Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQjmV8ePsrXlMW8dVuFZn/igSk3HyArDem3Fi6ykk7Edi1LeTQG1h/W'
set service dns proxy server-name rd-server

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
-- Logs begin at Wed 2024-10-09 08:45:40 UTC, end at Wed 2024-10-09 08:45:42 UTC. --
Oct 09 08:45:40.277260 osdx systemd-journald[5179]: Runtime journal (/run/log/journal/7b13f98cf6974d34b6af66a5ac8a2ed7) is 4.0M, max 16.0M, 11.9M free.
Oct 09 08:45:40.314085 osdx OSDxCLI[25194]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 08:45:40.693085 osdx osdx-coredump[1832]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Oct 09 08:45:40.698746 osdx OSDxCLI[25194]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 09 08:45:41.214012 osdx OSDxCLI[25194]: User 'admin' entered the configuration menu.
Oct 09 08:45:41.276445 osdx OSDxCLI[25194]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 08:45:41.364084 osdx OSDxCLI[25194]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 08:45:41.433351 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 08:45:41.507884 osdx cfgd[1327]: [25194]Completed change to active configuration
Oct 09 08:45:41.547573 osdx OSDxCLI[25194]: User 'admin' committed the configuration.
Oct 09 08:45:41.562890 osdx OSDxCLI[25194]: User 'admin' left the configuration menu.
Oct 09 08:45:41.693510 osdx OSDxCLI[25194]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Oct 09 08:45:41.847373 osdx OSDxCLI[25194]: User 'admin' entered the configuration menu.
Oct 09 08:45:41.900556 osdx OSDxCLI[25194]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 09 08:45:42.001610 osdx OSDxCLI[25194]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Oct 09 08:45:42.104153 osdx OSDxCLI[25194]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQjmV8ePsrXlMW8dVuFZn/igSk3HyArDem3Fi6ykk7Edi1LeTQG1h/W''.
Oct 09 08:45:42.150909 osdx OSDxCLI[25194]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Oct 09 08:45:42.267548 osdx ca-certificates[1968]: Updating certificates in /etc/ssl/certs...
Oct 09 08:45:42.687244 osdx ca-certificates[2953]: 1 added, 0 removed; done.
Oct 09 08:45:42.690135 osdx ca-certificates[2959]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 08:45:42.692879 osdx ca-certificates[2961]: done.
Oct 09 08:45:42.726916 osdx systemd[1]: Started DNSCrypt client proxy.
Oct 09 08:45:42.728649 osdx cfgd[1327]: [25194]Completed change to active configuration
Oct 09 08:45:42.731191 osdx OSDxCLI[25194]: User 'admin' committed the configuration.
Oct 09 08:45:42.747734 osdx dnscrypt-proxy[2965]: [2024-10-09 08:45:42] [NOTICE] dnscrypt-proxy 2.0.45
Oct 09 08:45:42.747734 osdx dnscrypt-proxy[2965]: [2024-10-09 08:45:42] [NOTICE] Network connectivity detected
Oct 09 08:45:42.747734 osdx dnscrypt-proxy[2965]: [2024-10-09 08:45:42] [NOTICE] Dropping privileges
Oct 09 08:45:42.749891 osdx OSDxCLI[25194]: User 'admin' left the configuration menu.
Oct 09 08:45:42.750403 osdx dnscrypt-proxy[2965]: [2024-10-09 08:45:42] [NOTICE] Network connectivity detected
Oct 09 08:45:42.750403 osdx dnscrypt-proxy[2965]: [2024-10-09 08:45:42] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Oct 09 08:45:42.750403 osdx dnscrypt-proxy[2965]: [2024-10-09 08:45:42] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Oct 09 08:45:42.751028 osdx dnscrypt-proxy[2965]: [2024-10-09 08:45:42] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-uamouqlmcbjumhm2.tmp: permission denied
Oct 09 08:45:42.751028 osdx dnscrypt-proxy[2965]: [2024-10-09 08:45:42] [NOTICE] Source [RD] loaded
Oct 09 08:45:42.751073 osdx dnscrypt-proxy[2965]: [2024-10-09 08:45:42] [WARNING] Missing stamp for server [server-name`]
Oct 09 08:45:42.751073 osdx dnscrypt-proxy[2965]: [2024-10-09 08:45:42] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Oct 09 08:45:42.751111 osdx dnscrypt-proxy[2965]: [2024-10-09 08:45:42] [NOTICE] Firefox workaround initialized
Oct 09 08:45:42.751111 osdx dnscrypt-proxy[2965]: [2024-10-09 08:45:42] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpiQcM5Y]
Oct 09 08:45:42.891286 osdx OSDxCLI[25194]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 09 08:45:42.898046 osdx dnscrypt-proxy[2965]: [2024-10-09 08:45:42] [NOTICE] [rd-server] OK (DoH) - rtt: 126ms
Oct 09 08:45:42.898046 osdx dnscrypt-proxy[2965]: [2024-10-09 08:45:42] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 126ms)
Oct 09 08:45:42.898046 osdx dnscrypt-proxy[2965]: [2024-10-09 08:45:42] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQjmV8ePsrXlMW8dVuFZn/igSk3HyArDem3Fi6ykk7Edi1LeTQG1h/W'
set service dns proxy source RD prefix PRIVATE-
set service dns proxy server-name PRIVATE-rd-server

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
-- Logs begin at Wed 2024-10-09 08:45:47 UTC, end at Wed 2024-10-09 08:45:49 UTC. --
Oct 09 08:45:47.270998 osdx systemd-journald[5179]: Runtime journal (/run/log/journal/7b13f98cf6974d34b6af66a5ac8a2ed7) is 2.0M, max 16.0M, 14.0M free.
Oct 09 08:45:47.295119 osdx OSDxCLI[25194]: User 'admin' executed a new command: 'system journal clear'.
Oct 09 08:45:47.642285 osdx osdx-coredump[4577]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Oct 09 08:45:47.648612 osdx OSDxCLI[25194]: User 'admin' executed a new command: 'system coredump delete all'.
Oct 09 08:45:48.218081 osdx OSDxCLI[25194]: User 'admin' entered the configuration menu.
Oct 09 08:45:48.281614 osdx OSDxCLI[25194]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Oct 09 08:45:48.369214 osdx OSDxCLI[25194]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 09 08:45:48.454487 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 09 08:45:48.535341 osdx cfgd[1327]: [25194]Completed change to active configuration
Oct 09 08:45:48.564094 osdx OSDxCLI[25194]: User 'admin' committed the configuration.
Oct 09 08:45:48.587102 osdx OSDxCLI[25194]: User 'admin' left the configuration menu.
Oct 09 08:45:48.722376 osdx OSDxCLI[25194]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Oct 09 08:45:48.838781 osdx OSDxCLI[25194]: User 'admin' entered the configuration menu.
Oct 09 08:45:48.904972 osdx OSDxCLI[25194]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Oct 09 08:45:49.003864 osdx OSDxCLI[25194]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Oct 09 08:45:49.057429 osdx OSDxCLI[25194]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQjmV8ePsrXlMW8dVuFZn/igSk3HyArDem3Fi6ykk7Edi1LeTQG1h/W''.
Oct 09 08:45:49.151133 osdx OSDxCLI[25194]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Oct 09 08:45:49.203588 osdx OSDxCLI[25194]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Oct 09 08:45:49.323616 osdx ca-certificates[4713]: Updating certificates in /etc/ssl/certs...
Oct 09 08:45:49.467460 osdx zebra[1280]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Oct 09 08:45:49.757019 osdx ca-certificates[5697]: 1 added, 0 removed; done.
Oct 09 08:45:49.760142 osdx ca-certificates[5704]: Running hooks in /etc/ca-certificates/update.d...
Oct 09 08:45:49.763113 osdx ca-certificates[5706]: done.
Oct 09 08:45:49.798342 osdx systemd[1]: Started DNSCrypt client proxy.
Oct 09 08:45:49.800761 osdx cfgd[1327]: [25194]Completed change to active configuration
Oct 09 08:45:49.804857 osdx OSDxCLI[25194]: User 'admin' committed the configuration.
Oct 09 08:45:49.820312 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [NOTICE] dnscrypt-proxy 2.0.45
Oct 09 08:45:49.820589 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [NOTICE] Network connectivity detected
Oct 09 08:45:49.820707 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [NOTICE] Dropping privileges
Oct 09 08:45:49.823205 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [NOTICE] Network connectivity detected
Oct 09 08:45:49.823205 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Oct 09 08:45:49.823205 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Oct 09 08:45:49.824792 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-gkyouvvxno6w3hbx.tmp: permission denied
Oct 09 08:45:49.824792 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [NOTICE] Source [RD] loaded
Oct 09 08:45:49.824792 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Oct 09 08:45:49.824792 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Oct 09 08:45:49.824792 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [NOTICE] Firefox workaround initialized
Oct 09 08:45:49.824792 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpxG51S2]
Oct 09 08:45:49.826894 osdx OSDxCLI[25194]: User 'admin' left the configuration menu.
Oct 09 08:45:49.969572 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 122ms
Oct 09 08:45:49.969572 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 122ms)
Oct 09 08:45:49.969572 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Oct 09 08:45:49.986286 osdx OSDxCLI[25194]: User 'admin' executed a new command: 'system journal show | cat'.
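
The Step 2 check in the two scenarios above, as an added example that is not part of the test suite: it looks for the "OK (DoH)" line for the configured server name and also collects the dnscrypt-proxy warnings that a passing regex check does not surface. The function name evaluate and the result keys are chosen here; the sample lines are copied from the output above.

```python
import re

# Lines copied from the "Valid Source With Prefix" journal output above.
SAMPLE_JOURNAL = """\
Oct 09 08:45:49.824792 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [NOTICE] Source [RD] loaded
Oct 09 08:45:49.824792 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Oct 09 08:45:49.969572 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 122ms
Oct 09 08:45:49.969572 osdx dnscrypt-proxy[5710]: [2024-10-09 08:45:49] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

# re.MULTILINE is passed as a flag: the suite's pattern sets it inline with
# (?m) after the first ^, which Python 3.11 and later reject.
PROXY_LINE = re.compile(
    r"^.* dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$",
    re.MULTILINE,
)
READY = re.compile(r"dnscrypt-proxy is ready - live servers: (\d+)")


def evaluate(journal, server_name):
    """Return rtt of the named DoH server, live server count and warnings."""
    ok = re.compile(r"\[" + re.escape(server_name) + r"\] OK \(DoH\) - rtt: (\d+)ms")
    result = {"rtt_ms": None, "live_servers": None, "warnings": []}
    for line in PROXY_LINE.finditer(journal):
        level, msg = line["level"], line["msg"]
        if level == "WARNING":
            result["warnings"].append(msg)
            continue
        hit = ok.fullmatch(msg)
        if hit:
            result["rtt_ms"] = int(hit.group(1))
        ready = READY.fullmatch(msg)
        if ready:
            result["live_servers"] = int(ready.group(1))
    return result


if __name__ == "__main__":
    # The prefixed name matches; the bare name no longer does once a prefix is set.
    print(evaluate(SAMPLE_JOURNAL, "PRIVATE-rd-server"))
    print(evaluate(SAMPLE_JOURNAL, "rd-server"))
```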

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/invalid-source
set service dns proxy source RD minisign-key '4zUdFQezv0hdgvp7wcrJVd88'
set service dns proxy server-name rd-server

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'InvalidMinisignKey=='
set service dns proxy server-name rd-server
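
Both negative scenarios use key strings that are not well-formed minisign public keys. The check below is an added example, not part of the test suite or of OSDx: it applies the minisign public key layout (base64 of a 2-byte algorithm id "Ed", an 8-byte key id and a 32-byte Ed25519 key) to the key values on this page. It validates format only and verifies no signature; the names parse_minisign_pubkey and audit are chosen here.

```python
import base64
import binascii

# Key values copied from the scenarios on this page.
PAGE_KEYS = {
    "Valid Source": "RWQjmV8ePsrXlMW8dVuFZn/igSk3HyArDem3Fi6ykk7Edi1LeTQG1h/W",
    "Invalid Source": "4zUdFQezv0hdgvp7wcrJVd88",
    "Invalid Minisign Key": "InvalidMinisignKey==",
}

ALGORITHM_ID = b"Ed"   # minisign's id for Ed25519 signatures
KEY_ID_LEN = 8
PUBLIC_KEY_LEN = 32


def parse_minisign_pubkey(text):
    """Split a minisign public key string into (key_id, ed25519_key).

    Raises ValueError when the string is not base64 or does not have the
    2 + 8 + 32 byte layout.
    """
    try:
        raw = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    expected = len(ALGORITHM_ID) + KEY_ID_LEN + PUBLIC_KEY_LEN
    if len(raw) != expected:
        raise ValueError(f"decoded to {len(raw)} bytes, expected {expected}")
    if raw[:2] != ALGORITHM_ID:
        raise ValueError(f"unexpected algorithm id {raw[:2]!r}")
    return raw[2:10], raw[10:]


def audit(keys):
    """Map each label to 'ok' or the reason the key is malformed."""
    report = {}
    for label, text in keys.items():
        try:
            parse_minisign_pubkey(text)
            report[label] = "ok"
        except ValueError as exc:
            report[label] = str(exc)
    return report


if __name__ == "__main__":
    for label, verdict in audit(PAGE_KEYS).items():
        print(f"{label}: {verdict}")
```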