Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg'
set service dns proxy server-name rd-server
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$

-- Logs begin at Thu 2024-06-20 17:43:46 UTC, end at Thu 2024-06-20 17:43:50 UTC. --
Jun 20 17:43:46.373374 osdx systemd-journald[1713]: Runtime journal (/run/log/journal/4bdaa9d5a32b43918ba3b0d5647305f4) is 2.0M, max 16.0M, 14.0M free.
Jun 20 17:43:46.405472 osdx OSDxCLI[19773]: User 'admin' executed a new command: 'system journal clear'.
Jun 20 17:43:47.040419 osdx osdx-coredump[20553]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jun 20 17:43:47.048684 osdx OSDxCLI[19773]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 20 17:43:48.030684 osdx OSDxCLI[19773]: User 'admin' entered the configuration menu.
Jun 20 17:43:48.170054 osdx OSDxCLI[19773]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 20 17:43:48.264863 osdx OSDxCLI[19773]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 20 17:43:48.453558 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 20 17:43:48.542011 osdx cfgd[1341]: [19773]Completed change to active configuration
Jun 20 17:43:48.587997 osdx OSDxCLI[19773]: User 'admin' committed the configuration.
Jun 20 17:43:48.613587 osdx OSDxCLI[19773]: User 'admin' left the configuration menu.
Jun 20 17:43:48.810586 osdx OSDxCLI[19773]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 20 17:43:49.079621 osdx OSDxCLI[19773]: User 'admin' entered the configuration menu.
Jun 20 17:43:49.180390 osdx OSDxCLI[19773]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jun 20 17:43:49.289430 osdx OSDxCLI[19773]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jun 20 17:43:49.391106 osdx OSDxCLI[19773]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg''.
Jun 20 17:43:49.519369 osdx OSDxCLI[19773]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Jun 20 17:43:49.664722 osdx ca-certificates[20663]: Updating certificates in /etc/ssl/certs...
Jun 20 17:43:50.396677 osdx ca-certificates[21646]: 1 added, 0 removed; done.
Jun 20 17:43:50.401440 osdx ca-certificates[21653]: Running hooks in /etc/ca-certificates/update.d...
Jun 20 17:43:50.407498 osdx ca-certificates[21655]: done.
Jun 20 17:43:50.464948 osdx systemd[1]: Started DNSCrypt client proxy.
Jun 20 17:43:50.467256 osdx cfgd[1341]: [19773]Completed change to active configuration
Jun 20 17:43:50.471152 osdx OSDxCLI[19773]: User 'admin' committed the configuration.
Jun 20 17:43:50.495467 osdx dnscrypt-proxy[21659]: [2024-06-20 17:43:50] [NOTICE] dnscrypt-proxy 2.0.45
Jun 20 17:43:50.495811 osdx dnscrypt-proxy[21659]: [2024-06-20 17:43:50] [NOTICE] Network connectivity detected
Jun 20 17:43:50.495964 osdx dnscrypt-proxy[21659]: [2024-06-20 17:43:50] [NOTICE] Dropping privileges
Jun 20 17:43:50.499041 osdx dnscrypt-proxy[21659]: [2024-06-20 17:43:50] [NOTICE] Network connectivity detected
Jun 20 17:43:50.499141 osdx dnscrypt-proxy[21659]: [2024-06-20 17:43:50] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jun 20 17:43:50.499141 osdx dnscrypt-proxy[21659]: [2024-06-20 17:43:50] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jun 20 17:43:50.500602 osdx dnscrypt-proxy[21659]: [2024-06-20 17:43:50] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-rc3utu6bisnal5eg.tmp: permission denied
Jun 20 17:43:50.500602 osdx dnscrypt-proxy[21659]: [2024-06-20 17:43:50] [NOTICE] Source [RD] loaded
Jun 20 17:43:50.500715 osdx dnscrypt-proxy[21659]: [2024-06-20 17:43:50] [WARNING] Missing stamp for server [server-name`]
Jun 20 17:43:50.500715 osdx dnscrypt-proxy[21659]: [2024-06-20 17:43:50] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Jun 20 17:43:50.500715 osdx dnscrypt-proxy[21659]: [2024-06-20 17:43:50] [NOTICE] Firefox workaround initialized
Jun 20 17:43:50.500715 osdx dnscrypt-proxy[21659]: [2024-06-20 17:43:50] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpBdSXZe]
Jun 20 17:43:50.534871 osdx OSDxCLI[19773]: User 'admin' left the configuration menu.
Jun 20 17:43:50.644053 osdx dnscrypt-proxy[21659]: [2024-06-20 17:43:50] [NOTICE] [rd-server] OK (DoH) - rtt: 112ms
Jun 20 17:43:50.644053 osdx dnscrypt-proxy[21659]: [2024-06-20 17:43:50] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 112ms)
Jun 20 17:43:50.644053 osdx dnscrypt-proxy[21659]: [2024-06-20 17:43:50] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg'
set service dns proxy source RD prefix PRIVATE-
set service dns proxy server-name PRIVATE-rd-server
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$

-- Logs begin at Thu 2024-06-20 17:43:57 UTC, end at Thu 2024-06-20 17:44:01 UTC. --
Jun 20 17:43:57.383647 osdx systemd-journald[1713]: Runtime journal (/run/log/journal/4bdaa9d5a32b43918ba3b0d5647305f4) is 2.0M, max 16.0M, 14.0M free.
Jun 20 17:43:57.396686 osdx OSDxCLI[19773]: User 'admin' executed a new command: 'system journal clear'.
Jun 20 17:43:57.950793 osdx osdx-coredump[23267]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jun 20 17:43:57.958881 osdx OSDxCLI[19773]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 20 17:43:58.838810 osdx OSDxCLI[19773]: User 'admin' entered the configuration menu.
Jun 20 17:43:58.999714 osdx OSDxCLI[19773]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 20 17:43:59.079840 osdx OSDxCLI[19773]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 20 17:43:59.115468 osdx zebra[1282]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jun 20 17:43:59.115633 osdx zebra[1282]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jun 20 17:43:59.231081 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 20 17:43:59.333073 osdx cfgd[1341]: [19773]Completed change to active configuration
Jun 20 17:43:59.374733 osdx OSDxCLI[19773]: User 'admin' committed the configuration.
Jun 20 17:43:59.410130 osdx OSDxCLI[19773]: User 'admin' left the configuration menu.
Jun 20 17:43:59.630603 osdx OSDxCLI[19773]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jun 20 17:43:59.955813 osdx OSDxCLI[19773]: User 'admin' entered the configuration menu.
Jun 20 17:44:00.063663 osdx OSDxCLI[19773]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jun 20 17:44:00.240958 osdx OSDxCLI[19773]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jun 20 17:44:00.331138 osdx OSDxCLI[19773]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg''.
Jun 20 17:44:00.449224 osdx OSDxCLI[19773]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Jun 20 17:44:00.576192 osdx OSDxCLI[19773]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Jun 20 17:44:00.768250 osdx ca-certificates[23378]: Updating certificates in /etc/ssl/certs...
Jun 20 17:44:01.550295 osdx ca-certificates[24361]: 1 added, 0 removed; done.
Jun 20 17:44:01.556486 osdx ca-certificates[24368]: Running hooks in /etc/ca-certificates/update.d...
Jun 20 17:44:01.563358 osdx ca-certificates[24370]: done.
Jun 20 17:44:01.634169 osdx systemd[1]: Started DNSCrypt client proxy.
Jun 20 17:44:01.636363 osdx cfgd[1341]: [19773]Completed change to active configuration
Jun 20 17:44:01.640332 osdx OSDxCLI[19773]: User 'admin' committed the configuration.
Jun 20 17:44:01.655680 osdx dnscrypt-proxy[24374]: [2024-06-20 17:44:01] [NOTICE] dnscrypt-proxy 2.0.45
Jun 20 17:44:01.655945 osdx dnscrypt-proxy[24374]: [2024-06-20 17:44:01] [NOTICE] Network connectivity detected
Jun 20 17:44:01.656097 osdx dnscrypt-proxy[24374]: [2024-06-20 17:44:01] [NOTICE] Dropping privileges
Jun 20 17:44:01.659201 osdx dnscrypt-proxy[24374]: [2024-06-20 17:44:01] [NOTICE] Network connectivity detected
Jun 20 17:44:01.659289 osdx dnscrypt-proxy[24374]: [2024-06-20 17:44:01] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jun 20 17:44:01.659289 osdx dnscrypt-proxy[24374]: [2024-06-20 17:44:01] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jun 20 17:44:01.660699 osdx dnscrypt-proxy[24374]: [2024-06-20 17:44:01] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-ts3cvtdozyqrin4y.tmp: permission denied
Jun 20 17:44:01.660791 osdx dnscrypt-proxy[24374]: [2024-06-20 17:44:01] [NOTICE] Source [RD] loaded
Jun 20 17:44:01.660894 osdx dnscrypt-proxy[24374]: [2024-06-20 17:44:01] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jun 20 17:44:01.660976 osdx dnscrypt-proxy[24374]: [2024-06-20 17:44:01] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Jun 20 17:44:01.661051 osdx dnscrypt-proxy[24374]: [2024-06-20 17:44:01] [NOTICE] Firefox workaround initialized
Jun 20 17:44:01.661116 osdx dnscrypt-proxy[24374]: [2024-06-20 17:44:01] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpJHsANy]
Jun 20 17:44:01.717813 osdx OSDxCLI[19773]: User 'admin' left the configuration menu.
Jun 20 17:44:01.825854 osdx dnscrypt-proxy[24374]: [2024-06-20 17:44:01] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 125ms
Jun 20 17:44:01.825854 osdx dnscrypt-proxy[24374]: [2024-06-20 17:44:01] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 125ms)
Jun 20 17:44:01.825854 osdx dnscrypt-proxy[24374]: [2024-06-20 17:44:01] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/invalid-source
set service dns proxy source RD minisign-key '2guA1ERrsbND2I8vIE5Wq0Ic'
set service dns proxy server-name rd-server
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'InvalidMinisignKey=='
set service dns proxy server-name rd-server
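
Added example (not part of the original test suite or of OSDx): a structural pre-check of the minisign-key values used in the scenarios above, based on the minisign public key layout (base64 of a 2-byte "Ed" tag, an 8-byte key ID and a 32-byte Ed25519 key). The function names and the SCENARIOS table are assumptions made for this illustration; a key that passes is only well formed, and the signature check on the downloaded source still decides whether it is the right key.

```python
import base64
import binascii
import re

# Minisign public key, once base64-decoded (42 bytes in total):
#   2 bytes  algorithm tag, ASCII "Ed" (Ed25519)
#   8 bytes  key ID
#   32 bytes Ed25519 public key
ALGORITHM = b"Ed"
KEY_ID_LEN = 8
EXPECTED_LEN = len(ALGORITHM) + KEY_ID_LEN + 32

# Matches the configuration syntax shown in the scenarios.
KEY_LINE = re.compile(
    r"^set service dns proxy source (\S+) minisign-key '?([^'\s]+)'?\s*$", re.M)


def check_minisign_key(value):
    """Return (ok, detail) for a base64-encoded minisign public key."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}"
    if len(raw) != EXPECTED_LEN:
        return False, f"decoded to {len(raw)} bytes, expected {EXPECTED_LEN}"
    if raw[:2] != ALGORITHM:
        return False, f"unexpected algorithm tag {raw[:2]!r}"
    return True, f"well formed, key ID bytes {raw[2:2 + KEY_ID_LEN].hex()}"


def audit_config(config_text):
    """Check every 'source <name> minisign-key' line; return {source: (ok, detail)}."""
    return {name: check_minisign_key(key)
            for name, key in KEY_LINE.findall(config_text)}


# Constructed sample: the minisign-key lines copied from the four scenarios.
SCENARIOS = {
    "Valid Source": "set service dns proxy source RD minisign-key "
                    "'RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg'",
    "Invalid Source": "set service dns proxy source RD minisign-key "
                      "'2guA1ERrsbND2I8vIE5Wq0Ic'",
    "Invalid Minisign Key": "set service dns proxy source RD minisign-key "
                            "'InvalidMinisignKey=='",
}

if __name__ == "__main__":
    for scenario, line in SCENARIOS.items():
        print(scenario, audit_config(line))
```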