Source

Test suite to validate using one or multiple ciphers to protect the DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg'
set service dns proxy server-name rd-server

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:

-- Logs begin at Mon 2024-06-24 12:21:47 UTC, end at Mon 2024-06-24 12:21:51 UTC. --
Jun 24 12:21:47.423448 osdx systemd-journald[596]: Runtime journal (/run/log/journal/9a819f3302304ea795867ea7c248068f) is 2.0M, max 16.0M, 14.0M free.
Jun 24 12:21:47.443432 osdx OSDxCLI[18080]: User 'admin' executed a new command: 'system journal clear'.
Jun 24 12:21:48.086145 osdx osdx-coredump[11855]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jun 24 12:21:48.094957 osdx OSDxCLI[18080]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 24 12:21:48.994062 osdx OSDxCLI[18080]: User 'admin' entered the configuration menu.
Jun 24 12:21:49.121747 osdx OSDxCLI[18080]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 24 12:21:49.207627 osdx OSDxCLI[18080]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 24 12:21:49.360823 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 24 12:21:49.476445 osdx cfgd[1115]: [18080]Completed change to active configuration
Jun 24 12:21:49.534871 osdx OSDxCLI[18080]: User 'admin' committed the configuration.
Jun 24 12:21:49.576895 osdx OSDxCLI[18080]: User 'admin' left the configuration menu.
Jun 24 12:21:49.782009 osdx OSDxCLI[18080]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Jun 24 12:21:50.044259 osdx OSDxCLI[18080]: User 'admin' entered the configuration menu.
Jun 24 12:21:50.146655 osdx OSDxCLI[18080]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jun 24 12:21:50.264350 osdx OSDxCLI[18080]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jun 24 12:21:50.350162 osdx OSDxCLI[18080]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg''.
Jun 24 12:21:50.491620 osdx OSDxCLI[18080]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Jun 24 12:21:50.642287 osdx ca-certificates[11965]: Updating certificates in /etc/ssl/certs...
Jun 24 12:21:51.304619 osdx ca-certificates[12949]: 1 added, 0 removed; done.
Jun 24 12:21:51.309652 osdx ca-certificates[12956]: Running hooks in /etc/ca-certificates/update.d...
Jun 24 12:21:51.313948 osdx ca-certificates[12958]: done.
Jun 24 12:21:51.370275 osdx systemd[1]: Started DNSCrypt client proxy.
Jun 24 12:21:51.372553 osdx cfgd[1115]: [18080]Completed change to active configuration
Jun 24 12:21:51.376337 osdx OSDxCLI[18080]: User 'admin' committed the configuration.
Jun 24 12:21:51.394581 osdx dnscrypt-proxy[12962]: [2024-06-24 12:21:51] [NOTICE] dnscrypt-proxy 2.0.45
Jun 24 12:21:51.394939 osdx dnscrypt-proxy[12962]: [2024-06-24 12:21:51] [NOTICE] Network connectivity detected
Jun 24 12:21:51.395073 osdx dnscrypt-proxy[12962]: [2024-06-24 12:21:51] [NOTICE] Dropping privileges
Jun 24 12:21:51.398146 osdx dnscrypt-proxy[12962]: [2024-06-24 12:21:51] [NOTICE] Network connectivity detected
Jun 24 12:21:51.398255 osdx dnscrypt-proxy[12962]: [2024-06-24 12:21:51] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jun 24 12:21:51.398255 osdx dnscrypt-proxy[12962]: [2024-06-24 12:21:51] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jun 24 12:21:51.400834 osdx dnscrypt-proxy[12962]: [2024-06-24 12:21:51] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-sjbau7vzi5fute6w.tmp: permission denied
Jun 24 12:21:51.400834 osdx dnscrypt-proxy[12962]: [2024-06-24 12:21:51] [NOTICE] Source [RD] loaded
Jun 24 12:21:51.400834 osdx dnscrypt-proxy[12962]: [2024-06-24 12:21:51] [WARNING] Missing stamp for server [server-name`]
Jun 24 12:21:51.400834 osdx dnscrypt-proxy[12962]: [2024-06-24 12:21:51] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Jun 24 12:21:51.400834 osdx dnscrypt-proxy[12962]: [2024-06-24 12:21:51] [NOTICE] Firefox workaround initialized
Jun 24 12:21:51.400834 osdx dnscrypt-proxy[12962]: [2024-06-24 12:21:51] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpudelKn]
Jun 24 12:21:51.403415 osdx OSDxCLI[18080]: User 'admin' left the configuration menu.
Jun 24 12:21:51.569694 osdx dnscrypt-proxy[12962]: [2024-06-24 12:21:51] [NOTICE] [rd-server] OK (DoH) - rtt: 132ms
Jun 24 12:21:51.569694 osdx dnscrypt-proxy[12962]: [2024-06-24 12:21:51] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 132ms)
Jun 24 12:21:51.569694 osdx dnscrypt-proxy[12962]: [2024-06-24 12:21:51] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Jun 24 12:21:51.588083 osdx OSDxCLI[18080]: User 'admin' executed a new command: 'system journal show | cat'.

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg'
set service dns proxy source RD prefix PRIVATE-
set service dns proxy server-name PRIVATE-rd-server

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$

Output:

-- Logs begin at Mon 2024-06-24 12:21:58 UTC, end at Mon 2024-06-24 12:22:02 UTC. --
Jun 24 12:21:58.409118 osdx systemd-journald[596]: Runtime journal (/run/log/journal/9a819f3302304ea795867ea7c248068f) is 2.0M, max 16.0M, 14.0M free.
Jun 24 12:21:58.435251 osdx OSDxCLI[18080]: User 'admin' executed a new command: 'system journal clear'.
Jun 24 12:21:59.052816 osdx osdx-coredump[14574]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jun 24 12:21:59.062970 osdx OSDxCLI[18080]: User 'admin' executed a new command: 'system coredump delete all'.
Jun 24 12:22:00.046961 osdx OSDxCLI[18080]: User 'admin' entered the configuration menu.
Jun 24 12:22:00.160307 osdx OSDxCLI[18080]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jun 24 12:22:00.298584 osdx OSDxCLI[18080]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jun 24 12:22:00.459240 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jun 24 12:22:00.558324 osdx cfgd[1115]: [18080]Completed change to active configuration
Jun 24 12:22:00.607245 osdx OSDxCLI[18080]: User 'admin' committed the configuration.
Jun 24 12:22:00.641576 osdx OSDxCLI[18080]: User 'admin' left the configuration menu.
Jun 24 12:22:00.836346 osdx OSDxCLI[18080]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Jun 24 12:22:01.035021 osdx OSDxCLI[18080]: User 'admin' entered the configuration menu.
Jun 24 12:22:01.171224 osdx OSDxCLI[18080]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jun 24 12:22:01.267430 osdx OSDxCLI[18080]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jun 24 12:22:01.395750 osdx OSDxCLI[18080]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg''.
Jun 24 12:22:01.480434 osdx OSDxCLI[18080]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Jun 24 12:22:01.594390 osdx OSDxCLI[18080]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Jun 24 12:22:01.736173 osdx ca-certificates[14685]: Updating certificates in /etc/ssl/certs...
Jun 24 12:22:02.478686 osdx ca-certificates[15674]: 1 added, 0 removed; done.
Jun 24 12:22:02.483119 osdx ca-certificates[15680]: Running hooks in /etc/ca-certificates/update.d...
Jun 24 12:22:02.487678 osdx ca-certificates[15682]: done.
Jun 24 12:22:02.559160 osdx systemd[1]: Started DNSCrypt client proxy.
Jun 24 12:22:02.561437 osdx cfgd[1115]: [18080]Completed change to active configuration
Jun 24 12:22:02.565848 osdx OSDxCLI[18080]: User 'admin' committed the configuration.
Jun 24 12:22:02.581957 osdx dnscrypt-proxy[15686]: [2024-06-24 12:22:02] [NOTICE] dnscrypt-proxy 2.0.45
Jun 24 12:22:02.582294 osdx dnscrypt-proxy[15686]: [2024-06-24 12:22:02] [NOTICE] Network connectivity detected
Jun 24 12:22:02.582456 osdx dnscrypt-proxy[15686]: [2024-06-24 12:22:02] [NOTICE] Dropping privileges
Jun 24 12:22:02.585249 osdx dnscrypt-proxy[15686]: [2024-06-24 12:22:02] [NOTICE] Network connectivity detected
Jun 24 12:22:02.585249 osdx dnscrypt-proxy[15686]: [2024-06-24 12:22:02] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jun 24 12:22:02.585249 osdx dnscrypt-proxy[15686]: [2024-06-24 12:22:02] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jun 24 12:22:02.586688 osdx dnscrypt-proxy[15686]: [2024-06-24 12:22:02] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-o5amyz6772nlabze.tmp: permission denied
Jun 24 12:22:02.586688 osdx dnscrypt-proxy[15686]: [2024-06-24 12:22:02] [NOTICE] Source [RD] loaded
Jun 24 12:22:02.586814 osdx dnscrypt-proxy[15686]: [2024-06-24 12:22:02] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jun 24 12:22:02.586814 osdx dnscrypt-proxy[15686]: [2024-06-24 12:22:02] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Jun 24 12:22:02.586814 osdx dnscrypt-proxy[15686]: [2024-06-24 12:22:02] [NOTICE] Firefox workaround initialized
Jun 24 12:22:02.586814 osdx dnscrypt-proxy[15686]: [2024-06-24 12:22:02] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp441EYc]
Jun 24 12:22:02.632196 osdx OSDxCLI[18080]: User 'admin' left the configuration menu.
Jun 24 12:22:02.823698 osdx dnscrypt-proxy[15686]: [2024-06-24 12:22:02] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 205ms
Jun 24 12:22:02.823698 osdx dnscrypt-proxy[15686]: [2024-06-24 12:22:02] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 205ms)
Jun 24 12:22:02.823698 osdx dnscrypt-proxy[15686]: [2024-06-24 12:22:02] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/invalid-source
set service dns proxy source RD minisign-key 'AyIEqHVDZtR2Obgyefw9kJ0z'
set service dns proxy server-name rd-server

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'InvalidMinisignKey=='
set service dns proxy server-name rd-server
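
An added example (not part of the original test suite or of the device's code) showing how the three minisign keys used in these scenarios differ in structure: a minisign public key is the base64 encoding of a 2-byte algorithm id ("Ed"), an 8-byte key id and a 32-byte Ed25519 key. The function and class names are assumptions made for this illustration, and the check covers key format only, not verification of the source file's signature.

```python
import base64
import binascii
from dataclasses import dataclass

# Keys as configured in the scenarios on this page.
VALID_KEY = "RWSSmg3x+TiYvBGTwN7asokmWz42IUegUfZCvd4zIefo1C0t+KngIRGg"
RANDOM_KEY = "AyIEqHVDZtR2Obgyefw9kJ0z"    # "Invalid Source" scenario
MALFORMED_KEY = "InvalidMinisignKey=="      # "Invalid Minisign Key" scenario

ALGORITHM = b"Ed"        # minisign algorithm id for Ed25519
KEY_ID_LEN = 8
ED25519_LEN = 32
TOTAL_LEN = len(ALGORITHM) + KEY_ID_LEN + ED25519_LEN   # 42 bytes


@dataclass(frozen=True)
class MinisignPublicKey:     # hypothetical container for this example
    key_id: bytes            # identifies which key produced a signature
    ed25519: bytes           # raw Ed25519 public key


def parse_minisign_pubkey(encoded: str) -> MinisignPublicKey:
    """Decode a minisign public key string; raise ValueError if malformed."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) != TOTAL_LEN:
        raise ValueError(f"decoded length {len(raw)}, expected {TOTAL_LEN}")
    if raw[:2] != ALGORITHM:
        raise ValueError(f"unsupported algorithm id {raw[:2]!r}")
    return MinisignPublicKey(key_id=raw[2:10], ed25519=raw[10:])


def check(encoded: str) -> tuple[bool, str]:
    """Return (accepted, reason) without raising, e.g. for a pre-commit check."""
    try:
        key = parse_minisign_pubkey(encoded)
    except ValueError as exc:
        return False, str(exc)
    return True, "key id bytes " + key.key_id.hex()


if __name__ == "__main__":
    for name, value in [("valid", VALID_KEY), ("random", RANDOM_KEY),
                        ("malformed", MALFORMED_KEY)]:
        print(name, check(value))
```

Both failing keys on this page are rejected by this format check, before any signature would be compared.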