Source

Test suite to validate using one or multiple ciphers to protect the DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWS3c2fUuKg8gYGt+sMZa2p6w8XgJhSvsneX1XCsQnDLAkYDuJSAuqJt'
set service dns proxy server-name rd-server

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
-- Logs begin at Thu 2024-10-10 06:49:30 UTC, end at Thu 2024-10-10 06:49:34 UTC. --
Oct 10 06:49:30.362735 osdx systemd-journald[1712]: Runtime journal (/run/log/journal/c2d6011d26b547ba87daa360869210a1) is 2.0M, max 16.0M, 14.0M free.
Oct 10 06:49:30.395373 osdx OSDxCLI[1889]: User 'admin' executed a new command: 'system journal clear'.
Oct 10 06:49:30.999539 osdx osdx-coredump[16316]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Oct 10 06:49:31.010510 osdx OSDxCLI[1889]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 10 06:49:32.032542 osdx OSDxCLI[1889]: User 'admin' entered the configuration menu.
Oct 10 06:49:32.148054 osdx OSDxCLI[1889]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 10 06:49:32.267611 osdx OSDxCLI[1889]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 10 06:49:32.555868 osdx cfgd[1328]: [1889]Completed change to active configuration
Oct 10 06:49:32.614576 osdx OSDxCLI[1889]: User 'admin' committed the configuration.
Oct 10 06:49:32.666297 osdx OSDxCLI[1889]: User 'admin' left the configuration menu.
Oct 10 06:49:32.849129 osdx OSDxCLI[1889]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Oct 10 06:49:33.090525 osdx OSDxCLI[1889]: User 'admin' entered the configuration menu.
Oct 10 06:49:33.196517 osdx OSDxCLI[1889]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 10 06:49:33.323271 osdx OSDxCLI[1889]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Oct 10 06:49:33.433605 osdx OSDxCLI[1889]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWS3c2fUuKg8gYGt+sMZa2p6w8XgJhSvsneX1XCsQnDLAkYDuJSAuqJt''.
Oct 10 06:49:33.513770 osdx OSDxCLI[1889]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Oct 10 06:49:33.670554 osdx ca-certificates[16426]: Updating certificates in /etc/ssl/certs...
Oct 10 06:49:34.379133 osdx ca-certificates[17409]: 1 added, 0 removed; done.
Oct 10 06:49:34.384259 osdx ca-certificates[17416]: Running hooks in /etc/ca-certificates/update.d...
Oct 10 06:49:34.388598 osdx ca-certificates[17418]: done.
Oct 10 06:49:34.466117 osdx systemd[1]: Started DNSCrypt client proxy.
Oct 10 06:49:34.468764 osdx cfgd[1328]: [1889]Completed change to active configuration
Oct 10 06:49:34.472098 osdx OSDxCLI[1889]: User 'admin' committed the configuration.
Oct 10 06:49:34.490376 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [NOTICE] dnscrypt-proxy 2.0.45
Oct 10 06:49:34.490700 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [NOTICE] Network connectivity detected
Oct 10 06:49:34.490866 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [NOTICE] Dropping privileges
Oct 10 06:49:34.494032 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [NOTICE] Network connectivity detected
Oct 10 06:49:34.494141 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Oct 10 06:49:34.494141 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Oct 10 06:49:34.495741 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-xjv2cqcb3gfqatc5.tmp: permission denied
Oct 10 06:49:34.495741 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [NOTICE] Source [RD] loaded
Oct 10 06:49:34.495904 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [WARNING] Missing stamp for server [server-name`]
Oct 10 06:49:34.495904 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Oct 10 06:49:34.495904 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [NOTICE] Firefox workaround initialized
Oct 10 06:49:34.495904 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpoWaYh8]
Oct 10 06:49:34.502318 osdx OSDxCLI[1889]: User 'admin' left the configuration menu.
Oct 10 06:49:34.660402 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [NOTICE] [rd-server] OK (DoH) - rtt: 119ms
Oct 10 06:49:34.660544 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 119ms)
Oct 10 06:49:34.660617 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [NOTICE] dnscrypt-proxy is ready - live servers: 1
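
The Step 2 check applied to four lines copied from the output above, as an added example that is not part of the original test suite. It also collects the dnscrypt-proxy WARNING lines, which the pass criterion does not look at; the function and variable names are hypothetical.

```python
import re

# Pass criterion from Step 2, with the multiline flag passed as an argument.
OK_RE = re.compile(r"^.*\[rd-server\] OK \(DoH\) - rtt: (\d+)ms$", re.M)
# dnscrypt-proxy warning lines in the journal format shown on this page.
WARN_RE = re.compile(
    r"^.*dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[WARNING\] (.*)$", re.M
)

# Four lines copied from the journal output of the Valid Source scenario.
JOURNAL = """\
Oct 10 06:49:34.495741 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-xjv2cqcb3gfqatc5.tmp: permission denied
Oct 10 06:49:34.495741 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [NOTICE] Source [RD] loaded
Oct 10 06:49:34.495904 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [WARNING] Missing stamp for server [server-name`]
Oct 10 06:49:34.660402 osdx dnscrypt-proxy[17422]: [2024-10-10 06:49:34] [NOTICE] [rd-server] OK (DoH) - rtt: 119ms
"""


def evaluate(journal):
    """Return the Step 2 verdict plus any warnings logged in the same run."""
    match = OK_RE.search(journal)
    return {
        "passed": match is not None,
        "rtt_ms": int(match.group(1)) if match else None,
        "warnings": WARN_RE.findall(journal),
    }


if __name__ == "__main__":
    result = evaluate(JOURNAL)
    print("passed:", result["passed"], "rtt_ms:", result["rtt_ms"])
    for warning in result["warnings"]:
        print("warning:", warning)
```
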

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWS3c2fUuKg8gYGt+sMZa2p6w8XgJhSvsneX1XCsQnDLAkYDuJSAuqJt'
set service dns proxy source RD prefix PRIVATE-
set service dns proxy server-name PRIVATE-rd-server

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
-- Logs begin at Thu 2024-10-10 06:49:41 UTC, end at Thu 2024-10-10 06:49:45 UTC. --
Oct 10 06:49:41.404902 osdx systemd-journald[1712]: Runtime journal (/run/log/journal/c2d6011d26b547ba87daa360869210a1) is 2.0M, max 16.0M, 14.0M free.
Oct 10 06:49:41.433417 osdx OSDxCLI[1889]: User 'admin' executed a new command: 'system journal clear'.
Oct 10 06:49:42.012668 osdx osdx-coredump[19028]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Oct 10 06:49:42.022475 osdx OSDxCLI[1889]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 10 06:49:42.891438 osdx OSDxCLI[1889]: User 'admin' entered the configuration menu.
Oct 10 06:49:43.031235 osdx OSDxCLI[1889]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 10 06:49:43.112992 osdx OSDxCLI[1889]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 10 06:49:43.353218 osdx cfgd[1328]: [1889]Completed change to active configuration
Oct 10 06:49:43.392138 osdx OSDxCLI[1889]: User 'admin' committed the configuration.
Oct 10 06:49:43.430349 osdx OSDxCLI[1889]: User 'admin' left the configuration menu.
Oct 10 06:49:43.605872 osdx OSDxCLI[1889]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Oct 10 06:49:43.798973 osdx OSDxCLI[1889]: User 'admin' entered the configuration menu.
Oct 10 06:49:43.894588 osdx OSDxCLI[1889]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 10 06:49:43.996321 osdx OSDxCLI[1889]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Oct 10 06:49:44.086060 osdx OSDxCLI[1889]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWS3c2fUuKg8gYGt+sMZa2p6w8XgJhSvsneX1XCsQnDLAkYDuJSAuqJt''.
Oct 10 06:49:44.203410 osdx OSDxCLI[1889]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Oct 10 06:49:44.295712 osdx OSDxCLI[1889]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Oct 10 06:49:44.428483 osdx ca-certificates[19139]: Updating certificates in /etc/ssl/certs...
Oct 10 06:49:45.093485 osdx ca-certificates[20122]: 1 added, 0 removed; done.
Oct 10 06:49:45.099365 osdx ca-certificates[20129]: Running hooks in /etc/ca-certificates/update.d...
Oct 10 06:49:45.105267 osdx ca-certificates[20131]: done.
Oct 10 06:49:45.166334 osdx systemd[1]: Started DNSCrypt client proxy.
Oct 10 06:49:45.168536 osdx cfgd[1328]: [1889]Completed change to active configuration
Oct 10 06:49:45.172246 osdx OSDxCLI[1889]: User 'admin' committed the configuration.
Oct 10 06:49:45.184561 osdx dnscrypt-proxy[20135]: [2024-10-10 06:49:45] [NOTICE] dnscrypt-proxy 2.0.45
Oct 10 06:49:45.184561 osdx dnscrypt-proxy[20135]: [2024-10-10 06:49:45] [NOTICE] Network connectivity detected
Oct 10 06:49:45.184561 osdx dnscrypt-proxy[20135]: [2024-10-10 06:49:45] [NOTICE] Dropping privileges
Oct 10 06:49:45.187576 osdx dnscrypt-proxy[20135]: [2024-10-10 06:49:45] [NOTICE] Network connectivity detected
Oct 10 06:49:45.187749 osdx dnscrypt-proxy[20135]: [2024-10-10 06:49:45] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Oct 10 06:49:45.187834 osdx dnscrypt-proxy[20135]: [2024-10-10 06:49:45] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Oct 10 06:49:45.189369 osdx dnscrypt-proxy[20135]: [2024-10-10 06:49:45] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-ngzyze5xkheglpqe.tmp: permission denied
Oct 10 06:49:45.189467 osdx dnscrypt-proxy[20135]: [2024-10-10 06:49:45] [NOTICE] Source [RD] loaded
Oct 10 06:49:45.189584 osdx dnscrypt-proxy[20135]: [2024-10-10 06:49:45] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Oct 10 06:49:45.189679 osdx dnscrypt-proxy[20135]: [2024-10-10 06:49:45] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Oct 10 06:49:45.189763 osdx dnscrypt-proxy[20135]: [2024-10-10 06:49:45] [NOTICE] Firefox workaround initialized
Oct 10 06:49:45.189839 osdx dnscrypt-proxy[20135]: [2024-10-10 06:49:45] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpNC6_Nn]
Oct 10 06:49:45.213454 osdx OSDxCLI[1889]: User 'admin' left the configuration menu.
Oct 10 06:49:45.331060 osdx dnscrypt-proxy[20135]: [2024-10-10 06:49:45] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 109ms
Oct 10 06:49:45.331060 osdx dnscrypt-proxy[20135]: [2024-10-10 06:49:45] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 109ms)
Oct 10 06:49:45.331060 osdx dnscrypt-proxy[20135]: [2024-10-10 06:49:45] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/invalid-source
set service dns proxy source RD minisign-key 'Xre3YZrrSMNxORTPXSQKQCSJ'
set service dns proxy server-name rd-server

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'InvalidMinisignKey=='
set service dns proxy server-name rd-server
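
A structural check of the three minisign-key values used in the scenarios on this page, as an added example that is not part of the original test suite. It assumes the standard minisign public-key encoding (base64 of a 2-byte algorithm id "Ed", an 8-byte key id and a 32-byte Ed25519 public key); the function names are hypothetical.

```python
import base64
import binascii
import re

# Standard minisign public key: 2-byte algorithm id, 8-byte key id,
# 32-byte Ed25519 public key.
MINISIGN_PK_LEN = 2 + 8 + 32
KEY_LINE = re.compile(
    r"^set service dns proxy source (\S+) minisign-key '([^']*)'$"
)

# The three distinct minisign-key lines used by the scenarios on this page.
PAGE_CONFIG = [
    "set service dns proxy source RD minisign-key 'RWS3c2fUuKg8gYGt+sMZa2p6w8XgJhSvsneX1XCsQnDLAkYDuJSAuqJt'",
    "set service dns proxy source RD minisign-key 'Xre3YZrrSMNxORTPXSQKQCSJ'",
    "set service dns proxy source RD minisign-key 'InvalidMinisignKey=='",
]


def check_minisign_key(b64_key):
    """Return (ok, detail) for one minisign public key string."""
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64: {exc}"
    if len(raw) != MINISIGN_PK_LEN:
        return False, f"decoded length {len(raw)}, expected {MINISIGN_PK_LEN}"
    if raw[:2] != b"Ed":
        return False, f"unexpected algorithm id {raw[:2]!r}"
    return True, f"key id bytes {raw[2:10].hex()}"


def check_config(lines):
    """Check every minisign-key line; returns a list of (source, ok, detail)."""
    results = []
    for line in lines:
        match = KEY_LINE.match(line.strip())
        if match:
            ok, detail = check_minisign_key(match.group(2))
            results.append((match.group(1), ok, detail))
    return results


if __name__ == "__main__":
    for source, ok, detail in check_config(PAGE_CONFIG):
        print(source, "OK" if ok else "REJECT", detail)
```

Neither negative-test key decodes to 42 bytes, so both are malformed keys rather than well-formed keys belonging to a different signer.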