Source
Test suite to validate using one or multiple ciphers to protect DoH connection
Valid Source
Description
Configures a valid source with the expected minisign key and checks that everything works.
Scenario
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL'
set service dns proxy server-name rd-server
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[rd-server\] OK \(DoH\) - rtt: \d+ms$
-- Logs begin at Thu 2024-01-25 00:06:37 UTC, end at Thu 2024-01-25 00:06:43 UTC. --
Jan 25 00:06:37.460353 osdx systemd-journald[1486]: Runtime journal (/run/log/journal/6c43fcb6d98c40f095ee4a4601056b4b) is 2.0M, max 16.0M, 14.0M free.
Jan 25 00:06:37.476966 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal clear'.
Jan 25 00:06:38.112887 osdx osdx-coredump[26063]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 25 00:06:38.121956 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 25 00:06:38.998101 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:06:39.121980 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:06:39.211206 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:06:39.378489 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 25 00:06:39.488925 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:06:39.541979 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:06:39.570605 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:06:39.768553 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jan 25 00:06:40.020907 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:06:40.142235 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 25 00:06:40.273845 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:06:40.306186 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jan 25 00:06:40.452678 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL''.
Jan 25 00:06:40.589681 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy server-name rd-server'.
Jan 25 00:06:40.728550 osdx ca-certificates[26197]: Updating certificates in /etc/ssl/certs...
Jan 25 00:06:41.418200 osdx ca-certificates[27179]: 1 added, 0 removed; done.
Jan 25 00:06:41.424486 osdx ca-certificates[27185]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:06:41.430220 osdx ca-certificates[27189]: done.
Jan 25 00:06:41.495687 osdx systemd[1]: Started DNSCrypt client proxy.
Jan 25 00:06:41.497767 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:06:41.498663 osdx systemd[1]: Reached target Host and Network Name Lookups.
Jan 25 00:06:41.503242 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:06:41.546678 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:06:42.551191 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal show | cat'.
Jan 25 00:06:42.770315 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal show | cat'.
Jan 25 00:06:43.086707 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal show | cat'.
Jan 25 00:06:43.212290 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:06:43.320645 osdx dnscrypt-proxy[27193]: [2024-01-25 00:06:43] [NOTICE] dnscrypt-proxy 2.0.45
Jan 25 00:06:43.321177 osdx dnscrypt-proxy[27193]: [2024-01-25 00:06:43] [NOTICE] Network connectivity detected
Jan 25 00:06:43.321704 osdx dnscrypt-proxy[27193]: [2024-01-25 00:06:43] [NOTICE] Dropping privileges
Jan 25 00:06:43.324787 osdx dnscrypt-proxy[27193]: [2024-01-25 00:06:43] [NOTICE] Network connectivity detected
Jan 25 00:06:43.324997 osdx dnscrypt-proxy[27193]: [2024-01-25 00:06:43] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jan 25 00:06:43.325278 osdx dnscrypt-proxy[27193]: [2024-01-25 00:06:43] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jan 25 00:06:43.335643 osdx dnscrypt-proxy[27193]: [2024-01-25 00:06:43] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-dgd63ilhfsvkcq6t.tmp: permission denied
Jan 25 00:06:43.335777 osdx dnscrypt-proxy[27193]: [2024-01-25 00:06:43] [NOTICE] Source [RD] loaded
Jan 25 00:06:43.335910 osdx dnscrypt-proxy[27193]: [2024-01-25 00:06:43] [WARNING] Missing stamp for server [server-name`]
Jan 25 00:06:43.336019 osdx dnscrypt-proxy[27193]: [2024-01-25 00:06:43] [WARNING] Error in source [RD]: [Missing stamp for server [server-name`]] -- Continuing with reduced server count [1]
Jan 25 00:06:43.336124 osdx dnscrypt-proxy[27193]: [2024-01-25 00:06:43] [NOTICE] Firefox workaround initialized
Jan 25 00:06:43.336220 osdx dnscrypt-proxy[27193]: [2024-01-25 00:06:43] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpAbye0l]
Jan 25 00:06:43.513266 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal show | cat'.
Jan 25 00:06:43.587615 osdx dnscrypt-proxy[27193]: [2024-01-25 00:06:43] [NOTICE] [rd-server] OK (DoH) - rtt: 210ms
Jan 25 00:06:43.587615 osdx dnscrypt-proxy[27193]: [2024-01-25 00:06:43] [NOTICE] Server with the lowest initial latency: rd-server (rtt: 210ms)
Jan 25 00:06:43.587615 osdx dnscrypt-proxy[27193]: [2024-01-25 00:06:43] [NOTICE] dnscrypt-proxy is ready - live servers: 1
Valid Source With Prefix
Description
Configures a valid source with the expected minisign key and checks that everything works. Additionally, uses a prefix to avoid duplicate servers with the same name.
Scenario
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL'
set service dns proxy source RD prefix PRIVATE-
set service dns proxy server-name PRIVATE-rd-server
Step 2: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
^(?m)^.*\[PRIVATE-rd-server\] OK \(DoH\) - rtt: \d+ms$
-- Logs begin at Thu 2024-01-25 00:06:52 UTC, end at Thu 2024-01-25 00:06:56 UTC. --
Jan 25 00:06:52.594399 osdx systemd-journald[1486]: Runtime journal (/run/log/journal/6c43fcb6d98c40f095ee4a4601056b4b) is 2.0M, max 16.0M, 14.0M free.
Jan 25 00:06:52.613794 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal clear'.
Jan 25 00:06:53.271243 osdx osdx-coredump[28810]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jan 25 00:06:53.280169 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system coredump delete all'.
Jan 25 00:06:54.309071 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:06:54.406730 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jan 25 00:06:54.525587 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jan 25 00:06:54.654796 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jan 25 00:06:54.748368 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:06:54.790691 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:06:54.828394 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:06:55.028212 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jan 25 00:06:55.220760 osdx OSDxCLI[13176]: User 'admin' entered the configuration menu.
Jan 25 00:06:55.299082 osdx zebra[1048]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jan 25 00:06:55.317430 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set system certificate trust running://remote.dns-server.crt'.
Jan 25 00:06:55.407060 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md'.
Jan 25 00:06:55.524903 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy source RD minisign-key 'RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL''.
Jan 25 00:06:55.657705 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy source RD prefix PRIVATE-'.
Jan 25 00:06:55.818589 osdx OSDxCLI[13176]: User 'admin' added a new cfg line: 'set service dns proxy server-name PRIVATE-rd-server'.
Jan 25 00:06:55.963670 osdx ca-certificates[28945]: Updating certificates in /etc/ssl/certs...
Jan 25 00:06:56.608173 osdx ca-certificates[29929]: 1 added, 0 removed; done.
Jan 25 00:06:56.616061 osdx ca-certificates[29933]: Running hooks in /etc/ca-certificates/update.d...
Jan 25 00:06:56.623381 osdx ca-certificates[29937]: done.
Jan 25 00:06:56.691841 osdx systemd[1]: Started DNSCrypt client proxy.
Jan 25 00:06:56.695957 osdx cfgd[1112]: [13176]Completed change to active configuration
Jan 25 00:06:56.708542 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:06:56.737275 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [NOTICE] dnscrypt-proxy 2.0.45
Jan 25 00:06:56.737765 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [NOTICE] Network connectivity detected
Jan 25 00:06:56.738411 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [NOTICE] Dropping privileges
Jan 25 00:06:56.741530 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [NOTICE] Network connectivity detected
Jan 25 00:06:56.741725 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [NOTICE] Now listening to 127.0.0.1:53 [UDP]
Jan 25 00:06:56.741827 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [NOTICE] Now listening to 127.0.0.1:53 [TCP]
Jan 25 00:06:56.743735 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [WARNING] /var/cache/dnscrypt-proxy/RD.md: open /var/cache/dnscrypt-proxy/sf-gdlkmqiv3bemovlh.tmp: permission denied
Jan 25 00:06:56.743861 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [NOTICE] Source [RD] loaded
Jan 25 00:06:56.743991 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jan 25 00:06:56.744107 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [WARNING] Error in source [RD]: [Missing stamp for server [PRIVATE-server-name`]] -- Continuing with reduced server count [1]
Jan 25 00:06:56.744214 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [NOTICE] Firefox workaround initialized
Jan 25 00:06:56.744317 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [NOTICE] Loading the set of cloaking rules from [/tmp/tmpUOWsrQ]
Jan 25 00:06:56.757106 osdx OSDxCLI[13176]: User 'admin' left the configuration menu.
Jan 25 00:06:56.959210 osdx OSDxCLI[13176]: User 'admin' executed a new command: 'system journal show | cat'.
Jan 25 00:06:56.969055 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 173ms
Jan 25 00:06:56.969055 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [NOTICE] Server with the lowest initial latency: PRIVATE-rd-server (rtt: 173ms)
Jan 25 00:06:56.969055 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [NOTICE] dnscrypt-proxy is ready - live servers: 1
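The Step 2 check of the two valid-source scenarios above, written as a small journal parser that also collects the dnscrypt-proxy warnings and the live server count. This is an added example, not part of the OSDx test suite; the name check_resolver is hypothetical and the sample lines are an excerpt of the journal output above.

```python
import re

# dnscrypt-proxy part of a journal line: "[timestamp] [LEVEL] message".
ENTRY = re.compile(
    r"dnscrypt-proxy\[\d+\]: \[[^\]]+\] \[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
# Success line checked by the test step, with the fields captured.
PROBE_OK = re.compile(
    r"^\[(?P<server>[^\]]+)\] OK \((?P<proto>[^)]+)\) - rtt: (?P<rtt>\d+)ms$")
LIVE = re.compile(r"^dnscrypt-proxy is ready - live servers: (?P<n>\d+)$")


def check_resolver(journal, expected_server, expected_proto="DoH"):
    """Summarise the dnscrypt-proxy journal lines for one expected server."""
    result = {"ok": False, "rtt_ms": None, "live_servers": 0, "warnings": []}
    for line in journal.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue  # CLI audit, systemd, kernel and other lines
        msg = entry["msg"]
        if entry["level"] != "NOTICE":
            result["warnings"].append(msg)  # keep for review, do not fail
            continue
        probe = PROBE_OK.match(msg)
        # Exact name match: with a source prefix configured, the bare
        # server name must not be accepted.
        if (probe and probe["server"] == expected_server
                and probe["proto"] == expected_proto):
            result["ok"] = True
            result["rtt_ms"] = int(probe["rtt"])
        live = LIVE.match(msg)
        if live:
            result["live_servers"] = int(live["n"])
    return result


# Excerpt of the "Valid Source With Prefix" journal output shown above.
SAMPLE = """\
Jan 25 00:06:56.708542 osdx OSDxCLI[13176]: User 'admin' committed the configuration.
Jan 25 00:06:56.743861 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [NOTICE] Source [RD] loaded
Jan 25 00:06:56.743991 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [WARNING] Missing stamp for server [PRIVATE-server-name`]
Jan 25 00:06:56.969055 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [NOTICE] [PRIVATE-rd-server] OK (DoH) - rtt: 173ms
Jan 25 00:06:56.969055 osdx dnscrypt-proxy[29941]: [2024-01-25 00:06:56] [NOTICE] dnscrypt-proxy is ready - live servers: 1
"""

if __name__ == "__main__":
    print(check_resolver(SAMPLE, "PRIVATE-rd-server"))
```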
Invalid Source
Description
Configures an invalid source with a random minisign key and expects it to fail.
Scenario
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/invalid-source
set service dns proxy source RD minisign-key 'qYdGeBlnFdv48vvXy0Mw2byl'
set service dns proxy server-name rd-server
Invalid Minisign Key
Description
Configures a valid source but with an incorrect minisign key, which should fail.
Scenario
Step 1: Set the following configuration in DUT0:
set system certificate trust running://remote.dns-server.crt
set service dns proxy log level 0
set service dns proxy source RD url http://10.215.168.1/~robot/RD-resolver.md
set service dns proxy source RD minisign-key 'InvalidMinisignKey=='
set service dns proxy server-name rd-server
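An added example (not OSDx or dnscrypt-proxy code) that checks the structure of the three minisign-key values used in this suite. A minisign public key is the base64 encoding of 42 bytes: a 2-byte algorithm tag "Ed", an 8-byte key ID and a 32-byte Ed25519 public key. The function names are hypothetical.

```python
import base64
import binascii

ALG_ED25519 = b"Ed"      # minisign signature algorithm tag
KEY_LEN = 2 + 8 + 32     # tag + key ID + Ed25519 public key

# minisign-key values copied from the scenarios on this page.
PAGE_KEYS = {
    "Valid Source": "RWQtoDCz5tJzQx9qhzYgdlMWarYrjdMb6tVdaW1TnhjIOBvBdei+teeL",
    "Invalid Source": "qYdGeBlnFdv48vvXy0Mw2byl",
    "Invalid Minisign Key": "InvalidMinisignKey==",
}


def parse_minisign_pubkey(b64_key):
    """Return (key_id_hex, ed25519_key); raise ValueError if malformed.

    key_id_hex is the 8 raw key-ID bytes in stored order.
    """
    try:
        raw = base64.b64decode(b64_key, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from exc
    if len(raw) != KEY_LEN:
        raise ValueError(f"decoded length {len(raw)}, expected {KEY_LEN}")
    if raw[:2] != ALG_ED25519:
        raise ValueError(f"unexpected algorithm tag {raw[:2]!r}")
    return raw[2:10].hex(), raw[10:]


def classify(b64_key):
    """Return 'well-formed' or 'malformed: <reason>' for a key string."""
    try:
        parse_minisign_pubkey(b64_key)
    except ValueError as exc:
        return f"malformed: {exc}"
    return "well-formed"


if __name__ == "__main__":
    for scenario, key in PAGE_KEYS.items():
        print(f"{scenario}: {classify(key)}")
```

A well-formed key that belongs to a different signer passes this structural check; it is rejected only when the signature on the resolver list is verified against it.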