Source

Test suite to validate using one or multiple ciphers to protect DoH connection

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL'
set service dns proxy server-name rd-server

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
-- Logs begin at Wed 2024-04-03 21:37:25 UTC, end at Wed 2024-04-03 21:37:28 UTC. --
Apr 03 21:37:25.368428 osdx systemd-journald[625]: Runtime journal (/run/log/journal/c88512c9e850498898bc11ea5f3658d6) is 2.0M, max 16.0M, 14.0M free.
Apr 03 21:37:25.382046 osdx OSDxCLI[26772]: User 'admin' executed a new command: 'system journal clear'.
Apr 03 21:37:25.819955 osdx OSDxCLI[26772]: User 'admin' entered the configuration menu.
Apr 03 21:37:25.945442 osdx OSDxCLI[26772]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Apr 03 21:37:26.078084 osdx OSDxCLI[26772]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 03 21:37:26.231189 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 03 21:37:26.342754 osdx cfgd[1091]: [26772]Completed change to active configuration
Apr 03 21:37:26.393230 osdx OSDxCLI[26772]: User 'admin' committed the configuration.
Apr 03 21:37:26.422148 osdx OSDxCLI[26772]: User 'admin' left the configuration menu.
Apr 03 21:37:26.607390 osdx OSDxCLI[26772]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Apr 03 21:37:26.787566 osdx OSDxCLI[26772]: User 'admin' entered the configuration menu.
Apr 03 21:37:26.899746 osdx OSDxCLI[26772]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Apr 03 21:37:27.024356 osdx OSDxCLI[26772]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Apr 03 21:37:27.146588 osdx OSDxCLI[26772]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL''.
Apr 03 21:37:27.266071 osdx OSDxCLI[26772]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Apr 03 21:37:27.461561 osdx ca-certificates[23630]: Updating certificates in /etc/ssl/certs...
Apr 03 21:37:28.239576 osdx ca-certificates[24614]: 1 added, 0 removed; done.
Apr 03 21:37:28.247103 osdx ca-certificates[24618]: Running hooks in /etc/ca-certificates/update.d...
Apr 03 21:37:28.252577 osdx ca-certificates[24622]: done.
Apr 03 21:37:28.311930 osdx systemd[1]: Started DNSCrypt client proxy.
Apr 03 21:37:28.314690 osdx cfgd[1091]: [26772]Completed change to active configuration
Apr 03 21:37:28.323288 osdx OSDxCLI[26772]: User 'admin' committed the configuration.
Apr 03 21:37:28.341400 osdx dnscrypt-proxy[24626]: [2024-04-03 21:37:28] [NOTICE] dnscrypt-proxy 2.0.45
Apr 03 21:37:28.341816 osdx dnscrypt-proxy[24626]: [2024-04-03 21:37:28] [NOTICE] Network connectivity detected
Apr 03 21:37:28.342486 osdx dnscrypt-proxy[24626]: [2024-04-03 21:37:28] [NOTICE] Dropping privileges
Apr 03 21:37:28.344827 osdx dnscrypt-proxy[24626]: [2024-04-03 21:37:28] [NOTICE] Network connectivity detected
Apr 03 21:37:28.345013 osdx dnscrypt-proxy[24626]: [2024-04-03 21:37:28] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Apr 03 21:37:28.345121 osdx dnscrypt-proxy[24626]: [2024-04-03 21:37:28] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Apr 03 21:37:28.348282 osdx OSDxCLI[26772]: User 'admin' left the configuration menu.
Apr 03 21:37:28.349763 osdx dnscrypt-proxy[24626]: [2024-04-03 21:37:28] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-yjg3o5nha7nj2jol.tmp: permission denied
Apr 03 21:37:28.349866 osdx dnscrypt-proxy[24626]: [2024-04-03 21:37:28] [NOTICE] Source [RD] loaded
Apr 03 21:37:28.349962 osdx dnscrypt-proxy[24626]: [2024-04-03 21:37:28] [WARNING] Missing stamp for server [server-name`]
Apr 03 21:37:28.350049 osdx dnscrypt-proxy[24626]: [2024-04-03 21:37:28] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Apr 03 21:37:28.350129 osdx dnscrypt-proxy[24626]: [2024-04-03 21:37:28] [NOTICE] Firefox workaround initialized
Apr 03 21:37:28.350203 osdx dnscrypt-proxy[24626]: [2024-04-03 21:37:28] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpAl4zv2]
Apr 03 21:37:28.548140 osdx OSDxCLI[26772]: User 'admin' executed a new command: 'system journal show | cat'.
Apr 03 21:37:28.590397 osdx dnscrypt-proxy[24626]: [2024-04-03 21:37:28] [NOTICE] [rd-server] OK (DoH) - rtt: 207ms
Apr 03 21:37:28.590397 osdx dnscrypt-proxy[24626]: [2024-04-03 21:37:28] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 207ms)
Apr 03 21:37:28.590397 osdx dnscrypt-proxy[24626]: [2024-04-03 21:37:28] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL'
set service dns proxy source RD prefix PRIVATE-
set service dns proxy server-name PRIVATE-rd-server

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
-- Logs begin at Wed 2024-04-03 21:37:35 UTC, end at Wed 2024-04-03 21:37:38 UTC. --
Apr 03 21:37:35.420443 osdx systemd-journald[625]: Runtime journal (/run/log/journal/c88512c9e850498898bc11ea5f3658d6) is 2.0M, max 16.0M, 14.0M free.
Apr 03 21:37:35.438171 osdx OSDxCLI[26772]: User 'admin' executed a new command: 'system journal clear'.
Apr 03 21:37:35.867760 osdx OSDxCLI[26772]: User 'admin' entered the configuration menu.
Apr 03 21:37:35.967210 osdx OSDxCLI[26772]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Apr 03 21:37:36.086126 osdx OSDxCLI[26772]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 03 21:37:36.238047 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 03 21:37:36.351814 osdx cfgd[1091]: [26772]Completed change to active configuration
Apr 03 21:37:36.404788 osdx OSDxCLI[26772]: User 'admin' committed the configuration.
Apr 03 21:37:36.451419 osdx OSDxCLI[26772]: User 'admin' left the configuration menu.
Apr 03 21:37:36.685586 osdx OSDxCLI[26772]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Apr 03 21:37:36.880534 osdx OSDxCLI[26772]: User 'admin' entered the configuration menu.
Apr 03 21:37:36.978332 osdx OSDxCLI[26772]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Apr 03 21:37:37.072430 osdx OSDxCLI[26772]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Apr 03 21:37:37.171605 osdx OSDxCLI[26772]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL''.
Apr 03 21:37:37.253480 osdx OSDxCLI[26772]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Apr 03 21:37:37.368747 osdx OSDxCLI[26772]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Apr 03 21:37:37.394290 osdx zebra[1033]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Apr 03 21:37:37.486541 osdx ca-certificates[26324]: Updating certificates in /etc/ssl/certs...
Apr 03 21:37:38.133320 osdx ca-certificates[27311]: 1 added, 0 removed; done.
Apr 03 21:37:38.139704 osdx ca-certificates[27315]: Running hooks in /etc/ca-certificates/update.d...
Apr 03 21:37:38.145045 osdx ca-certificates[27319]: done.
Apr 03 21:37:38.205371 osdx systemd[1]: Started DNSCrypt client proxy.
Apr 03 21:37:38.208236 osdx cfgd[1091]: [26772]Completed change to active configuration
Apr 03 21:37:38.215372 osdx OSDxCLI[26772]: User 'admin' committed the configuration.
Apr 03 21:37:38.235153 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [NOTICE] dnscrypt-proxy 2.0.45
Apr 03 21:37:38.235574 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [NOTICE] Network connectivity detected
Apr 03 21:37:38.236313 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [NOTICE] Dropping privileges
Apr 03 21:37:38.241234 osdx OSDxCLI[26772]: User 'admin' left the configuration menu.
Apr 03 21:37:38.242095 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [NOTICE] Network connectivity detected
Apr 03 21:37:38.242249 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Apr 03 21:37:38.242333 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Apr 03 21:37:38.243699 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-scqboklaedbnvthm.tmp: permission denied
Apr 03 21:37:38.243796 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [NOTICE] Source [RD] loaded
Apr 03 21:37:38.243897 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Apr 03 21:37:38.243986 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Apr 03 21:37:38.244067 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [NOTICE] Firefox workaround initialized
Apr 03 21:37:38.244140 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpL5ebxa]
Apr 03 21:37:38.460795 osdx OSDxCLI[26772]: User 'admin' executed a new command: 'system journal show | cat'.
Apr 03 21:37:38.631096 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 353ms
Apr 03 21:37:38.631096 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 353ms)
Apr 03 21:37:38.631096 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [NOTICE] dnscrypt-proxy is ready - live servers: 1
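
The Step 2 check from the two valid-source scenarios can be reproduced offline. The following is an added example, not part of the test suite: it parses dnscrypt-proxy journal lines, requires the OK line for the exact server name, and also returns any message above NOTICE level, which the single regular expression does not surface. The names check_journal and SAMPLE_JOURNAL are hypothetical, and the sample lines are copied from the output above.

```python
import re

# Sample input: four lines copied from the "Valid Source With Prefix" output.
SAMPLE_JOURNAL = """\
Apr 03 21:37:38.243699 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-scqboklaedbnvthm.tmp: permission denied
Apr 03 21:37:38.243796 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [NOTICE] Source [RD] loaded
Apr 03 21:37:38.631096 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 353ms
Apr 03 21:37:38.631096 osdx dnscrypt-proxy[27323]: [2024-04-03 21:37:38] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

# journald prefix, then dnscrypt-proxy's own "[timestamp] [LEVEL] message".
LINE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
# Same shape as the page's expression, with the fields captured.
OK = re.compile(
    r"^\[(?P<server>[^\]]+)\] OK \((?P<proto>[^)]+)\) - rtt: (?P<rtt>\d+)ms$"
)
ROUTINE_LEVELS = {"DEBUG", "INFO", "NOTICE"}


def check_journal(journal, server_name, proto="DoH"):
    """Return (passed, rtt_ms, problems) for one expected server name."""
    rtt, problems = None, []
    for line in journal.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a dnscrypt-proxy message
        if m["level"] not in ROUTINE_LEVELS:
            problems.append(m["msg"])  # e.g. the cache-file WARNING
        ok = OK.match(m["msg"])
        # Exact comparison: "rd-server" must not pass for "PRIVATE-rd-server".
        if ok and ok["server"] == server_name and ok["proto"] == proto:
            rtt = int(ok["rtt"])
    return rtt is not None, rtt, problems


if __name__ == "__main__":
    print(check_journal(SAMPLE_JOURNAL, "PRIVATE-rd-server"))
    print(check_journal(SAMPLE_JOURNAL, "rd-server"))
```
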

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/invalid-source
set service dns proxy source RD minisign-key 'kKujg1FjJ12JeRWTi5i2oK5S'
set service dns proxy server-name rd-server

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'InvalidMinisignKey=='
set service dns proxy server-name rd-server
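
The key strings in the failing scenarios can be compared with the valid one before any signature is checked. The following is an added example, not part of the test suite or of dnscrypt-proxy: it applies structural checks based on the minisign public key layout (base64 of a 2-byte algorithm tag "Ed", an 8-byte key id and a 32-byte Ed25519 key, 42 bytes in total) to the three keys configured on this page. It does not verify a signature, so a well-formed key that is not the signer's would pass here and still fail verification. The names parse_minisign_key, classify and PAGE_KEYS are hypothetical.

```python
import base64
import binascii
from typing import NamedTuple


class MinisignPublicKey(NamedTuple):
    algorithm: bytes   # 2 bytes, b"Ed" for Ed25519
    key_id: bytes      # 8 bytes
    public_key: bytes  # 32-byte Ed25519 public key


def parse_minisign_key(encoded: str) -> MinisignPublicKey:
    """Decode a base64 minisign public key; raise ValueError if malformed."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) != 42:
        raise ValueError(f"decoded length is {len(raw)} bytes, expected 42")
    if raw[:2] != b"Ed":
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    return MinisignPublicKey(raw[:2], raw[2:10], raw[10:])


# The key strings configured in the scenarios on this page.
PAGE_KEYS = {
    "Valid Source": "RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL",
    "Invalid Source": "kKujg1FjJ12JeRWTi5i2oK5S",
    "Invalid Minisign Key": "InvalidMinisignKey==",
}


def classify(keys):
    """Map each scenario name to 'well-formed' or the rejection reason."""
    result = {}
    for name, encoded in keys.items():
        try:
            parse_minisign_key(encoded)
            result[name] = "well-formed"
        except ValueError as exc:
            result[name] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    for name, verdict in classify(PAGE_KEYS).items():
        print(f"{name}: {verdict}")
```
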