Source

Test suite to validate the use of one or multiple ciphers to protect the DoH connection.

Valid Source

Description

Configures a valid source with the expected minisign key and checks that everything works.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL'
set service dns proxy server-name rd-server

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
-- Logs begin at Wed 2023-12-13 00:56:26 UTC, end at Wed 2023-12-13 00:56:31 UTC. --
Dec 13 00:56:26.000227 osdx systemd-timedated[14272]: Changed local time to Wed Dec 13 00:56:26 2023
Dec 13 00:56:26.002319 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'set date 2023-12-13 00:56:26'.
Dec 13 00:56:26.417591 osdx systemd-journald[1450]: Runtime journal (/run/log/journal/fa37e9b1f0b54640986d40edb905b319) is 4.0M, max 16.0M, 12.0M free.
Dec 13 00:56:26.431548 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal clear'.
Dec 13 00:56:27.013636 osdx osdx-coredump[21653]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Dec 13 00:56:27.022063 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 13 00:56:27.940260 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 00:56:28.063395 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 00:56:28.154154 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 00:56:28.286631 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 13 00:56:28.397342 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 00:56:28.450277 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 00:56:28.499934 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 00:56:28.705265 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Dec 13 00:56:28.930674 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 00:56:29.030472 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 13 00:56:29.225902 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Dec 13 00:56:29.392151 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL''.
Dec 13 00:56:29.508615 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Dec 13 00:56:29.667600 osdx ca-certificates[21787]: Updating certificates in /etc/ssl/certs...
Dec 13 00:56:30.415880 osdx ca-certificates[22769]: 1 added, 0 removed; done.
Dec 13 00:56:30.422938 osdx ca-certificates[22775]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 00:56:30.428555 osdx ca-certificates[22779]: done.
Dec 13 00:56:30.505876 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 13 00:56:30.508826 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 00:56:30.516120 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 00:56:30.567798 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 00:56:30.832974 osdx dnscrypt-proxy[22783]: [2023-12-13 00:56:30] [NOTICE] dnscrypt-proxy 2.0.45
Dec 13 00:56:30.833359 osdx dnscrypt-proxy[22783]: [2023-12-13 00:56:30] [NOTICE] Network connectivity detected
Dec 13 00:56:30.833756 osdx dnscrypt-proxy[22783]: [2023-12-13 00:56:30] [NOTICE] Dropping privileges
Dec 13 00:56:30.841520 osdx dnscrypt-proxy[22783]: [2023-12-13 00:56:30] [NOTICE] Network connectivity detected
Dec 13 00:56:30.841715 osdx dnscrypt-proxy[22783]: [2023-12-13 00:56:30] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Dec 13 00:56:30.841806 osdx dnscrypt-proxy[22783]: [2023-12-13 00:56:30] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Dec 13 00:56:30.849256 osdx dnscrypt-proxy[22783]: [2023-12-13 00:56:30] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-je5pg37sosewl6rx.tmp: permission denied
Dec 13 00:56:30.849256 osdx dnscrypt-proxy[22783]: [2023-12-13 00:56:30] [NOTICE] Source [RD] loaded
Dec 13 00:56:30.849256 osdx dnscrypt-proxy[22783]: [2023-12-13 00:56:30] [WARNING] Missing stamp for server [server-name`]
Dec 13 00:56:30.849256 osdx dnscrypt-proxy[22783]: [2023-12-13 00:56:30] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Dec 13 00:56:30.849256 osdx dnscrypt-proxy[22783]: [2023-12-13 00:56:30] [NOTICE] Firefox workaround initialized
Dec 13 00:56:30.849256 osdx dnscrypt-proxy[22783]: [2023-12-13 00:56:30] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpnbiBRg]
Dec 13 00:56:30.860299 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal show | cat'.
Dec 13 00:56:31.090327 osdx dnscrypt-proxy[22783]: [2023-12-13 00:56:31] [NOTICE] [rd-server] OK (DoH) - rtt: 190ms
Dec 13 00:56:31.090509 osdx dnscrypt-proxy[22783]: [2023-12-13 00:56:31] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 190ms)
Dec 13 00:56:31.090638 osdx dnscrypt-proxy[22783]: [2023-12-13 00:56:31] [NOTICE] dnscrypt-proxy is ready - live servers: 1

Valid Source With Prefix

Description

Configures a valid source with the expected minisign key and checks that everything works. Additionally, it uses a prefix to avoid duplicate servers with the same name.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL'
set service dns proxy source RD prefix PRIVATE-
set service dns proxy server-name PRIVATE-rd-server

Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
Output:
-- Logs begin at Wed 2023-12-13 00:56:38 UTC, end at Wed 2023-12-13 00:56:42 UTC. --
Dec 13 00:56:38.389282 osdx systemd-journald[1450]: Runtime journal (/run/log/journal/fa37e9b1f0b54640986d40edb905b319) is 4.0M, max 16.0M, 12.0M free.
Dec 13 00:56:38.405217 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal clear'.
Dec 13 00:56:39.117526 osdx osdx-coredump[24386]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Dec 13 00:56:39.125928 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system coredump delete all'.
Dec 13 00:56:40.072259 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 00:56:40.197483 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Dec 13 00:56:40.307769 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Dec 13 00:56:40.452838 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Dec 13 00:56:40.550182 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 00:56:40.591258 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 00:56:40.629562 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 00:56:40.809709 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'ping 10.215.168.1      count 1 size 56 timeout 1'.
Dec 13 00:56:40.992831 osdx OSDxCLI[28897]: User 'admin' entered the configuration menu.
Dec 13 00:56:41.104388 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Dec 13 00:56:41.219174 osdx zebra[1040]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Dec 13 00:56:41.228911 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Dec 13 00:56:41.339125 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL''.
Dec 13 00:56:41.454991 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Dec 13 00:56:41.560704 osdx OSDxCLI[28897]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Dec 13 00:56:41.712297 osdx ca-certificates[24521]: Updating certificates in /etc/ssl/certs...
Dec 13 00:56:42.427787 osdx ca-certificates[25505]: 1 added, 0 removed; done.
Dec 13 00:56:42.433512 osdx ca-certificates[25509]: Running hooks in /etc/ca-certificates/update.d...
Dec 13 00:56:42.439689 osdx ca-certificates[25513]: done.
Dec 13 00:56:42.501265 osdx systemd[1]: Started DNSCrypt client proxy.
Dec 13 00:56:42.503857 osdx cfgd[1102]: [28897]Completed change to active configuration
Dec 13 00:56:42.508301 osdx OSDxCLI[28897]: User 'admin' committed the configuration.
Dec 13 00:56:42.530271 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [NOTICE] dnscrypt-proxy 2.0.45
Dec 13 00:56:42.530661 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [NOTICE] Network connectivity detected
Dec 13 00:56:42.531220 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [NOTICE] Dropping privileges
Dec 13 00:56:42.533420 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [NOTICE] Network connectivity detected
Dec 13 00:56:42.533558 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Dec 13 00:56:42.533639 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Dec 13 00:56:42.535090 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-z3vapjsgwq5cbxqo.tmp: permission denied
Dec 13 00:56:42.535179 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [NOTICE] Source [RD] loaded
Dec 13 00:56:42.535269 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Dec 13 00:56:42.535354 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Dec 13 00:56:42.535432 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [NOTICE] Firefox workaround initialized
Dec 13 00:56:42.535504 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpPGwtAX]
Dec 13 00:56:42.547774 osdx OSDxCLI[28897]: User 'admin' left the configuration menu.
Dec 13 00:56:42.737460 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 162ms
Dec 13 00:56:42.737460 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 162ms)
Dec 13 00:56:42.737460 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Dec 13 00:56:42.742124 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal show | cat'.
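
The Step 2 check from both valid-source scenarios, as an added Python example (not part of the test suite or of OSDx): it applies the same regular expression to journal lines copied from the output above and also collects the dnscrypt-proxy warnings logged in the same run. The function names are hypothetical.

```python
import re

# Journal lines copied from the "Valid Source With Prefix" output above.
SAMPLE_JOURNAL = """\
Dec 13 00:56:42.535090 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-z3vapjsgwq5cbxqo.tmp: permission denied
Dec 13 00:56:42.535179 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [NOTICE] Source [RD] loaded
Dec 13 00:56:42.535269 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Dec 13 00:56:42.737460 osdx dnscrypt-proxy[25517]: [2023-12-13 00:56:42] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 162ms
Dec 13 00:56:42.742124 osdx OSDxCLI[28897]: User 'admin' executed a new command: 'system journal show | cat'.
"""

# "<journal prefix> dnscrypt-proxy[pid]: [timestamp] [LEVEL] message"
ENTRY = re.compile(
    r"^.* dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$",
    re.MULTILINE,
)
ROUTINE_LEVELS = {"DEBUG", "INFO", "NOTICE"}


def doh_rtt_ms(journal, server_name):
    """Return the rtt in ms when `[server_name] OK (DoH)` is logged, else None."""
    # Step 2 expression with the server name escaped, the rtt captured and
    # the inline (?m) flag passed as re.MULTILINE.
    pattern = re.compile(
        r"^.*\[" + re.escape(server_name) + r"\] OK \(DoH\) - rtt: (\d+)ms$",
        re.MULTILINE,
    )
    match = pattern.search(journal)
    return int(match.group(1)) if match else None


def proxy_warnings(journal):
    """Return dnscrypt-proxy messages logged above NOTICE level."""
    return [m["msg"] for m in ENTRY.finditer(journal)
            if m["level"] not in ROUTINE_LEVELS]


if __name__ == "__main__":
    print(doh_rtt_ms(SAMPLE_JOURNAL, "PRIVATE-rd-server"))
    for warning in proxy_warnings(SAMPLE_JOURNAL):
        print("warning:", warning)
```

Looking up `rd-server` in the prefixed run returns None, because the prefix is part of the logged server name; the warnings list shows that the run logged warnings even though the Step 2 check passed.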

Invalid Source

Description

Configures an invalid source with a random minisign key and expects it to fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/invalid-source
set service dns proxy source RD minisign-key 'daDRakOCkGePZthkwxqrzPnF'
set service dns proxy server-name rd-server

Invalid Minisign Key

Description

Configures a valid source but with an incorrect minisign key, which should fail.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'InvalidMinisignKey=='
set service dns proxy server-name rd-server
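
A structural pre-check for the minisign-key values used in the scenarios on this page, as an added Python example (not OSDx or dnscrypt-proxy code; the function names are hypothetical). It only tests whether a value has the layout of a minisign public key; it does not verify any signature, so a well-formed key that does not match the source's signature would pass this check and still be rejected when the source is verified.

```python
import base64
import binascii

# Keys copied from the scenarios on this page.
VALID_SOURCE_KEY = "RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL"
INVALID_SOURCE_KEY = "daDRakOCkGePZthkwxqrzPnF"
INVALID_MINISIGN_KEY = "InvalidMinisignKey=="


def parse_minisign_pubkey(text):
    """Split a minisign public key into (key_id, ed25519_public_key).

    Layout after base64 decoding: 2-byte algorithm tag b"Ed",
    8-byte key id, 32-byte Ed25519 public key (42 bytes in total).
    Raises ValueError when the text cannot be such a key.
    """
    try:
        raw = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not base64: {exc}") from exc
    if len(raw) != 42:
        raise ValueError(f"decoded length is {len(raw)} bytes, expected 42")
    if raw[:2] != b"Ed":
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    return raw[2:10], raw[10:]


def key_problem(text):
    """Return None for a well-formed key, otherwise the reason it is rejected."""
    try:
        parse_minisign_pubkey(text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for key in (VALID_SOURCE_KEY, INVALID_SOURCE_KEY, INVALID_MINISIGN_KEY):
        print(key, "->", key_problem(key) or "well-formed")
```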