Cipher Server

Test suite to validate the use of one or multiple ciphers to protect a DoH connection.

TLS v1.3 Connection

Description

Sets up DUT0 as a server and DUT1 as a client, and ensures that the communication between them is secured by TLS v1.3.

Scenario

Step 1: Set the following configuration in DUT0:

set system certificate trust running://remote.dns-server.crt
set service dns proxy server-name RD
set service dns proxy static RD protocol dns-over-https host name remote.dns
set service dns proxy static RD protocol dns-over-https ip 10.215.168.1
set service dns proxy static RD protocol dns-over-https hash 563c4f02c5ec6eb3d02a1ff7b1e2ca38884464e5e7e227ba087ee6524ee6fbac
set service dns proxy server cert file 'running://dns.dut0.crt'
set service dns proxy server cert key 'running://dns.dut0.key'
set service dns static host-name teldat.com inet 10.11.12.13

Step 2: Set the following configuration in DUT1:

set service dns static host-name dns.dut0 inet 10.215.168.64
set system certificate trust running://CA.crt
set service dns proxy server-name DUT0
set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0
set service dns proxy static DUT0 protocol dns-over-https host port 3000
set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64
set service dns proxy static DUT0 protocol dns-over-https hash 3cdba44c5b9d3e2c0f614f9a450d91f772582d962ff44dab323c61611149c2b6
set service dns proxy log level 0
set service dns resolver local

Step 3: Run command system journal show | cat at DUT1 and expect this output:

-- Logs begin at Thu 2024-01-25 00:16:31 UTC, end at Thu 2024-01-25 00:16:40 UTC. --
Jan 25 00:16:31.450524 osdx systemd-journald[1366]: Runtime journal (/run/log/journal/4d0b7da89f49460287018e38b087a15a) is 1.2M, max 9.7M, 8.5M free.
Jan 25 00:16:31.470527 osdx OSDxCLI[1558]: User 'admin' executed a new command: 'system journal clear'.
Jan 25 00:16:32.350440 osdx osdx-coredump[29048]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 25 00:16:32.359064 osdx OSDxCLI[1558]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 25 00:16:34.146380 osdx OSDxCLI[1558]: User 'admin' entered the configuration menu.
Jan 25 00:16:34.284234 osdx OSDxCLI[1558]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.65/24'.
Jan 25 00:16:34.426280 osdx OSDxCLI[1558]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:16:34.512911 osdx OSDxCLI[1558]: User 'admin' added a new cfg line: 'set service ssh'.
Jan 25 00:16:34.669469 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 25 00:16:34.847958 osdx systemd[1]: Starting OpenBSD Secure Shell server...
Jan 25 00:16:34.867975 osdx sshd[29145]: Server listening on 0.0.0.0 port 22.
Jan 25 00:16:34.868459 osdx sshd[29145]: Server listening on :: port 22.
Jan 25 00:16:34.868687 osdx systemd[1]: Started OpenBSD Secure Shell server.
Jan 25 00:16:34.892868 osdx cfgd[996]: [1558]Completed change to active configuration
Jan 25 00:16:34.945299 osdx OSDxCLI[1558]: User 'admin' committed the configuration.
Jan 25 00:16:34.973522 osdx OSDxCLI[1558]: User 'admin' left the configuration menu.
Jan 25 00:16:35.190218 osdx OSDxCLI[1558]: User 'admin' executed a new command: 'ping 10.215.168.64      count 1 size 56 timeout 1'.
Jan 25 00:16:37.763617 osdx OSDxCLI[1558]: User 'admin' entered the configuration menu.
Jan 25 00:16:37.891007 osdx OSDxCLI[1558]: User 'admin' added a new cfg line: 'set service dns static host-name dns.dut0 inet 10.215.168.64'.
Jan 25 00:16:37.982083 osdx OSDxCLI[1558]: User 'admin' added a new cfg line: 'set system certificate trust running://CA.crt'.
Jan 25 00:16:38.076837 osdx OSDxCLI[1558]: User 'admin' added a new cfg line: 'set service dns proxy server-name DUT0'.
Jan 25 00:16:38.211760 osdx OSDxCLI[1558]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host name dns.dut0'.
Jan 25 00:16:38.335960 osdx OSDxCLI[1558]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https host port 3000'.
Jan 25 00:16:38.455050 osdx OSDxCLI[1558]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https ip 10.215.168.64'.
Jan 25 00:16:38.586230 osdx OSDxCLI[1558]: User 'admin' added a new cfg line: 'set service dns proxy static DUT0 protocol dns-over-https hash 3cdba44c5b9d3e2c0f614f9a450d91f772582d962ff44dab323c61611149c2b6'.
Jan 25 00:16:38.688449 osdx OSDxCLI[1558]: User 'admin' added a new cfg line: 'set service dns proxy log level 0'.
Jan 25 00:16:38.834126 osdx OSDxCLI[1558]: User 'admin' added a new cfg line: 'set service dns resolver local'.
Jan 25 00:16:38.962186 osdx ca-certificates[29210]: Updating certificates in /etc/ssl/certs...
Jan 25 00:16:39.681288 osdx ca-certificates[30194]: 1 added, 0 removed; done.
Jan 25 00:16:39.687901 osdx ca-certificates[30198]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:16:39.693751 osdx ca-certificates[30202]: done.
Jan 25 00:16:39.834991 osdx systemd[1]: Started DNSCrypt client proxy.
Jan 25 00:16:39.837730 osdx cfgd[996]: [1558]Completed change to active configuration
Jan 25 00:16:39.842454 osdx OSDxCLI[1558]: User 'admin' committed the configuration.
Jan 25 00:16:39.869221 osdx OSDxCLI[1558]: User 'admin' left the configuration menu.
Jan 25 00:16:39.870033 osdx dnscrypt-proxy[30255]: dnscrypt-proxy 2.0.45
Jan 25 00:16:39.870437 osdx dnscrypt-proxy[30255]: Network connectivity detected
Jan 25 00:16:39.871080 osdx dnscrypt-proxy[30255]: Dropping privileges
Jan 25 00:16:39.873792 osdx dnscrypt-proxy[30255]: Network connectivity detected
Jan 25 00:16:39.874162 osdx dnscrypt-proxy[30255]: Now listening to 127.0.0.1:53 [UDP]
Jan 25 00:16:39.874287 osdx dnscrypt-proxy[30255]: Now listening to 127.0.0.1:53 [TCP]
Jan 25 00:16:39.874432 osdx dnscrypt-proxy[30255]: Firefox workaround initialized
Jan 25 00:16:39.874519 osdx dnscrypt-proxy[30255]: Loading the set of cloaking rules from [/tmp/tmp2xYbbT]
Jan 25 00:16:40.052576 osdx OSDxCLI[1558]: User 'admin' executed a new command: 'system journal show | cat'.
Jan 25 00:16:40.370372 osdx OSDxCLI[1558]: User 'admin' executed a new command: 'system journal show | cat'.
Jan 25 00:16:40.548256 osdx dnscrypt-proxy[30255]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Jan 25 00:16:40.548282 osdx dnscrypt-proxy[30255]: [DUT0] OK (DoH) - rtt: 236ms
Jan 25 00:16:40.548295 osdx dnscrypt-proxy[30255]: Server with the lowest initial latency: DUT0 (rtt: 236ms)
Jan 25 00:16:40.548304 osdx dnscrypt-proxy[30255]: dnscrypt-proxy is ready - live servers: 1
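
The check that Step 3 implies, as an added example (not part of the original test suite): it finds the dnscrypt-proxy handshake line for a server in the journal and decodes it. It assumes the version field is printed in hexadecimal and the cipher suite in decimal, under which 304 is 0x0304 (TLS 1.3) and 4867 is 0x1303 (TLS_CHACHA20_POLY1305_SHA256); `check_journal` and the constant names are hypothetical.

```python
import re

# TLS 1.3 cipher suite code points from RFC 8446, appendix B.4.
TLS13_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1304: "TLS_AES_128_CCM_SHA256",
    0x1305: "TLS_AES_128_CCM_8_SHA256",
}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

HANDSHAKE = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] TLS version: (?P<ver>[0-9a-fA-F]+)"
    r" - Protocol: (?P<alpn>\S+) - Cipher suite: (?P<suite>\d+)")
DOH_OK = re.compile(r"dnscrypt-proxy\[\d+\]: \[(?P<server>[^\]]+)\] OK \(DoH\)")

# The two relevant lines, copied from the expected output of Step 3.
JOURNAL = """\
Jan 25 00:16:40.548256 osdx dnscrypt-proxy[30255]: [DUT0] TLS version: 304 - Protocol: h2 - Cipher suite: 4867
Jan 25 00:16:40.548282 osdx dnscrypt-proxy[30255]: [DUT0] OK (DoH) - rtt: 236ms
"""

def check_journal(journal, server, required_version=0x0304):
    """Return (passed, details) for the last handshake logged for `server`."""
    handshake, doh_ok = None, False
    for line in journal.splitlines():
        m = HANDSHAKE.search(line)
        if m and m["server"] == server:
            handshake = m
        m = DOH_OK.search(line)
        if m and m["server"] == server:
            doh_ok = True
    if handshake is None:
        return False, {"error": f"no TLS handshake logged for {server}"}
    version = int(handshake["ver"], 16)  # assumed hex: "304" -> 0x0304
    suite = int(handshake["suite"])      # assumed decimal: 4867 -> 0x1303
    details = {
        "version": TLS_VERSIONS.get(version, f"unknown 0x{version:04x}"),
        "cipher": TLS13_SUITES.get(suite, f"not a TLS 1.3 suite (0x{suite:04x})"),
        "alpn": handshake["alpn"],
        "doh_ok": doh_ok,
    }
    passed = version == required_version and suite in TLS13_SUITES and doh_ok
    return passed, details

if __name__ == "__main__":
    print(check_journal(JOURNAL, "DUT0"))
```

A journal in which the same server logs version 303 (TLS 1.2) or a cipher suite outside the 0x1301 to 0x1305 range fails the check even if the DoH probe itself reports OK.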