Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWR0G0Gmf/QCuwa7zShuc+uWLX8pmzWiW0y92ft99v4QE5/n+g1Kertn'
set service dns proxy server-name rd-server
Step 2: Run command 'system journal show | cat' at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
-- Logs begin at Tue 2024-04-23 16:48:57 UTC, end at Tue 2024-04-23 16:48:59 UTC. --
Apr 23 16:48:57.272712 osdx systemd-journald[567]: Runtime journal (/run/log/journal/6df91b3cebc34c1981199ddec73128ac) is 2.0M, max 16.0M, 14.0M free.
Apr 23 16:48:57.281231 osdx OSDxCLI[1600]: User 'admin' executed a new command: 'system journal clear'.
Apr 23 16:48:57.535982 osdx OSDxCLI[1600]: User 'admin' entered the configuration menu.
Apr 23 16:48:57.632447 osdx OSDxCLI[1600]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Apr 23 16:48:57.701948 osdx OSDxCLI[1600]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 23 16:48:57.826253 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 23 16:48:57.900117 osdx cfgd[1182]: [1600]Completed change to active configuration
Apr 23 16:48:57.930141 osdx OSDxCLI[1600]: User 'admin' committed the configuration.
Apr 23 16:48:57.956123 osdx OSDxCLI[1600]: User 'admin' left the configuration menu.
Apr 23 16:48:58.100745 osdx OSDxCLI[1600]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Apr 23 16:48:58.269241 osdx OSDxCLI[1600]: User 'admin' entered the configuration menu.
Apr 23 16:48:58.337787 osdx OSDxCLI[1600]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Apr 23 16:48:58.442254 osdx OSDxCLI[1600]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Apr 23 16:48:58.509250 osdx OSDxCLI[1600]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWR0G0Gmf/QCuwa7zShuc+uWLX8pmzWiW0y92ft99v4QE5/n+g1Kertn''.
Apr 23 16:48:58.608616 osdx OSDxCLI[1600]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Apr 23 16:48:58.697777 osdx ca-certificates[31741]: Updating certificates in /etc/ssl/certs...
Apr 23 16:48:59.082538 osdx ca-certificates[32725]: 1 added, 0 removed; done.
Apr 23 16:48:59.086291 osdx ca-certificates[32728]: Running hooks in /etc/ca-certificates/update.d...
Apr 23 16:48:59.090006 osdx ca-certificates[32732]: done.
Apr 23 16:48:59.125677 osdx systemd[1]: Started DNSCrypt client proxy.
Apr 23 16:48:59.127792 osdx cfgd[1182]: [1600]Completed change to active configuration
Apr 23 16:48:59.135275 osdx OSDxCLI[1600]: User 'admin' committed the configuration.
Apr 23 16:48:59.145164 osdx dnscrypt-proxy[32737]: [2024-04-23 16:48:59] [NOTICE] dnscrypt-proxy 2.0.45
Apr 23 16:48:59.145399 osdx dnscrypt-proxy[32737]: [2024-04-23 16:48:59] [NOTICE] Network connectivity detected
Apr 23 16:48:59.145654 osdx dnscrypt-proxy[32737]: [2024-04-23 16:48:59] [NOTICE] Dropping privileges
Apr 23 16:48:59.147312 osdx dnscrypt-proxy[32737]: [2024-04-23 16:48:59] [NOTICE] Network connectivity detected
Apr 23 16:48:59.147403 osdx dnscrypt-proxy[32737]: [2024-04-23 16:48:59] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Apr 23 16:48:59.147437 osdx dnscrypt-proxy[32737]: [2024-04-23 16:48:59] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Apr 23 16:48:59.150032 osdx OSDxCLI[1600]: User 'admin' left the configuration menu.
Apr 23 16:48:59.151668 osdx dnscrypt-proxy[32737]: [2024-04-23 16:48:59] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-5vl6oerwk47f2vd5.tmp: permission denied
Apr 23 16:48:59.151733 osdx dnscrypt-proxy[32737]: [2024-04-23 16:48:59] [NOTICE] Source [RD] loaded
Apr 23 16:48:59.151781 osdx dnscrypt-proxy[32737]: [2024-04-23 16:48:59] [WARNING] Missing stamp for server [server-name`]
Apr 23 16:48:59.151823 osdx dnscrypt-proxy[32737]: [2024-04-23 16:48:59] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Apr 23 16:48:59.151858 osdx dnscrypt-proxy[32737]: [2024-04-23 16:48:59] [NOTICE] Firefox workaround initialized
Apr 23 16:48:59.151892 osdx dnscrypt-proxy[32737]: [2024-04-23 16:48:59] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpsuqRc2]
Apr 23 16:48:59.291812 osdx OSDxCLI[1600]: User 'admin' executed a new command: 'system journal show | cat'.
Apr 23 16:48:59.298651 osdx dnscrypt-proxy[32737]: [2024-04-23 16:48:59] [NOTICE] [rd-server] OK (DoH) - rtt: 126ms
Apr 23 16:48:59.298651 osdx dnscrypt-proxy[32737]: [2024-04-23 16:48:59] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 126ms)
Apr 23 16:48:59.298651 osdx dnscrypt-proxy[32737]: [2024-04-23 16:48:59] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWR0G0Gmf/QCuwa7zShuc+uWLX8pmzWiW0y92ft99v4QE5/n+g1Kertn'
set service dns proxy source RD prefix PRIVATE-
set service dns proxy server-name PRIVATE-rd-server
Step 2: Run command 'system journal show | cat' at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
-- Logs begin at Tue 2024-04-23 16:49:04 UTC, end at Tue 2024-04-23 16:49:06 UTC. --
Apr 23 16:49:04.263530 osdx systemd-journald[567]: Runtime journal (/run/log/journal/6df91b3cebc34c1981199ddec73128ac) is 2.0M, max 16.0M, 14.0M free.
Apr 23 16:49:04.272649 osdx OSDxCLI[1600]: User 'admin' executed a new command: 'system journal clear'.
Apr 23 16:49:04.503760 osdx OSDxCLI[1600]: User 'admin' entered the configuration menu.
Apr 23 16:49:04.599421 osdx OSDxCLI[1600]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.10/24'.
Apr 23 16:49:04.648292 osdx OSDxCLI[1600]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Apr 23 16:49:04.767821 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Apr 23 16:49:04.824118 osdx cfgd[1182]: [1600]Completed change to active configuration
Apr 23 16:49:04.851748 osdx OSDxCLI[1600]: User 'admin' committed the configuration.
Apr 23 16:49:04.872456 osdx OSDxCLI[1600]: User 'admin' left the configuration menu.
Apr 23 16:49:05.001121 osdx OSDxCLI[1600]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Apr 23 16:49:05.146364 osdx OSDxCLI[1600]: User 'admin' entered the configuration menu.
Apr 23 16:49:05.201755 osdx OSDxCLI[1600]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Apr 23 16:49:05.297984 osdx OSDxCLI[1600]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Apr 23 16:49:05.346971 osdx OSDxCLI[1600]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWR0G0Gmf/QCuwa7zShuc+uWLX8pmzWiW0y92ft99v4QE5/n+g1Kertn''.
Apr 23 16:49:05.436338 osdx OSDxCLI[1600]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Apr 23 16:49:05.485246 osdx OSDxCLI[1600]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Apr 23 16:49:05.596132 osdx ca-certificates[2013]: Updating certificates in /etc/ssl/certs...
Apr 23 16:49:05.973676 osdx ca-certificates[2998]: 1 added, 0 removed; done.
Apr 23 16:49:05.977527 osdx ca-certificates[3001]: Running hooks in /etc/ca-certificates/update.d...
Apr 23 16:49:05.981157 osdx ca-certificates[3005]: done.
Apr 23 16:49:06.017322 osdx systemd[1]: Started DNSCrypt client proxy.
Apr 23 16:49:06.019499 osdx cfgd[1182]: [1600]Completed change to active configuration
Apr 23 16:49:06.024818 osdx OSDxCLI[1600]: User 'admin' committed the configuration.
Apr 23 16:49:06.036610 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [NOTICE] dnscrypt-proxy 2.0.45
Apr 23 16:49:06.036852 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [NOTICE] Network connectivity detected
Apr 23 16:49:06.037128 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [NOTICE] Dropping privileges
Apr 23 16:49:06.039826 osdx OSDxCLI[1600]: User 'admin' left the configuration menu.
Apr 23 16:49:06.040918 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [NOTICE] Network connectivity detected
Apr 23 16:49:06.041005 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Apr 23 16:49:06.041039 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Apr 23 16:49:06.041916 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-tpcxy5ujmpphqaas.tmp: permission denied
Apr 23 16:49:06.041975 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [NOTICE] Source [RD] loaded
Apr 23 16:49:06.042019 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Apr 23 16:49:06.042060 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Apr 23 16:49:06.042094 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [NOTICE] Firefox workaround initialized
Apr 23 16:49:06.042130 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [NOTICE] Loading the set of cloaking rules from [/tmp/tmp3rz4W2]
Apr 23 16:49:06.173403 osdx OSDxCLI[1600]: User 'admin' executed a new command: 'system journal show | cat'.
Apr 23 16:49:06.183371 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 120ms
Apr 23 16:49:06.183371 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 120ms)
Apr 23 16:49:06.183371 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [NOTICE] dnscrypt-proxy is ready - live servers: 1
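The Step 2 check from the two valid scenarios, as an added Python example that is not part of the test suite itself: it applies the same pass condition to the journal and also collects the WARNING entries that the regular expression ignores. The function name check_journal and its result fields are assumptions; the sample lines are copied from the "Valid Source With Prefix" journal above.

```python
import re

# dnscrypt-proxy entries copied from the "Valid Source With Prefix" journal above.
PASSING = """\
Apr 23 16:49:06.041916 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-tpcxy5ujmpphqaas.tmp: permission denied
Apr 23 16:49:06.041975 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [NOTICE] Source [RD] loaded
Apr 23 16:49:06.042019 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Apr 23 16:49:06.042060 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Apr 23 16:49:06.183371 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 120ms
Apr 23 16:49:06.183371 osdx dnscrypt-proxy[3010]: [2024-04-23 16:49:06] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

WARNING_RE = re.compile(r"\[WARNING\] (.*)$", re.MULTILINE)
LIVE_RE = re.compile(r"live servers: (\d+)$", re.MULTILINE)


def check_journal(journal, server_name):
    """Apply the page's pass condition for server_name and report warnings."""
    # The page writes the pattern as ^(?m)^...$; Python 3.11+ rejects an inline
    # global flag that is not at the very start, so re.MULTILINE is passed instead.
    ok_re = re.compile(
        r"^.*\[" + re.escape(server_name) + r"\] OK \(DoH\) - rtt: (\d+)ms$",
        re.MULTILINE,
    )
    ok = ok_re.search(journal)
    live = LIVE_RE.search(journal)
    return {
        "ok": ok is not None,
        "rtt_ms": int(ok.group(1)) if ok else None,
        "live_servers": int(live.group(1)) if live else 0,
        "warnings": WARNING_RE.findall(journal),
    }


if __name__ == "__main__":
    # With the prefix configured, only the prefixed name satisfies the check.
    for name in ("PRIVATE-rd-server", "rd-server"):
        result = check_journal(PASSING, name)
        print(name, "PASS" if result["ok"] else "FAIL", result["rtt_ms"])
    for warning in check_journal(PASSING, "PRIVATE-rd-server")["warnings"]:
        print("warning:", warning)
```

The run passes for PRIVATE-rd-server even though three WARNING entries (cache write denied, missing stamp, reduced server count) appear in the same journal, so a stricter test would assert on those as well.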
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/invalid-source
set service dns proxy source RD minisign-key '5KxpNhD7sGDFGdwgYs9kzdCU'
set service dns proxy server-name rd-server
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'InvalidMinisignKey=='
set service dns proxy server-name rd-server