Source

Test suite to validate using one or multiple ciphers to protect the DoH connection.

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://certs/remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQWyKwQfhb07vIEGKa/AxXIiRAOGkJb6y5JSRDtionB+r2/WSF/VwRp'
set service dns proxy server-name rd-server

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
-- Logs begin at Mon 2023-10-30 11:26:30 UTC, end at Mon 2023-10-30 11:26:33 UTC. --
Oct 30 11:26:30.377775 osdx systemd-journald[629]: Runtime journal (/run/log/journal/3d151f703f7748e3bca150e5e3f65077) is 2.0M, max 16.0M, 14.0M free.
Oct 30 11:26:30.396620 osdx OSDxCLI[4196]: User 'admin' executed a new command: 'system journal clear'.
Oct 30 11:26:30.765635 osdx OSDxCLI[4196]: User 'admin' entered the configuration menu.
Oct 30 11:26:30.885251 osdx OSDxCLI[4196]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Oct 30 11:26:30.974768 osdx OSDxCLI[4196]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 30 11:26:31.127951 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 30 11:26:31.221662 osdx cfgd[1093]: [4196]Completed change to active configuration
Oct 30 11:26:31.262666 osdx OSDxCLI[4196]: User 'admin' committed the configuration.
Oct 30 11:26:31.315400 osdx OSDxCLI[4196]: User 'admin' left the configuration menu.
Oct 30 11:26:31.482709 osdx OSDxCLI[4196]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Oct 30 11:26:31.693816 osdx OSDxCLI[4196]: User 'admin' entered the configuration menu.
Oct 30 11:26:31.793671 osdx OSDxCLI[4196]: User 'admin' added a new cfg line: 'set system certificate trust running://certs/remote.dns-server.crt'.
Oct 30 11:26:31.894225 osdx OSDxCLI[4196]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Oct 30 11:26:31.979669 osdx OSDxCLI[4196]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQWyKwQfhb07vIEGKa/AxXIiRAOGkJb6y5JSRDtionB+r2/WSF/VwRp''.
Oct 30 11:26:32.093964 osdx OSDxCLI[4196]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Oct 30 11:26:32.230914 osdx ca-certificates[16606]: Updating certificates in /etc/ssl/certs...
Oct 30 11:26:32.886098 osdx ca-certificates[17588]: 1 added, 0 removed; done.
Oct 30 11:26:32.891776 osdx ca-certificates[17594]: Running hooks in /etc/ca-certificates/update.d...
Oct 30 11:26:32.896771 osdx ca-certificates[17598]: done.
Oct 30 11:26:32.959308 osdx systemd[1]: Started DNSCrypt client proxy.
Oct 30 11:26:32.961090 osdx cfgd[1093]: [4196]Completed change to active configuration
Oct 30 11:26:32.965306 osdx OSDxCLI[4196]: User 'admin' committed the configuration.
Oct 30 11:26:32.991936 osdx OSDxCLI[4196]: User 'admin' left the configuration menu.
Oct 30 11:26:33.228199 osdx OSDxCLI[4196]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 30 11:26:33.243707 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [NOTICE] dnscrypt-proxy 2.0.45
Oct 30 11:26:33.244082 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [NOTICE] Network connectivity detected
Oct 30 11:26:33.244479 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [NOTICE] Dropping privileges
Oct 30 11:26:33.246713 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [NOTICE] Network connectivity detected
Oct 30 11:26:33.246986 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Oct 30 11:26:33.246986 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Oct 30 11:26:33.267586 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-qmpokpbuvvfvfykn.tmp: permission denied
Oct 30 11:26:33.267731 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [NOTICE] Source [RD] loaded
Oct 30 11:26:33.267828 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [WARNING] Missing stamp for server [server-name`]
Oct 30 11:26:33.267914 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Oct 30 11:26:33.267991 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [NOTICE] Firefox workaround initialized
Oct 30 11:26:33.268065 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpWvdIZy]
Oct 30 11:26:33.472203 osdx OSDxCLI[4196]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 30 11:26:33.580348 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [NOTICE] [rd-server] OK (DoH) - rtt: 161ms
Oct 30 11:26:33.580348 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 161ms)
Oct 30 11:26:33.580348 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [NOTICE] dnscrypt-proxy is ready - live servers: 1
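
An added example (not part of the test suite itself) of the Step 2 check in Python: it applies the scenario's expression to journal text, captures the round-trip time, and also lists the dnscrypt-proxy warnings that the pass/fail expression alone ignores. The function name `check_journal` is hypothetical; the sample lines are copied from the output above.

```python
import re

# Lines copied from the journal output of the Valid Source scenario.
SAMPLE_JOURNAL = """\
Oct 30 11:26:33.267731 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [NOTICE] Source [RD] loaded
Oct 30 11:26:33.267828 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [WARNING] Missing stamp for server [server-name`]
Oct 30 11:26:33.580348 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [NOTICE] [rd-server] OK (DoH) - rtt: 161ms
Oct 30 11:26:33.580348 osdx dnscrypt-proxy[17602]: [2023-10-30 11:26:33] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""


def check_journal(journal: str, server_name: str) -> dict:
    """Apply the scenario's success expression and collect warnings.

    Hypothetical helper for illustration; not the suite's own checker.
    """
    # Same expression as the scenario, with the server name escaped, a
    # capture group added for the rtt, and the multiline flag passed as an
    # argument (Python 3.11+ rejects an inline (?m) that is not at the start).
    ok_re = re.compile(
        r"^.*\[" + re.escape(server_name) + r"\] OK \(DoH\) - rtt: (\d+)ms$",
        re.MULTILINE,
    )
    # Any [WARNING] line logged by dnscrypt-proxy, message text captured.
    warn_re = re.compile(
        r"^.*dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[WARNING\] (.*)$",
        re.MULTILINE,
    )
    match = ok_re.search(journal)
    return {
        "ok": match is not None,
        "rtt_ms": int(match.group(1)) if match else None,
        "warnings": warn_re.findall(journal),
    }


if __name__ == "__main__":
    print(check_journal(SAMPLE_JOURNAL, "rd-server"))
```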

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://certs/remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQWyKwQfhb07vIEGKa/AxXIiRAOGkJb6y5JSRDtionB+r2/WSF/VwRp'
set service dns proxy source RD prefix PRIVATE-
set service dns proxy server-name PRIVATE-rd-server

Step 2: Run the command 'system journal show | cat' on DUT0 and check that the output matches the following regular expression:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
-- Logs begin at Mon 2023-10-30 11:26:38 UTC, end at Mon 2023-10-30 11:26:41 UTC. --
Oct 30 11:26:38.382677 osdx systemd-journald[629]: Runtime journal (/run/log/journal/3d151f703f7748e3bca150e5e3f65077) is 2.0M, max 16.0M, 14.0M free.
Oct 30 11:26:38.400446 osdx OSDxCLI[4196]: User 'admin' executed a new command: 'system journal clear'.
Oct 30 11:26:38.773226 osdx OSDxCLI[4196]: User 'admin' entered the configuration menu.
Oct 30 11:26:38.897166 osdx OSDxCLI[4196]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Oct 30 11:26:38.985850 osdx OSDxCLI[4196]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Oct 30 11:26:39.137694 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Oct 30 11:26:39.253415 osdx cfgd[1093]: [4196]Completed change to active configuration
Oct 30 11:26:39.305193 osdx OSDxCLI[4196]: User 'admin' committed the configuration.
Oct 30 11:26:39.334966 osdx OSDxCLI[4196]: User 'admin' left the configuration menu.
Oct 30 11:26:39.508224 osdx OSDxCLI[4196]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Oct 30 11:26:39.682471 osdx OSDxCLI[4196]: User 'admin' entered the configuration menu.
Oct 30 11:26:39.854942 osdx OSDxCLI[4196]: User 'admin' added a new cfg line: 'set system certificate trust running://certs/remote.dns-server.crt'.
Oct 30 11:26:39.974473 osdx OSDxCLI[4196]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Oct 30 11:26:40.064651 osdx OSDxCLI[4196]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQWyKwQfhb07vIEGKa/AxXIiRAOGkJb6y5JSRDtionB+r2/WSF/VwRp''.
Oct 30 11:26:40.152423 osdx OSDxCLI[4196]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Oct 30 11:26:40.243526 osdx OSDxCLI[4196]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Oct 30 11:26:40.364623 osdx ca-certificates[19240]: Updating certificates in /etc/ssl/certs...
Oct 30 11:26:41.133001 osdx ca-certificates[20224]: 1 added, 0 removed; done.
Oct 30 11:26:41.139351 osdx ca-certificates[20228]: Running hooks in /etc/ca-certificates/update.d...
Oct 30 11:26:41.147482 osdx ca-certificates[20232]: done.
Oct 30 11:26:41.215860 osdx systemd[1]: Started DNSCrypt client proxy.
Oct 30 11:26:41.219794 osdx cfgd[1093]: [4196]Completed change to active configuration
Oct 30 11:26:41.225573 osdx OSDxCLI[4196]: User 'admin' committed the configuration.
Oct 30 11:26:41.251887 osdx OSDxCLI[4196]: User 'admin' left the configuration menu.
Oct 30 11:26:41.260773 osdx dnscrypt-proxy[20236]: [2023-10-30 11:26:41] [NOTICE] dnscrypt-proxy 2.0.45
Oct 30 11:26:41.261285 osdx dnscrypt-proxy[20236]: [2023-10-30 11:26:41] [NOTICE] Network connectivity detected
Oct 30 11:26:41.261980 osdx dnscrypt-proxy[20236]: [2023-10-30 11:26:41] [NOTICE] Dropping privileges
Oct 30 11:26:41.265417 osdx dnscrypt-proxy[20236]: [2023-10-30 11:26:41] [NOTICE] Network connectivity detected
Oct 30 11:26:41.265697 osdx dnscrypt-proxy[20236]: [2023-10-30 11:26:41] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Oct 30 11:26:41.265811 osdx dnscrypt-proxy[20236]: [2023-10-30 11:26:41] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Oct 30 11:26:41.267479 osdx dnscrypt-proxy[20236]: [2023-10-30 11:26:41] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-iefz36zdhunzzcvm.tmp: permission denied
Oct 30 11:26:41.267680 osdx dnscrypt-proxy[20236]: [2023-10-30 11:26:41] [NOTICE] Source [RD] loaded
Oct 30 11:26:41.267849 osdx dnscrypt-proxy[20236]: [2023-10-30 11:26:41] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Oct 30 11:26:41.267979 osdx dnscrypt-proxy[20236]: [2023-10-30 11:26:41] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Oct 30 11:26:41.268125 osdx dnscrypt-proxy[20236]: [2023-10-30 11:26:41] [NOTICE] Firefox workaround initialized
Oct 30 11:26:41.268239 osdx dnscrypt-proxy[20236]: [2023-10-30 11:26:41] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpTn2sKx]
Oct 30 11:26:41.446744 osdx OSDxCLI[4196]: User 'admin' executed a new command: 'system journal show | cat'.
Oct 30 11:26:41.529938 osdx dnscrypt-proxy[20236]: [2023-10-30 11:26:41] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 210ms
Oct 30 11:26:41.529938 osdx dnscrypt-proxy[20236]: [2023-10-30 11:26:41] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 210ms)
Oct 30 11:26:41.529938 osdx dnscrypt-proxy[20236]: [2023-10-30 11:26:41] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://certs/remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/invalid-source
set service dns proxy source RD minisign-key 'okfeHp1Vl0k3Uos0amibn5CJ'
set service dns proxy server-name rd-server

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://certs/remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'InvalidMinisignKey=='
set service dns proxy server-name rd-server
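
An added example (not part of the test suite or of dnscrypt-proxy): a structural check of a minisign public key in Python, based on the minisign key format (base64 of a 2-byte `Ed` algorithm tag, an 8-byte key ID and a 32-byte Ed25519 public key). It shows that the key used in the valid scenarios is well-formed while the keys in the two failing scenarios cannot be minisign keys at all; it does not verify any signature, and the function names are hypothetical.

```python
import base64
import binascii

# Minisign public key layout: algorithm tag (2) + key id (8) + Ed25519 key (32).
MINISIGN_PUBKEY_LEN = 42
SIG_ALG = b"Ed"

# Key values taken from the scenarios on this page.
VALID_KEY = "RWQWyKwQfhb07vIEGKa/AxXIiRAOGkJb6y5JSRDtionB+r2/WSF/VwRp"
RANDOM_KEY = "okfeHp1Vl0k3Uos0amibn5CJ"
INCORRECT_KEY = "InvalidMinisignKey=="


def parse_minisign_pubkey(b64_key: str) -> dict:
    """Decode a minisign public key string into its fields.

    Raises ValueError when the string cannot be a minisign public key.
    Structural check only: no signature is verified here.
    """
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) != MINISIGN_PUBKEY_LEN:
        raise ValueError(
            f"decoded length {len(raw)}, expected {MINISIGN_PUBKEY_LEN}"
        )
    if raw[:2] != SIG_ALG:
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    return {
        "algorithm": raw[:2].decode("ascii"),
        "key_id": raw[2:10].hex(),
        "public_key": raw[10:],
    }


def check_key(b64_key: str) -> tuple:
    """Return (True, 'ok') or (False, reason) for a candidate key string."""
    try:
        parse_minisign_pubkey(b64_key)
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    for key in (VALID_KEY, RANDOM_KEY, INCORRECT_KEY):
        print(key, "->", check_key(key))
```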