22:02:45.955047 osdx OSDxCLI[16771]: User 'admin' executed a new command: 'system journal show | cat'.
Jun 12 22:02:45.960527 osdx dnscrypt-proxy[14687]: [2024-06-12 22:02:45] [NOTICE] [rd-server] OK (DoH) - rtt: 127ms
Jun 12 22:02:45.960527 osdx dnscrypt-proxy[14687]: [2024-06-12 22:02:45] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 127ms)
Jun 12 22:02:45.960712 osdx dnscrypt-proxy[14687]: [2024-06-12 22:02:45] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg'
set service dns proxy source RD prefix PRIVATE-
set service dns proxy server-name PRIVATE-rd-server

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
-- Logs begin at Wed 2024-06-12 22:02:53 UTC, end at Wed 2024-06-12 22:02:58 UTC. --
Jun 12 22:02:53.374929 osdx systemd-journald[1508]: Runtime journal (/run/log/journal/f8d19df27e8d4f24a0b0e24ed9aec425) is 2.0M, max 16.0M, 14.0M free.
Jun 12 22:02:53.392584 osdx OSDxCLI[16771]: User 'admin' executed a new command: 'system journal clear'.
Jun 12 22:02:54.189435 osdx osdx-coredump[16299]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jun 12 22:02:54.197977 osdx OSDxCLI[16771]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 12 22:02:55.168842 osdx OSDxCLI[16771]: User 'admin' entered the configuration menu.
Jun 12 22:02:55.314759 osdx OSDxCLI[16771]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 12 22:02:55.470383 osdx OSDxCLI[16771]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 12 22:02:55.638286 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 12 22:02:55.749829 osdx cfgd[1122]: [16771]Completed change to active configuration
Jun 12 22:02:55.810322 osdx OSDxCLI[16771]: User 'admin' committed the configuration.
Jun 12 22:02:55.853431 osdx OSDxCLI[16771]: User 'admin' left the configuration menu.
Jun 12 22:02:56.058754 osdx OSDxCLI[16771]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Jun 12 22:02:56.279996 osdx OSDxCLI[16771]: User 'admin' entered the configuration menu.
Jun 12 22:02:56.385267 osdx OSDxCLI[16771]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jun 12 22:02:56.523313 osdx OSDxCLI[16771]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jun 12 22:02:56.644279 osdx OSDxCLI[16771]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg''.
Jun 12 22:02:56.778272 osdx OSDxCLI[16771]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Jun 12 22:02:56.881518 osdx OSDxCLI[16771]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Jun 12 22:02:57.011280 osdx ca-certificates[16410]: Updating certificates in /etc/ssl/certs...
Jun 12 22:02:57.680661 osdx ca-certificates[17401]: 1 added, 0 removed; done.
Jun 12 22:02:57.685253 osdx ca-certificates[17408]: Running hooks in /etc/ca-certificates/update.d...
Jun 12 22:02:57.691365 osdx ca-certificates[17410]: done.
Jun 12 22:02:57.758850 osdx systemd[1]: Started DNSCrypt client proxy.
Jun 12 22:02:57.761153 osdx cfgd[1122]: [16771]Completed change to active configuration
Jun 12 22:02:57.765248 osdx OSDxCLI[16771]: User 'admin' committed the configuration.
Jun 12 22:02:57.789236 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:57] [NOTICE] dnscrypt-proxy 2.0.45
Jun 12 22:02:57.789634 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:57] [NOTICE] Network connectivity detected
Jun 12 22:02:57.789790 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:57] [NOTICE] Dropping privileges
Jun 12 22:02:57.795576 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:57] [NOTICE] Network connectivity detected
Jun 12 22:02:57.795713 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:57] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jun 12 22:02:57.795713 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:57] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jun 12 22:02:57.796918 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:57] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-q4qecnb3whtvduex.tmp: permission denied
Jun 12 22:02:57.796918 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:57] [NOTICE] Source [RD] loaded
Jun 12 22:02:57.797045 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:57] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jun 12 22:02:57.797045 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:57] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Jun 12 22:02:57.797045 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:57] [NOTICE] Firefox workaround initialized
Jun 12 22:02:57.797045 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:57] [NOTICE] Loading the set of cloaking rules from [/tmp/tmppzmhHN]
Jun 12 22:02:57.809693 osdx OSDxCLI[16771]: User 'admin' left the configuration menu.
Jun 12 22:02:58.009074 osdx OSDxCLI[16771]: User 'admin' executed a new command: 'system journal show | cat'.
Jun 12 22:02:58.037696 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:58] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 198ms
Jun 12 22:02:58.037696 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:58] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 198ms)
Jun 12 22:02:58.037696 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:58] [NOTICE] dnscrypt-proxy is ready - live servers: 1
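
The Step 2 check from the two valid-source scenarios, as an added Python example (not part of the test suite itself): it applies the page's expression for a given server-name and also returns the WARNING-or-higher dnscrypt-proxy records, which the expression alone does not look at. The function names are hypothetical, and the sample text is an excerpt of the output above.

```python
import re

# Excerpt of the "Valid Source With Prefix" journal output shown above.
SAMPLE_JOURNAL = """\
Jun 12 22:02:57.796918 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:57] [NOTICE] Source [RD] loaded
Jun 12 22:02:57.797045 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:57] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jun 12 22:02:58.037696 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:58] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 198ms
Jun 12 22:02:58.037696 osdx dnscrypt-proxy[17414]: [2024-06-12 22:02:58] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

# dnscrypt-proxy record: "<journal prefix> dnscrypt-proxy[pid]: [timestamp] [LEVEL] message"
PROXY_RECORD = re.compile(
    r"^.* dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$",
    re.MULTILINE,
)


def step2_pattern(server_name):
    """Step 2 expression for a given server-name, with the rtt captured.

    The page writes the flag inline after the anchor ("^(?m)^..."), which
    Python 3.11+ rejects, so multiline mode is passed as re.MULTILINE.
    """
    return re.compile(
        r"^.*\[" + re.escape(server_name) + r"\] OK \(DoH\) - rtt: (\d+)ms$",
        re.MULTILINE,
    )


def check_journal(journal, server_name):
    """Return (passed, rtt_ms, warnings) for one scenario's journal text."""
    hit = step2_pattern(server_name).search(journal)
    warnings = [
        m["msg"]
        for m in PROXY_RECORD.finditer(journal)
        if m["level"] in {"WARNING", "ERROR", "CRITICAL", "FATAL"}
    ]
    return hit is not None, int(hit.group(1)) if hit else None, warnings


if __name__ == "__main__":
    print(check_journal(SAMPLE_JOURNAL, "PRIVATE-rd-server"))
    print(check_journal(SAMPLE_JOURNAL, "rd-server"))  # unprefixed name: no match
```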

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/invalid-source
set service dns proxy source RD minisign-key 'FFeYkkCrp8hXNSDV1GzcBBAU'
set service dns proxy server-name rd-server

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'InvalidMinisignKey=='
set service dns proxy server-name rd-server
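
A structural pre-check for the minisign-key values used in the scenarios above, as an added Python example (not the product's or dnscrypt-proxy's own code; function names are hypothetical). It relies on minisign's public-key encoding, base64 of a 2-byte "Ed" tag, an 8-byte key id and a 32-byte Ed25519 key, and does not verify any signature.

```python
import base64
import binascii

# minisign-key values taken from the scenarios on this page.
VALID_KEY = "RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg"
RANDOM_KEY = "FFeYkkCrp8hXNSDV1GzcBBAU"      # "Invalid Source"
INVALID_KEY = "InvalidMinisignKey=="         # "Invalid Minisign Key"

SIG_ALG = b"Ed"        # minisign signature algorithm tag
KEY_ID_LEN = 8         # key id bytes
ED25519_PK_LEN = 32    # Ed25519 public key bytes


def parse_minisign_pubkey(text):
    """Decode base64(alg || key_id || public_key); raise ValueError if malformed."""
    try:
        raw = base64.b64decode(text.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    expected = len(SIG_ALG) + KEY_ID_LEN + ED25519_PK_LEN
    if len(raw) != expected:
        raise ValueError(f"decoded to {len(raw)} bytes, expected {expected}")
    if raw[:2] != SIG_ALG:
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    return {"key_id": raw[2:10].hex(), "public_key": raw[10:]}


def precheck(text):
    """Return (ok, reason) without raising, for use in a config validator."""
    try:
        key = parse_minisign_pubkey(text)
    except ValueError as exc:
        return False, str(exc)
    return True, f"key id {key['key_id']}"


if __name__ == "__main__":
    for label, value in (("valid", VALID_KEY), ("random", RANDOM_KEY),
                         ("invalid", INVALID_KEY)):
        print(label, precheck(value))
```

A key that passes this check can still be the wrong key for the source; only signature verification of the downloaded list settles that.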