Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQdz4aWaeFHln2JdiPIwgBH66G9PeyMpfheA97NqkTJoeBo+5r1T4b4'
set service dns proxy server-name rd-server
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
-- Logs begin at Thu 2023-11-23 22:40:19 UTC, end at Thu 2023-11-23 22:40:22 UTC. --
Nov 23 22:40:19.352893 osdx systemd-journald[619]: Runtime journal (/run/log/journal/1b38b2114cf0481baed8058b17ed7ac1) is 2.0M, max 16.0M, 14.0M free.
Nov 23 22:40:19.366062 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'system journal clear'.
Nov 23 22:40:19.747001 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:40:19.872953 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:40:20.010213 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:40:20.095545 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:40:20.095653 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:40:20.096667 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:40:20.097979 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:40:20.099205 osdx zebra[1034]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Nov 23 22:40:20.194353 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 23 22:40:20.310552 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:40:20.361954 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:40:20.422024 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:40:20.589666 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 23 22:40:20.770997 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:40:20.868276 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 23 22:40:20.988804 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Nov 23 22:40:21.081806 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQdz4aWaeFHln2JdiPIwgBH66G9PeyMpfheA97NqkTJoeBo+5r1T4b4''.
Nov 23 22:40:21.177055 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Nov 23 22:40:21.303760 osdx ca-certificates[10300]: Updating certificates in /etc/ssl/certs...
Nov 23 22:40:22.022965 osdx ca-certificates[11288]: 1 added, 0 removed; done.
Nov 23 22:40:22.029284 osdx ca-certificates[11292]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:40:22.034941 osdx ca-certificates[11296]: done.
Nov 23 22:40:22.094440 osdx systemd[1]: Started DNSCrypt client proxy.
Nov 23 22:40:22.097291 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:40:22.101885 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:40:22.123867 osdx dnscrypt-proxy[11300]: [2023-11-23 22:40:22] [NOTICE] dnscrypt-proxy 2.0.45
Nov 23 22:40:22.124282 osdx dnscrypt-proxy[11300]: [2023-11-23 22:40:22] [NOTICE] Network connectivity detected
Nov 23 22:40:22.124983 osdx dnscrypt-proxy[11300]: [2023-11-23 22:40:22] [NOTICE] Dropping privileges
Nov 23 22:40:22.127255 osdx dnscrypt-proxy[11300]: [2023-11-23 22:40:22] [NOTICE] Network connectivity detected
Nov 23 22:40:22.127401 osdx dnscrypt-proxy[11300]: [2023-11-23 22:40:22] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Nov 23 22:40:22.127485 osdx dnscrypt-proxy[11300]: [2023-11-23 22:40:22] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Nov 23 22:40:22.128860 osdx dnscrypt-proxy[11300]: [2023-11-23 22:40:22] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-sbm3e3ts23zuod7c.tmp: permission denied
Nov 23 22:40:22.128958 osdx dnscrypt-proxy[11300]: [2023-11-23 22:40:22] [NOTICE] Source [RD] loaded
Nov 23 22:40:22.129053 osdx dnscrypt-proxy[11300]: [2023-11-23 22:40:22] [WARNING] Missing stamp for server [server-name`]
Nov 23 22:40:22.129139 osdx dnscrypt-proxy[11300]: [2023-11-23 22:40:22] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Nov 23 22:40:22.129219 osdx dnscrypt-proxy[11300]: [2023-11-23 22:40:22] [NOTICE] Firefox workaround initialized
Nov 23 22:40:22.129296 osdx dnscrypt-proxy[11300]: [2023-11-23 22:40:22] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpW5G2Sn]
Nov 23 22:40:22.141888 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:40:22.273891 osdx dnscrypt-proxy[11300]: [2023-11-23 22:40:22] [NOTICE] [rd-server] OK (DoH) - rtt: 107ms
Nov 23 22:40:22.274044 osdx dnscrypt-proxy[11300]: [2023-11-23 22:40:22] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 107ms)
Nov 23 22:40:22.274128 osdx dnscrypt-proxy[11300]: [2023-11-23 22:40:22] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQdz4aWaeFHln2JdiPIwgBH66G9PeyMpfheA97NqkTJoeBo+5r1T4b4'
set service dns proxy source RD prefix PRIVATE-
set service dns proxy server-name PRIVATE-rd-server
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
-- Logs begin at Thu 2023-11-23 22:40:28 UTC, end at Thu 2023-11-23 22:40:31 UTC. --
Nov 23 22:40:28.353332 osdx systemd-journald[619]: Runtime journal (/run/log/journal/1b38b2114cf0481baed8058b17ed7ac1) is 2.0M, max 16.0M, 14.0M free.
Nov 23 22:40:28.366568 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'system journal clear'.
Nov 23 22:40:28.711240 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:40:28.833659 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Nov 23 22:40:28.924235 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Nov 23 22:40:29.079886 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Nov 23 22:40:29.172666 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:40:29.214361 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:40:29.242808 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:40:29.410508 osdx OSDxCLI[18128]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Nov 23 22:40:29.592776 osdx OSDxCLI[18128]: User 'admin' entered the configuration menu.
Nov 23 22:40:29.698547 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Nov 23 22:40:29.798012 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Nov 23 22:40:29.894366 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQdz4aWaeFHln2JdiPIwgBH66G9PeyMpfheA97NqkTJoeBo+5r1T4b4''.
Nov 23 22:40:29.984189 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Nov 23 22:40:30.105903 osdx OSDxCLI[18128]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Nov 23 22:40:30.220866 osdx ca-certificates[12992]: Updating certificates in /etc/ssl/certs...
Nov 23 22:40:30.850895 osdx ca-certificates[13976]: 1 added, 0 removed; done.
Nov 23 22:40:30.856679 osdx ca-certificates[13980]: Running hooks in /etc/ca-certificates/update.d...
Nov 23 22:40:30.861869 osdx ca-certificates[13984]: done.
Nov 23 22:40:30.930632 osdx systemd[1]: Started DNSCrypt client proxy.
Nov 23 22:40:30.934138 osdx cfgd[1092]: [18128]Completed change to active configuration
Nov 23 22:40:30.944926 osdx OSDxCLI[18128]: User 'admin' committed the configuration.
Nov 23 22:40:30.961127 osdx dnscrypt-proxy[13988]: [2023-11-23 22:40:30] [NOTICE] dnscrypt-proxy 2.0.45
Nov 23 22:40:30.961529 osdx dnscrypt-proxy[13988]: [2023-11-23 22:40:30] [NOTICE] Network connectivity detected
Nov 23 22:40:30.962157 osdx dnscrypt-proxy[13988]: [2023-11-23 22:40:30] [NOTICE] Dropping privileges
Nov 23 22:40:30.964462 osdx dnscrypt-proxy[13988]: [2023-11-23 22:40:30] [NOTICE] Network connectivity detected
Nov 23 22:40:30.964627 osdx dnscrypt-proxy[13988]: [2023-11-23 22:40:30] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Nov 23 22:40:30.964713 osdx dnscrypt-proxy[13988]: [2023-11-23 22:40:30] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Nov 23 22:40:30.966138 osdx dnscrypt-proxy[13988]: [2023-11-23 22:40:30] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-sqlx2drbgyqreyyy.tmp: permission denied
Nov 23 22:40:30.966258 osdx dnscrypt-proxy[13988]: [2023-11-23 22:40:30] [NOTICE] Source [RD] loaded
Nov 23 22:40:30.966356 osdx dnscrypt-proxy[13988]: [2023-11-23 22:40:30] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Nov 23 22:40:30.966445 osdx dnscrypt-proxy[13988]: [2023-11-23 22:40:30] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Nov 23 22:40:30.966527 osdx dnscrypt-proxy[13988]: [2023-11-23 22:40:30] [NOTICE] Firefox workaround initialized
Nov 23 22:40:30.966601 osdx dnscrypt-proxy[13988]: [2023-11-23 22:40:30] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpnihMOr]
Nov 23 22:40:31.015126 osdx OSDxCLI[18128]: User 'admin' left the configuration menu.
Nov 23 22:40:31.143672 osdx dnscrypt-proxy[13988]: [2023-11-23 22:40:31] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 143ms
Nov 23 22:40:31.143672 osdx dnscrypt-proxy[13988]: [2023-11-23 22:40:31] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 143ms)
Nov 23 22:40:31.143672 osdx dnscrypt-proxy[13988]: [2023-11-23 22:40:31] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/invalid-source
set service dns proxy source RD minisign-key 'Atq6vVQ5WapBvgxnF5bvdKVe'
set service dns proxy server-name rd-server
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'InvalidMinisignKey=='
set service dns proxy server-name rd-server
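The minisign-key values in the scenarios above can be told apart before any source list is fetched. The following is an added example, not part of the OSDx test suite: it checks each key against the minisign public-key layout (base64 of a 2-byte algorithm id "Ed", an 8-byte key id and a 32-byte Ed25519 key). The function names check_minisign_key and audit_config are hypothetical, and the check is structural only; a well-formed key that does not belong to the signer is still rejected later, when the proxy verifies the source's signature.

```python
import base64
import binascii
import re

# minisign public key: 2-byte algorithm id ("Ed") + 8-byte key id + 32-byte Ed25519 key
PK_LEN = 42
# CLI syntax taken from the configuration lines on this page
KEY_LINE = re.compile(r"^set service dns proxy source (\S+) minisign-key '([^']*)'$")


def check_minisign_key(b64_key):
    """Structural check only: returns (ok, detail). No signature is verified here."""
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid base64 ({exc})"
    if len(raw) != PK_LEN:
        return False, f"decodes to {len(raw)} bytes, expected {PK_LEN}"
    if raw[:2] != b"Ed":
        return False, f"unexpected algorithm id {raw[:2]!r}"
    return True, f"key id bytes {raw[2:10].hex()}"


def audit_config(lines):
    """Map each source name to the check result for its minisign-key line."""
    results = {}
    for line in lines:
        m = KEY_LINE.match(line.strip())
        if m:
            results[m.group(1)] = check_minisign_key(m.group(2))
    return results


# The three minisign-key lines used by the scenarios on this page.
VALID = ("set service dns proxy source RD minisign-key "
         "'RWQdz4aWaeFHln2JdiPIwgBH66G9PeyMpfheA97NqkTJoeBo+5r1T4b4'")
RANDOM = "set service dns proxy source RD minisign-key 'Atq6vVQ5WapBvgxnF5bvdKVe'"
BOGUS = "set service dns proxy source RD minisign-key 'InvalidMinisignKey=='"

if __name__ == "__main__":
    for label, line in (("valid", VALID), ("random", RANDOM), ("bogus", BOGUS)):
        print(label, audit_config([line])["RD"])
```

Because the source URL in these scenarios is plain http://, the minisign signature is the only integrity check on the downloaded resolver list, which is why a malformed or wrong key has to stop the source from loading.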